Posted to dev@tomcat.apache.org by Jesús Luna <j....@certiver.com> on 2004/10/06 11:41:16 UTC
Problems with SSL_CLIENT_CERT_CHAIN_n from servlet
Hi everybody,
Currently I'm developing a servlet that validates with our OCSP service a
user certificate received from Apache v1.3.29 (with mod_ssl v2.8.16 and
ajp13 workers), but the problem is that I need to extract some data about
the corresponding client certificate chain to build the OCSP request, and
I've not been able to obtain this from Tomcat v4.1.30 (with mod_jk v1.2), all
under Linux. I'm pretty sure that it's not a configuration problem because
my servlet is already retrieving additional information from mod_jk (i.e.
the client certificate, cipher, protocol and other SSL_ environment
variables from Apache/mod_ssl).
Anyway, in mod_jk I've tried the following directives:
JkEnvVar SSL_CLIENT_CERT_CHAIN_0 SSL_CLIENT_CERT_CHAIN_0
JkEnvVar SSL_CLIENT_CERT_CHAIN_1 SSL_CLIENT_CERT_CHAIN_1
.
.
etc
And then from my Java servlet:
String chain0 = (String) request.getAttribute("SSL_CLIENT_CERT_CHAIN_0");
// Also tried it as an X509Certificate object
// Variable chain0 turns out to be equal to the string "SSL_CLIENT_CERT_CHAIN_0"
X509Certificate[] cert = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
// Only getting one certificate in the array, the one corresponding to the SSL client
// No certificates from the chain
Finally, I've been browsing through some emails on this list that talk about
performance issues with the cert chain extraction, so I don't know if this
feature may be unavailable or something like this.
Thank you in advance for your help, best regards
_______________________
Jesus Luna Garcia
CertiVeR (U.E. Funded Project)
j.luna@certiver.com
http://www.certiver.com
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
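An added example, not code from the thread, of how a servlet behind mod_jk can collect the leaf certificate from the servlet-spec attribute together with the forwarded SSL_CLIENT_CERT_CHAIN_n values, and pick out the issuer certificate an OCSP request is built from. It assumes Java 7 or later and that the chain attributes arrive as PEM strings; the ClientChainExtractor class and the normalizePem/issuerOf helpers are hypothetical names. The check against the attribute's own name reflects that mod_jk treats the second argument of JkEnvVar as the default value sent when Apache has not set the variable, which is exactly the string the post reports seeing.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;

/** Collects the client certificate and the CA chain that mod_jk forwards to the servlet. */
public final class ClientChainExtractor {
    // Attribute names from the thread: the servlet-spec attribute and the JkEnvVar prefix.
    private static final String SPEC_ATTR = "javax.servlet.request.X509Certificate";
    private static final String CHAIN_PREFIX = "SSL_CLIENT_CERT_CHAIN_";

    /** Leaf certificate first, then SSL_CLIENT_CERT_CHAIN_0, _1, ... until one is missing. */
    public static List<X509Certificate> chain(HttpServletRequest req) throws GeneralSecurityException {
        List<X509Certificate> out = new ArrayList<X509Certificate>();
        X509Certificate[] leaf = (X509Certificate[]) req.getAttribute(SPEC_ATTR);
        if (leaf != null) for (X509Certificate c : leaf) out.add(c);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (int i = 0; ; i++) {
            String name = CHAIN_PREFIX + i;
            Object v = req.getAttribute(name);
            // "JkEnvVar NAME NAME" makes NAME the default value, so an attribute equal to
            // its own name means Apache never exported that variable: stop, do not parse it.
            if (!(v instanceof String) || name.equals(v)) break;
            byte[] pem = normalizePem((String) v).getBytes(StandardCharsets.US_ASCII);
            out.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(pem)));
        }
        return out;
    }
    /** Restores PEM line structure if a front end flattened the value onto one line. */
    static String normalizePem(String pem) {
        String b64 = pem.replace("-----BEGIN CERTIFICATE-----", "")
                        .replace("-----END CERTIFICATE-----", "").replaceAll("\\s+", "");
        return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n";
    }
    /** Picks the chain element that issued {@code leaf}: an OCSP CertID is built from the
     *  issuer's subject name and public key. Returns null if no candidate verifies. */
    static X509Certificate issuerOf(X509Certificate leaf, List<X509Certificate> chain) {
        for (X509Certificate c : chain) {
            if (!c.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) continue;
            try { leaf.verify(c.getPublicKey()); return c; }
            catch (GeneralSecurityException e) { /* name matches but key does not; keep looking */ }
        }
        return null;
    }
}
```

If chain() returns only the leaf, the chain variables are not reaching the servlet and the mod_jk/mod_ssl side needs attention rather than the Java side.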
RE: Problems with SSL_CLIENT_CERT_CHAIN_n from servlet
Posted by Jesús Luna <j....@certiver.com>.
> -----Original message-----
> From: jean-frederic clere [mailto:jfrederic.clere@fujitsu-siemens.com]
> Sent: Wednesday, 06 October 2004 16:54
> To: Tomcat Developers List
> Subject: Re: Problems with SSL_CLIENT_CERT_CHAIN_n from servlet
>
> What do you have in httpd.conf?
>
>
In my httpd.conf I've appended the following lines related to mod_ssl and
mod_jk:
Include /usr/local/java/tomcat4/conf/mod_jk.conf
Include /usr/local/apache/conf/ssl.conf
File mod_jk.conf looks like this:
<IfModule !mod_jk.c>
LoadModule jk_module "/usr/local/apache/libexec/mod_jk.so"
</IfModule>
JkExtractSSL On
JkHTTPSIndicator HTTPS
JkSESSIONIndicator SSL_SESSION_ID
JkCIPHERIndicator SSL_CIPHER
JkCERTSIndicator SSL_CLIENT_CERT
JkEnvVar SSL_PROTOCOL sslProtocol
JkEnvVar SSL_CLIENT_CERT_CHAIN_0 SSL_CLIENT_CERT_CHAIN_0
JkEnvVar SSL_SERVER_CERT SSL_SERVER_CERT
JkWorkersFile "/usr/local/java/tomcat4/conf/workers.properties"
JkLogFile "/var/log/httpd/mod_jk.log"
JkLogLevel debug
And file ssl.conf:
<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/usr/local/apache/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog /var/log/httpd/ssl_engine_log
SSLLogLevel info
<VirtualHost _default_:443>
DocumentRoot "/usr/local/httpd/sslhtdocs"
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache/conf/ssl.crt/smurf.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/smurf.key
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca-bundle.crt
SSLCARevocationPath /usr/local/apache/conf/ssl.crl
SSLVerifyClient require
SSLVerifyDepth 10
SSLOptions +StdEnvVars +ExportCertData
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars +ExportCertData
</Files>
<Directory "/usr/local/apache/cgi-bin">
SSLOptions +StdEnvVars +ExportCertData
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /var/log/httpd/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
#################### www.semarket.com:/certiver ####################
# Static files
Alias /certiver "/usr/local/java/tomcat4/webapps/certiver"
<Directory "/usr/local/java/tomcat4/webapps/certiver">
Options Indexes FollowSymLinks
DirectoryIndex index.jsp index.html
</Directory>
<Location "/certiver/WEB-INF/*">
AllowOverride None
deny from all
</Location>
<Location "/certiver/META-INF/*">
AllowOverride None
deny from all
</Location>
JkMount /certiver/* ajp13
</VirtualHost>
</IfDefine>
Thanks!
_______________________
Jesus Luna Garcia
CertiVeR (U.E. Funded Project)
j.luna@certiver.com
http://www.certiver.com
Re: Problems with SSL_CLIENT_CERT_CHAIN_n from servlet
Posted by jean-frederic clere <jf...@fujitsu-siemens.com>.
Jesús Luna wrote:
> Hi everybody,
> Currently I'm developing a servlet that validates with our OCSP service a
> user certificate received from Apache v1.3.29 (with mod_ssl v2.8.16 and
> ajp13 workers), but the problem is that I need to extract some data about
> the corresponding client certificate chain to build the OCSP request, and
> I've not been able to obtain this from Tomcat v4.1.30 (with mod_jk v1.2), all
> under Linux. I'm pretty sure that it's not a configuration problem because
> my servlet is already retrieving additional information from mod_jk (i.e.
> the client certificate, cipher, protocol and other SSL_ environment
> variables from Apache/mod_ssl).
What do you have in httpd.conf?
>
> Anyway, in mod_jk I've tried the following directives:
> JkEnvVar SSL_CLIENT_CERT_CHAIN_0 SSL_CLIENT_CERT_CHAIN_0
> JkEnvVar SSL_CLIENT_CERT_CHAIN_1 SSL_CLIENT_CERT_CHAIN_1
> .
> .
> etc
>
> And then from my Java servlet:
> String chain0 = (String) request.getAttribute("SSL_CLIENT_CERT_CHAIN_0");
> // Also tried it as an X509Certificate object
> // Variable chain0 turns out to be equal to the string "SSL_CLIENT_CERT_CHAIN_0"
>
> X509Certificate[] cert = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
> // Only getting one certificate in the array, the one corresponding to the SSL client
> // No certificates from the chain
>
> Finally, I've been browsing through some emails on this list that talk about
> performance issues with the cert chain extraction, so I don't know if this
> feature may be unavailable or something like this.
>
> Thank you in advance for your help, best regards
>
> _______________________
> Jesus Luna Garcia
> CertiVeR (U.E. Funded Project)
> j.luna@certiver.com
> http://www.certiver.com
>
>