Posted to dev@httpd.apache.org by Marc Stern <st...@hotmail.com> on 2004/05/12 13:09:03 UTC

SSL_CLIENT_S_DN and proxy

When using Apache as a proxy:
  ( browser  --https-->  Apache + mod_proxy  --https-->  Web server )
the Web server never receives the user's certificate info, because only the
proxy is seen by the Web server. That means that all headers SSL_CLIENT_*
contain the proxy certificate info, not the user certificate info.

Is there a way to get the user's certificate info ?
Otherwise, I propose to add (at least) a header containing the client
Distinguished Name (something like SSL_REMOTE_CLIENT_S_DN ?).

This value should be passed without modification through all proxies.
As the client could spoof it, we also need a parameter to explicitly state
that we accept the given header; if not, we overwrite it.

Does this sound reasonable ?

Marc

Re: SSL_CLIENT_S_DN and proxy

Posted by Marc Stern <st...@hotmail.com>.
From what I understand - and it seems confirmed by the test I made - the
header is modified (created) before Apache populates the value.
I tried with the header HTTP_HOST ("RequestHeader set X-HOST %{HTTP_HOST}e"),
and the header is created, but empty.

Is the same feature available, but at the end of the treatment ?

Marc

----- Original Message ----- 
From: "Joe Orton" <jo...@redhat.com>
To: <de...@httpd.apache.org>
Sent: Wednesday, May 12, 2004 3:27 PM
Subject: Re: SSL_CLIENT_S_DN and proxy


> On Wed, May 12, 2004 at 01:09:03PM +0200, Marc Stern wrote:
> > When using Apache as a proxy:
> >   ( browser  --https-->  Apache + mod_proxy  --https-->  Web server )
> > the Web server never receives the user's certificate info, because only the
> > proxy is seen by the Web server. That means that all headers SSL_CLIENT_*
> > contain the proxy certificate info, not the user certificate info.
> >
> > Is there a way to get the user's certificate info ?
>
> On the proxy use, e.g.:
>
> SSLOptions +StdEnvVars
> RequestHeader set X-Foo %{SSL_CLIENT_S_DN}e
>
> and the client DN is passed through to the backend in the X-Foo header.
>
> joe
>

Re: SSL_CLIENT_S_DN and proxy

Posted by Joe Orton <jo...@redhat.com>.
On Wed, May 12, 2004 at 01:09:03PM +0200, Marc Stern wrote:
> When using Apache as a proxy:
>   ( browser  --https-->  Apache + mod_proxy  --https-->  Web server )
> the Web server never receives the user's certificate info, because only the
> proxy is seen by the Web server. That means that all headers SSL_CLIENT_*
> contain the proxy certificate info, not the user certificate info.
> 
> Is there a way to get the user's certificate info ?

On the proxy use, e.g.:

SSLOptions +StdEnvVars
RequestHeader set X-Foo %{SSL_CLIENT_S_DN}e

and the client DN is passed through to the backend in the X-Foo header.

joe
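
A backend-side sketch of the spoofing concern raised in the first message, as an added example that is not code from this thread or from httpd: a WSGI middleware that keeps the X-Foo value only when the connection comes from the proxy, and removes it otherwise. The proxy address, the environ key names and the treatment of "(null)" as an unset value are assumptions.

```python
import ipaddress

HEADER_KEY = "HTTP_X_FOO"                # X-Foo as it appears in a WSGI environ
TRUSTED_KEY = "SSL_REMOTE_CLIENT_S_DN"   # name proposed in the thread, used here
                                         # as an environ key (assumption)


class ForwardedClientDN:
    """Keep the forwarded client DN only when the peer is a trusted proxy."""

    def __init__(self, app, trusted_proxies):
        self.app = app
        self.trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def _peer_is_proxy(self, environ):
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False  # missing or malformed peer address: do not trust
        return any(peer in net for net in self.trusted)

    def __call__(self, environ, start_response):
        # Always remove the raw header so the application cannot read an
        # unverified value by accident.
        forwarded = environ.pop(HEADER_KEY, None)
        environ.pop(TRUSTED_KEY, None)
        # Empty or "(null)" means the proxy had no client DN to pass on.
        if forwarded and forwarded != "(null)" and self._peer_is_proxy(environ):
            environ[TRUSTED_KEY] = forwarded
        return self.app(environ, start_response)


def demo(remote_addr, header_value):
    """Send one constructed request through the middleware; return what the app sees."""
    seen = {}

    def app(environ, start_response):
        seen["dn"] = environ.get(TRUSTED_KEY)
        seen["raw"] = environ.get(HEADER_KEY)
        return [b""]

    mw = ForwardedClientDN(app, ["192.0.2.10/32"])  # constructed proxy address
    environ = {"REMOTE_ADDR": remote_addr}
    if header_value is not None:
        environ[HEADER_KEY] = header_value
    mw(environ, lambda status, headers: None)
    return seen
```

The check only holds if the backend is reachable solely through the proxy, or if REMOTE_ADDR cannot be forged on the path between them.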