Rainer,

On 11/20/2009 12:39 PM, Rainer Jung wrote:
> On 20.11.2009 18:08, Christopher Schultz wrote:
>> Rainer,
>>
>> On 11/20/2009 11:51 AM, Rainer Jung wrote:
>>> On 20.11.2009 17:20, Christopher Schultz wrote:
>>>> If you continue reading, you can see that mod_jk sends at least part of
>>>> the first certificate. I seem to recall that mod_jk in debug mode only
>>>> logs part of the request, so it's possible that more information is
>>>> being sent than is being logged, so I can't tell if everything gets sent.
>>
>>> Quick partial answer before I read and understand everything: mod_jk
>>> will log full packets with JkLogLevel trace. Debug truncates the logged
>>> data.
>>
>> Okay, that sounded familiar. I'll turn on trace and get my eyes ready
>> for a long day :)
>>
>> In the meantime, it does look like mod_jk intends to send the whole
>> certificate chain over to Tomcat. Am I doing this right?
>
> I would say yes.

Okay, good. Thanks for the confirmation that it looks like I'm doing what
I should be doing.

> What I'm not so sure about is the root certificate. The
> root should be owned by the web server, otherwise the whole validation
> is useless.

Absolutely. In my case, the client has been provided with all 4 certs
(Root, Signing Root, Signing Sub, and Client itself). I haven't sniffed
the HTTP stream to see what's being sent by the client. If you have a
suggestion for how to sniff an SSL stream, I'm all ears :)

> So I don't know, whether all certs including the root should
> be forwarded, or only all except the root.

It appears that mod_jk is prepared to send all but the root certificate.
I can live with that, because I'm expecting to use the root cert on the
server to do the validation :)

What I'm /not/ using right now is a keystore: I just have the bare,
PEM-encoded root certificate that's being read by my test JSP file
attached to my original post.

> You can log those env vars in the access log using the %{xxx}e
> notation (xxx being the name of the var) to check, whether httpd shows
> all of the chain, or only all except the root.

I think I'll go ahead and do that. But, I'll read your other 42 posts
before I do :)

> I can try to dig into
> httpd code to understand it as well.

Thanks for all your help, Rainer.

> Why you do not get a chain and instead only one cert is still open.

Yup. This is my only real question.

Thanks,
-chris
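The server-side check this thread describes (a bare PEM root certificate, no keystore, and the chain Tomcat exposes on the request) written out as an added example; this is not code from the thread, from Tomcat or from mod_jk. The class and method names, the PEM path argument and the use of Java 8's removeIf are assumptions; the request attribute name javax.servlet.request.X509Certificate is the one defined by the Servlet specification.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Hypothetical helper class (not from the thread or from Tomcat).
public class ClientChainCheck {

    /** Load the bare PEM root certificate; no keystore involved. */
    static X509Certificate loadRoot(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(pemPath)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /**
     * Validate the chain Tomcat exposes as the request attribute
     * javax.servlet.request.X509Certificate (leaf first) against the
     * root as the only trust anchor. Returns the leaf subject DN on
     * success; throws CertPathValidatorException on failure, including
     * the case where only the leaf arrived and the path cannot be
     * chained up to the root.
     */
    static String validate(X509Certificate[] chain, X509Certificate root) throws Exception {
        List<X509Certificate> certs = new ArrayList<>(Arrays.asList(chain));
        // If httpd/mod_jk forwarded the root itself, drop it: the trust
        // anchor must not be part of the CertPath being validated.
        certs.removeIf(c -> c.equals(root));
        if (certs.isEmpty()) {
            throw new CertPathValidatorException("no end-entity certificate in chain");
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(certs);
        PKIXParameters params =
            new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        params.setRevocationEnabled(false); // no CRL/OCSP source configured in this test
        CertPathValidator.getInstance("PKIX").validate(path, params);
        return certs.get(0).getSubjectX500Principal().getName();
    }
}
```

From the JSP, pass `(X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate")` as the chain argument; with the single-certificate behaviour the thread is chasing, validate() fails with a message that the path does not chain to the trust anchor, which makes the missing intermediates visible without sniffing the stream.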