-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rainer,

On 11/20/2009 12:39 PM, Rainer Jung wrote:
> On 20.11.2009 18:08, Christopher Schultz wrote:
>> Rainer,
>>
>> On 11/20/2009 11:51 AM, Rainer Jung wrote:
>>> On 20.11.2009 17:20, Christopher Schultz wrote:
>>>> If you continue reading, you can see that mod_jk sends at least part of
>>>> the first certificate. I seem to recall that mod_jk in debug mode only
>>>> logs part of the request, so it's possible that more information is
>>>> being sent than is being logged, so I can't tell if everything gets sent.
>>
>>> Quick partial answer before I read and understand everything: mod_jk
>>> will log full packets with JkLogLevel trace. Debug truncates the logged
>>> data.
>>
>> Okay, that sounded familiar. I'll turn on trace and get my eyes ready
>> for a long day :)
>>
>> In the meantime, it does look like mod_jk intends to send the whole
>> certificate chain over to Tomcat. Am I doing this right?
> 
> I would say yes.

Okay, good. Thanks for the confirmation that it looks like I'm doing
what I should be doing.

> What I'm not so sure about is the root certificate. The
> root should be owned by the web server, otherwise the whole validation
> is useless.

Absolutely. In my case, the client has been provided with all 4 certs
(Root, Signing Root, Signing Sub, and Client itself). I haven't sniffed
the HTTP stream to see what's being sent by the client. If you have a
suggestion for how to sniff an SSL stream, I'm all ears :)

> So I don't know, whether all certs including the root should
> be forwarded, or only all except the root.

It appears that mod_jk is prepared to send all but the root certificate.
I can live with that, because I'm expecting to use the root cert on the
server to do the validation :) What I'm /not/ using right now is a
keystore: I just have the bare, PEM-encoded root certificate that's
being read by my test JSP file attached to my original post.

> You can log those env vars in the access log using the %{xxx}e
> notation (xxx being the name of the var) to check, whether httpd shows
> all of the chain, or only all except the root.

I think I'll go ahead and to that. But, I'll read your other 42 posts
before I do :)

> I can try to dig into
> httpd code to understand it as well.

Thanks for all your help, Rainer.

> Why you do not get a chain and instead only one cert is still open.

Yup. This is my only real question.

Thanks,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAksHBIkACgkQ9CaO5/Lv0PBP6gCgjlHD1eEU0Axz7+WsRaDc7FSK
4GwAn2955kDkR3eV/bh21AyuB7tIJsSO
=Omi4
-----END PGP SIGNATURE-----
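As an added illustration of the check discussed in this thread (this is not the poster's JSP and not mod_jk or Tomcat code), the helper below validates the client chain that mod_jk forwards to Tomcat against a single PEM-encoded root file, with no keystore. It assumes the chain is obtained in the JSP from the `javax.servlet.request.X509Certificate` request attribute, which Tomcat populates leaf first, and that the root used as the trust anchor is deliberately dropped from the path if it happens to be forwarded as well (matching the "all except the root" behaviour discussed above). The `main` method is a hypothetical offline harness that runs the same validation over the PEM files the client was issued, so the logic can be checked before wiring it into Tomcat. The access-log check Rainer suggests would log mod_ssl's variables, e.g. `%{SSL_CLIENT_CERT}e` and `%{SSL_CLIENT_CERT_CHAIN_0}e` (these are only exported with `SSLOptions +ExportCertData`); that part is httpd configuration and is not repeated here.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Hypothetical helper (not the poster's JSP): validates a forwarded client
 * certificate chain against one PEM-encoded root, no keystore involved.
 * In a JSP or servlet the chain comes from
 *   (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate")
 * and is leaf first, which is the order CertPathValidator expects.
 */
public final class ClientChainCheck {

    private ClientChainCheck() {}

    /** Loads one PEM (or DER) X.509 certificate from a file; the path is an assumption. */
    public static X509Certificate loadCert(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /**
     * Validates 'chain' (leaf first) up to 'root' and returns the leaf's subject DN.
     * The root is the trust anchor, so it must not also sit inside the path;
     * if httpd/mod_jk did forward it, it is dropped here first.
     */
    public static String validate(X509Certificate[] chain, X509Certificate root) throws Exception {
        if (chain == null || chain.length == 0) {
            throw new CertPathValidatorException("no client certificate was forwarded");
        }
        List<X509Certificate> path = new ArrayList<X509Certificate>();
        for (X509Certificate c : chain) {
            if (!c.equals(root)) {
                path.add(c);
            }
        }
        if (path.isEmpty()) {
            throw new CertPathValidatorException("chain contained only the root certificate");
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath certPath = cf.generateCertPath(path);

        // Exactly one trust anchor: the bare root read from the PEM file.
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        params.setRevocationEnabled(false); // no CRL/OCSP in this test; enable it in production

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXCertPathValidatorResult result =
                (PKIXCertPathValidatorResult) validator.validate(certPath, params);

        // Belt and braces: the path must really have terminated at our root.
        if (!root.equals(result.getTrustAnchor().getTrustedCert())) {
            throw new CertPathValidatorException("path did not terminate at the expected root");
        }
        return path.get(0).getSubjectX500Principal().getName();
    }

    /** Offline harness: java ClientChainCheck root.pem client.pem [sub.pem signing-root.pem ...] */
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: ClientChainCheck root.pem client.pem [intermediate.pem ...]");
            System.exit(2);
        }
        X509Certificate root = loadCert(args[0]);
        X509Certificate[] chain = new X509Certificate[args.length - 1];
        for (int i = 1; i < args.length; i++) {
            chain[i - 1] = loadCert(args[i]);
        }
        try {
            System.out.println("valid client: " + validate(chain, root));
        } catch (CertPathValidatorException e) {
            System.out.println("REJECTED: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Running the harness with the root as the first argument and the client, sub and signing-root certificates in leaf-first order answers the open question from the server side: if PKIX accepts the files the client holds but rejects the chain seen in Tomcat, the difference is in what mod_jk forwarded, not in the certificates themselves. Leaving revocation disabled is only appropriate for this diagnostic; a production check should keep it on or supply CRLs.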
