Posted to dev@tomcat.apache.org by bu...@apache.org on 2010/05/25 00:39:19 UTC

DO NOT REPLY [Bug 49335] New: Client certificate not passed to Tomcat

https://issues.apache.org/bugzilla/show_bug.cgi?id=49335

           Summary: Client certificate not passed to Tomcat
           Product: Tomcat Connectors
           Version: 1.2.30
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_jk
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: markt@apache.org


Windows XP 64 bit, fully patched
httpd 2.2.15
mod_jk 1.2.30
Tomcat 7.0.0-RC3

I have been unable to get mod_jk to pass SSL certificate information to Tomcat.
The set-up works since if I switch my JkMount for a ProxyPass (using
mod_proxy_ajp) Tomcat receives the client certificate information. I am
therefore sure that the SSL authentication is correctly set-up in httpd.

Running the mod_jk log at debug level shows mod_jk recognises that this is an
SSL request but fails to pass on the client certificate.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


DO NOT REPLY [Bug 49335] Client certificate not passed to Tomcat


--- Comment #1 from Konstantin Kolinko <kn...@gmail.com> 2010-05-24 20:03:24 EDT ---
Is it reproducible in 7.0 RC3 only, or in 6.0.x as well?

Is Tomcat running with 32-bit or 64-bit JRE? Is Tomcat-Native used?

Does this certificate fit into a single AJP packet, along with other request
headers? Sure that it does fit, because otherwise there must be an error
logged.

I wonder how the AJP packet created by mod_jk differs from the one created by
mod_proxy_ajp.


In mod_jk the place where SSL certificate is appended to the packet is
native\common\jk_ajp_common.c
-- look for SC_A_SSL_CERT there

In mod_proxy_ajp of Apache 2.2.x the SSL certificates are appended in
modules\proxy\ajp_header.c
-- look for SC_A_SSL_CERT there

By quick look the code there looks quite similar, but there might be a
difference on how information on the presence of a certificate is obtained.

What JkOptions directives are used in the configuration?
I see that mod_jk can send a whole certificate chain if the +ForwardSSLCertChain
option is used (off by default). It looks like mod_proxy_ajp cannot send the
certificate chain.



DO NOT REPLY [Bug 49335] Client certificate not passed to Tomcat


Rainer Jung <ra...@kippdata.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

--- Comment #3 from Rainer Jung <ra...@kippdata.de> 2010-05-25 08:57:52 EDT ---
The solution should be: add "SSLOptions +ExportCertData", and if you want to
get information like SSL session id, etc. in addition also add "SSLOptions
+StdEnvVars". Confirmed by code inspection and by testing.

mod_proxy gets the data directly from mod_ssl through an ssl variable lookup.
mod_jk uses the export to environment feature of mod_ssl, which has to be
activated explicitly.

I added a note about that to the docs pages "Apache Reference" and "Reverse
Proxy HowTo". See r948029.

Please reopen if it still does not work. Thanks for the report.


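The fix in comment #3 comes down to a single mod_ssl directive, and the symptom (an SSL request reaches mod_jk, no certificate is placed in the AJP packet, nothing is logged as an error) is easy to miss in a review. The following Python script is added here as an example; it is not code from mod_jk, httpd or the bug report. It scans an httpd configuration for virtual hosts that JkMount a path guarded by SSLVerifyClient while ExportCertData is off, and it carries the reporter's setup in two constructed sample configurations, one without and one with the directive. It assumes a single flat configuration string (Include files are not followed) and tracks directives only at the VirtualHost level.

```python
"""Check an httpd configuration for the mod_jk client-certificate pitfall from
Bug 49335: a virtual host that JkMounts a path guarded by SSLVerifyClient but
never enables 'SSLOptions +ExportCertData', so mod_ssl does not export
SSL_CLIENT_CERT into the request environment and mod_jk has nothing to
forward.  Added example; not code from mod_jk, httpd or the bug report.
The sample configurations below are constructed."""
import re

_VHOST_OPEN = re.compile(r"^<VirtualHost\b", re.IGNORECASE)
_VHOST_CLOSE = re.compile(r"^</VirtualHost>", re.IGNORECASE)


def _split_scopes(config_text):
    """Return (global_lines, [(vhost_header, vhost_lines), ...]).

    Only the VirtualHost level is tracked; directives inside <Location> or
    <Directory> are attributed to the enclosing vhost, which is enough here.
    Include directives are not followed (assumption: one flat config)."""
    global_lines, vhosts, current = [], [], None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if _VHOST_OPEN.match(line):
            current = (line, [])
            vhosts.append(current)
        elif _VHOST_CLOSE.match(line):
            current = None
        elif current is None:
            global_lines.append(line)
        else:
            current[1].append(line)
    return global_lines, vhosts


def _export_cert_data(lines):
    """True/False if an SSLOptions line turns ExportCertData on/off in these
    lines, None if the option is never mentioned (last mention wins)."""
    state = None
    for line in lines:
        parts = line.split()
        if parts[0].lower() != "ssloptions":
            continue
        for opt in parts[1:]:
            if opt.lstrip("+-").lower() == "exportcertdata":
                state = not opt.startswith("-")
    return state


def find_missing_export(config_text):
    """Return one finding per vhost that JkMounts a path, requires or requests
    a client certificate, and has ExportCertData off (vhost or inherited)."""
    global_lines, vhosts = _split_scopes(config_text)
    global_export = _export_cert_data(global_lines)
    findings = []
    for header, lines in vhosts:
        tokens = [l.lower().split() for l in lines]
        uses_jk = any(t[0] == "jkmount" for t in tokens)
        verifies = any(
            t[0] == "sslverifyclient" and t[-1] in ("require", "optional")
            for t in tokens
        )
        export = _export_cert_data(lines)
        if export is None:  # SSLOptions is inherited from the server scope
            export = global_export
        if uses_jk and verifies and not export:
            findings.append(
                f"{header}: JkMount plus SSLVerifyClient without "
                "'SSLOptions +ExportCertData'; mod_jk will not see SSL_CLIENT_CERT"
            )
    return findings


# Constructed sample modelled on the reporter's description: StdEnvVars only.
BROKEN_CONF = """
JkWorkersFile conf/workers.properties
JkShmFile     logs/mod_jk.shm
JkLogFile     logs/mod_jk.log

<VirtualHost _default_:443>
    SSLEngine on
    SSLOptions +StdEnvVars
    <Location /bugs-tc5/bug37869.jsp>
        SSLVerifyClient require
    </Location>
    JkMount /bugs-tc5/bug37869.jsp worker1
</VirtualHost>
"""

# The same host with the directive from comment #3 added.
FIXED_CONF = BROKEN_CONF.replace(
    "SSLOptions +StdEnvVars", "SSLOptions +StdEnvVars +ExportCertData"
)

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, find_missing_export(conf) or ["ok"])
```

ExportCertData is what makes mod_ssl place the PEM client certificate in the SSL_CLIENT_CERT environment variable, which is the channel mod_jk reads; mod_proxy_ajp asks mod_ssl directly, which is why the ProxyPass variant in comment #2 worked with the same vhost. The check treats a vhost SSLOptions line that does not mention ExportCertData as inheriting the server-scope setting, and an explicit -ExportCertData in the vhost as overriding it.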

DO NOT REPLY [Bug 49335] Client certificate not passed to Tomcat


--- Comment #2 from Mark Thomas <ma...@apache.org> 2010-05-25 04:20:52 EDT ---
(In reply to comment #1)
> Is it reproducible in 7.0 RC3 only, or in 6.0.x as well?
Both. Given that the mod_jk logs showed that no certificate was being sent,
this is expected. 

> Is Tomcat running with 32-bit or 64-bit JRE? Is Tomcat-Native used?
Not relevant. This isn't an AJP connector issue.

> Does this certificate fit into a single AJP packet, along with other request
> headers? Sure that it does fit, because otherwise there must be an error
> logged.
Yes, else a) there would be an error and b) mod_proxy_ajp wouldn't work either.

> What JkOptions directives are used in the configuration?
The bare minimum:
JkWorkersFile    conf/workers.properties
JkShmFile    logs/mod_jk.shm
JkLogFile    logs/mod_jk.log

Non-SSL requests work without issue.

The relevant parts of the SSL virtual host are:
<Location /bugs-tc5/bug37869.jsp >
    SSLVerifyClient    require
</Location>

This works:
ProxyPass /bugs-tc5/bug37869.jsp ajp://localhost:8009/bugs-tc5/bug37869.jsp

This fails:
JkMount /bugs-tc5/bug37869.jsp worker1

That JSP is configured on the Tomcat side to require SSL, require a specific
client certificate and to display the DN of the supplied cert.

With mod_proxy_ajp everything works.

With mod_jk no certificate is present in the request received by Tomcat. This
has been verified a) by reviewing the mod_jk logs, b) debugging Tomcat parsing
the AJP request.



DO NOT REPLY [Bug 49335] Client certificate not passed to Tomcat


--- Comment #4 from Mark Thomas <ma...@apache.org> 2010-05-25 09:28:47 EDT ---
That sounds like it. I had SSLOptions +StdEnvVars but not SSLOptions
+ExportCertData

I'll test this when I am back in front of that machine and re-open if I still
have an issue.
