Rainer,

On 10/22/2009 3:22 PM, Rainer Jung wrote:
> Not sure, but here are some steps to close the gap:
>
> Apache itself should put the cert into a so-called environment variable
> named "SSL_CLIENT_CERT". You can log env vars in the access log by
> adding "%{SSL_CLIENT_CERT}e" to your LogFormat. That way you can first
> check whether the cert data is present in Apache.

Okay, here's what I have for relevant Apache httpd configuration:

    SSLEngine on
    SSLCipherSuite \
        ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile ...
    SSLCertificateKeyFile ...
    SSLCACertificateFile /path/to/ca.crt
    JkOptions +ForwardSSLCertChain
    CustomLog /var/log/apache2/wtf.log \
        "%t %h proto=%{SSL_PROTOCOL}x cipher=%{SSL_CIPHER}x cert=%{SSL_CLIENT_CERT}e \"%r\" %b"

    <Location /diagnosis/admin/ClientCertInfo.jsp>
        SSLVerifyClient require
        SSLVerifyDepth 1
        JkMount worker3
    </Location>

When I request /diagnosis/admin/ClientCertInfo.jsp, I get this message in my wtf.log file:

    [22/Oct/2009:17:13:13 -0400] 192.168.1.200 proto=TLSv1 cipher=DHE-RSA-CAMELLIA256-SHA cert=- "GET /diagnosis/admin/ClientCertInfo.jsp?foo=bar HTTP/1.1" 36

So, it looks like the cert isn't being set in the environment variable.

If I connect using a browser without the client certificate installed (I have Mozilla set up with the client cert, while MSIE does not have the client cert), then I get a connection error (stupid MSIE "friendly" error message). This leads me to believe that the "SSLVerifyClient require" is having the desired effect.

Any thoughts as to why the SSL_CLIENT_CERT environment variable is not being set? I even tried adding:

    SSLOptions +StdEnvVars

...but that seemed to have no effect.

I'm guessing once I get past this problem, the rest ought to work (also ducks and runs!).
Thanks,
-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
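As an added example, not configuration from the original post or from the mod_ssl or mod_jk projects: the same layout with the client certificate actually exported and logged. The `%{...}e` log directive only sees variables mod_ssl has exported, and mod_ssl exports the PEM certificate (SSL_CLIENT_CERT) only under `SSLOptions +ExportCertData`; `+StdEnvVars` covers the other SSL_* variables. Certificate paths and the worker name are placeholders.

```apache
# Added example, not the poster's configuration. Paths are placeholders.
SSLEngine on
# Narrowed from the ALL-based string in the post: no anonymous,
# export-grade, LOW or NULL-encryption suites.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!LOW
SSLProtocol all -SSLv2
SSLCertificateFile    /path/to/server.crt
SSLCertificateKeyFile /path/to/server.key
SSLCACertificateFile  /path/to/ca.crt

# %{...}x reads mod_ssl's own variables, so the verify result and the
# certificate are logged whether or not they were exported to the
# environment; %{...}e only shows variables SSLOptions has exported.
LogFormat "%t %h proto=%{SSL_PROTOCOL}x cipher=%{SSL_CIPHER}x verify=%{SSL_CLIENT_VERIFY}x cert=%{SSL_CLIENT_CERT}x \"%r\" %b" sslcert
CustomLog /var/log/apache2/wtf.log sslcert

<Location /diagnosis/admin/ClientCertInfo.jsp>
    SSLVerifyClient require
    SSLVerifyDepth 1
    # +StdEnvVars exports SSL_CLIENT_S_DN, SSL_CLIENT_VERIFY and friends;
    # the PEM certificate itself (SSL_CLIENT_CERT) is exported only by
    # +ExportCertData. That variable is also the one mod_jk reads by
    # default when forwarding the client certificate to Tomcat.
    SSLOptions +StdEnvVars +ExportCertData
    JkOptions +ForwardSSLCertChain
    JkMount worker3
</Location>
```

With this in place, a request that presents a valid client certificate should log `verify=SUCCESS` and a PEM blob in the `cert=` field instead of `cert=-`; a `verify=FAILED:...` value points at the chain rather than at the export.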