I have a setup where Apache 2.2 is fronting Tomcat 6.0.20. They are talking
AJP/1.3 using mod_proxy_ajp.

I have a URL protected by client SSL. Apache prompts for the client certificate
and I can get to the cert in my webapp (servlet).
However, when the cert has intermediate CAs, I still only get the leaf cert
and not the cert-chain in my Tomcat webapp!
I could not find a setting on Apache (mod_proxy_ajp) to send the cert-chain.
And even if it did, the Tomcat code looks like it only wants to get a single cert!

org.apache.jk.core.MsgContext:

    public void action(ActionCode actionCode, Object param) {...
        } else if( actionCode==ActionCode.ACTION_REQ_SSL_ATTRIBUTE ) {
            Request req=(Request)param;
            // Extract SSL certificate information (if requested)
            MessageBytes certString =
                (MessageBytes)req.getNote(WorkerEnv.SSL_CERT_NOTE);
            if( certString != null && !certString.isNull() ) {
                ByteChunk certData = certString.getByteChunk();
                ByteArrayInputStream bais =
                    new ByteArrayInputStream(certData.getBytes(),
                                             certData.getStart(),
                                             certData.getLength());
                // Fill the first element.
                X509Certificate jsseCerts[] = null;
                try {
                    CertificateFactory cf =
                        CertificateFactory.getInstance("X.509");
                    X509Certificate cert = (X509Certificate)
                        cf.generateCertificate(bais);
                    jsseCerts = new X509Certificate[1];
                    jsseCerts[0] = cert;
                } catch(java.security.cert.CertificateException e) {
                    log.error("Certificate convertion failed" , e );
                    return;
                }

>>> Can possibly change it to something like (assuming the cert-chain gets
>>> passed in WorkerEnv.SSL_CERT_NOTE)

                    Collection<? extends Certificate> certCollection =
                        cf.generateCertificates(bais);
                    X509Certificate[] certs =
                        new X509Certificate[certCollection.size()];
                    int i = 0;
                    for (Certificate cert : certCollection) {
                        certs[i] = (X509Certificate) cert;
                        i++;
                    }

I tried it with Tomcat 5.5.27 as well, with similar results.
I also tried with the original Java connector org.apache.jk.server.JkCoyoteHandler
and the new org.apache.coyote.ajp.AjpProtocol, with similar results.

Seems like a bug? Or am I missing anything?
Any prompt help is appreciated.

Thanks
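
The difference between the two CertificateFactory calls discussed in the post, as an added example that is not part of the original message or of Tomcat's code. The class and method names are hypothetical, and two certificates taken from the JVM's default trust store stand in as constructed sample input (they do not form a real chain).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collection;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class ChainParseDemo {
    // Encode one certificate as a PEM block (the encoding mod_ssl uses for SSL_CLIENT_CERT).
    static byte[] toPem(X509Certificate c) throws Exception {
        String b64 = Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(c.getEncoded());
        return ("-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n")
                .getBytes(StandardCharsets.US_ASCII);
    }

    // Pattern from the quoted connector code: one generateCertificate() call, one-element array.
    static X509Certificate[] parseFirstOnly(byte[] data) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return new X509Certificate[] {
            (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(data)) };
    }

    // Pattern proposed in the post: read every certificate present in the buffer.
    static X509Certificate[] parseAll(byte[] data) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> all =
            cf.generateCertificates(new ByteArrayInputStream(data));
        return all.toArray(new X509Certificate[0]);
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: assumes the default trust store holds at least two certificates.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509Certificate[] sample =
            ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers();
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        for (int i = 0; i < 2; i++) buf.write(toPem(sample[i]));
        byte[] data = buf.toByteArray();
        System.out.println("generateCertificate : " + parseFirstOnly(data).length + " certificate(s)");
        for (X509Certificate c : parseAll(data))
            System.out.println("generateCertificates: " + c.getSubjectX500Principal());
    }
}
```

Parsing more than one certificate only helps if the front end actually places the whole chain in the buffer, which is the assumption the post itself states.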