Hi Rafael,
If your certificate chain is too large for the default AJP packet size of
approx. 8KB and you increase it via max_packet_size, you need to change your
Tomcat connector settings as well. See max_packet_size in
http://tomcat.apache.org/connectors-doc/reference/workers.html
Didn't try it myself, let us know if it works.
If you can easily test this with one or a few requests, you can set
JkLogLevel trace and you'll see the complete packet traffic between
httpd and Tomcat.
Regards,
Rainer
Rafael Rossetto wrote:
Bruno,
I tried to change my conf file, the only thing I didn't set before was:
- JkEnvVar SSL_CLIENT_CERT SSL_CLIENT_CERT
When I set this option, Firefox gives me the following error:
Request Entity Too Large
So I changed the workers.properties to set the max_packet_size
bigger. And the Entity Too Large Error stopped.
But the thing is, I still don't get the cert chain through the
request.getAttribute("javax.servlet.request.X509Certificate").
Do you use the request.getAttribute("SSL_CLIENT_CERT") to get the
cert chain?
Thanks,
Rafael
On 2/1/08, Bruno Harbulot <[EMAIL PROTECTED]> wrote:
Hi,
Rafael Rossetto wrote:
I'm using the JkOptions +ForwardSSLCertChain in httpd.conf. In
ssl.conf I also use the SSLVerifyClient require (tried optional and
optional_no_ca), so the client certificate validation in Apache seems
all right to me. And the SSLOptions is SSLOptions +StdEnvVars
+ExportCertData.
Just to make sure, do you use 'JkExtractSSL On' as well (it should be on
by default anyway)?
I generally use this:
JkExtractSSL On
JkHTTPSIndicator HTTPS
JkSESSIONIndicator SSL_SESSION_ID
JkCIPHERIndicator SSL_CIPHER
JkCERTSIndicator SSL_CLIENT_CERT
JkEnvVar SSL_CLIENT_CERT SSL_CLIENT_CERT
JkOptions +ForwardSSLCertChain
and this in the relevant VirtualHost:
SSLEngine on
SSLCertificateFile ...
SSLCertificateKeyFile ...
SSLCACertificatePath ...
SSLCARevocationPath ...
SSLVerifyClient optional
SSLVerifyDepth 5
SSLOptions +ExportCertData +StdEnvVars
I get the full chain with this.
Best wishes,
Bruno.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
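
An added example, not part of the thread and not code from the Tomcat or mod_jk projects: a small check that each mod_jk worker's max_packet_size matches the packetSize attribute of the Tomcat AJP connector on the same port, which is the pairing Rainer's reply asks for. The sample configs are constructed, and matching workers to connectors by port alone (ignoring host) is an assumption.

```python
import re
import xml.etree.ElementTree as ET

AJP_DEFAULT = 8192  # default AJP packet size on both ends (the "approx. 8KB" above)

# Constructed sample configs: mod_jk side raised, Tomcat side left at its default.
WORKERS_PROPERTIES = """\
worker.list=app1
worker.app1.type=ajp13
worker.app1.host=localhost
worker.app1.port=8009
worker.app1.max_packet_size=16384
"""
SERVER_XML = """\
<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3"/>
</Service></Server>
"""

def jk_workers(text):
    """Return {worker: (port, max_packet_size)} for ajp13 workers in workers.properties."""
    workers = {}
    for line in text.splitlines():
        m = re.match(r"\s*worker\.([^.\s]+)\.(\w+)\s*=\s*(\S+)", line)
        if m:  # worker.list and comment lines do not match this pattern
            workers.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return {n: (int(w.get("port", 8009)), int(w.get("max_packet_size", AJP_DEFAULT)))
            for n, w in workers.items() if w.get("type", "ajp13") == "ajp13"}

def ajp_connectors(xml_text):
    """Return {port: packetSize} for the AJP connectors in server.xml."""
    out = {}
    for c in ET.fromstring(xml_text).iter("Connector"):
        if "ajp" in c.get("protocol", "").lower():
            out[int(c.get("port"))] = int(c.get("packetSize", AJP_DEFAULT))
    return out

def mismatches(workers_text, server_xml):
    """List (worker, port, jk_size, tomcat_size) where the two ends disagree."""
    conns = ajp_connectors(server_xml)
    return [(name, port, size, conns[port])
            for name, (port, size) in sorted(jk_workers(workers_text).items())
            if port in conns and conns[port] != size]

if __name__ == "__main__":
    for name, port, jk, tc in mismatches(WORKERS_PROPERTIES, SERVER_XML):
        print(f"worker {name} (port {port}): max_packet_size={jk}, Tomcat packetSize={tc}")
```
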