>
>> But what do we need to have present per the SPEC?
>> Client cert and CA cert, or only the client cert?
>
> *All* certs in the chain are required for authentication.
> There could be several tiers: i.e. CA 1 signs CA 2's cert, then CA 2
> signs the company cert. I don't know what the specs have to say, and I
> don't know what the impact on the connectors is, but in order for client
> authentication to work correctly, I need the whole chain.
So are you sure we get all the certs from mod_ssl?
We currently use the variable SSL_CLIENT_CERT.
If you take a look at the mod_ssl doc you'll see:
http://www.modssl.org/docs/2.8/ssl_reference.html

SSL_CLIENT_CERT          string   PEM-encoded client certificate
SSL_CLIENT_CERT_CHAINn   string   PEM-encoded certificates in client certificate chain

To follow the spec fully we will also have to use
SSL_CLIENT_CERT_CHAINn (n = 0 -> x).
That will be just too many vars (bytes) to send each
time we forward a request.
It's something I plan to handle differently in ajp14
(asked of the web server only if the tomcat/servlet dev needs it),
but for now couldn't we assume we only need the
client cert for strict 2.2 compliance?
Craig just said:
2.2 just says "an array".
2.3 says "The order of this array is defined as being in ascending
order of trust. The first certificate in the chain is the one set by the
client, the next is the one used to authenticate the first, and so on."
What about this?
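As an added illustration of the two options discussed above (this is example code, not part of the thread and not mod_jk's own code), the following assembles the certificate array in the order the 2.3 wording requires from a dictionary of mod_ssl-style variables: SSL_CLIENT_CERT first, then SSL_CLIENT_CERT_CHAIN0, CHAIN1, ... sorted numerically. The PEM blocks are constructed dummies (the base64 payload is not a real X.509 certificate), the variable names follow the mod_ssl reference linked above, and the gap check on chain indices is an assumption about how a forwarding connector should treat a partially transmitted chain.

```python
import base64
import re


def _fake_pem(label: str) -> str:
    """Constructed placeholder 'certificate' so the example runs offline.
    The payload is a labelled string, not DER; only the PEM framing is real."""
    body = base64.b64encode(f"dummy-cert:{label}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample of what a web server would hand over (mod_ssl variable
# names from the ssl_reference page; values are dummies, not real certs).
SAMPLE_ENV = {
    "SSL_CLIENT_CERT": _fake_pem("client"),
    "SSL_CLIENT_CERT_CHAIN0": _fake_pem("intermediate-ca"),
    "SSL_CLIENT_CERT_CHAIN1": _fake_pem("root-ca"),
    "SSL_CLIENT_S_DN": "/CN=client",  # unrelated variable, must be ignored
}

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)
_CHAIN_RE = re.compile(r"^SSL_CLIENT_CERT_CHAIN(\d+)$")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and return the raw (here: dummy) payload bytes."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("not a PEM certificate block")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def chain_from_ssl_env(env: dict) -> list:
    """Build the certificate array in servlet 2.3 order.

    Index 0 is the certificate the client presented (SSL_CLIENT_CERT),
    followed by SSL_CLIENT_CERT_CHAIN0, CHAIN1, ... in ascending order of
    trust, i.e. each entry is the one that signed the entry before it.
    Returns [] when no client certificate was sent (no client auth).
    """
    client = env.get("SSL_CLIENT_CERT")
    if not client:
        return []
    chain = []
    for name, value in env.items():
        m = _CHAIN_RE.match(name)
        if m and value:
            chain.append((int(m.group(1)), value))
    # Sort numerically, so CHAIN10 follows CHAIN9 rather than CHAIN1.
    chain.sort()
    indices = [i for i, _ in chain]
    if indices != list(range(len(indices))):
        # Assumption: a hole in the numbering means the chain was only
        # partially forwarded, so refuse rather than hand out a broken chain.
        raise ValueError(f"non-contiguous chain indices: {indices}")
    for pem in [client] + [v for _, v in chain]:
        pem_to_der(pem)  # reject anything that is not PEM-framed
    return [client] + [v for _, v in chain]


def forwarded_bytes(certs: list) -> int:
    """Bytes the connector would have to ship per request for this array."""
    return sum(len(c.encode()) for c in certs)


if __name__ == "__main__":
    full = chain_from_ssl_env(SAMPLE_ENV)
    client_only = chain_from_ssl_env({"SSL_CLIENT_CERT": SAMPLE_ENV["SSL_CLIENT_CERT"]})
    print(len(full), "certs,", forwarded_bytes(full), "bytes with the chain")
    print(len(client_only), "cert,", forwarded_bytes(client_only), "bytes client-only")
```

Forwarding only SSL_CLIENT_CERT yields a one-element array (the 2.2 reading); forwarding the CHAINn variables as well yields the full ordered chain and, as the message above notes, proportionally more bytes on every request.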