Posted to dev@tomcat.apache.org by mt...@apache.org on 2007/03/19 08:08:30 UTC
svn commit: r519858 - in /tomcat/connectors/trunk/jk:
java/org/apache/jk/common/ java/org/apache/jk/core/ native/apache-1.3/
native/apache-2.0/ native/common/ xdocs/miscellaneous/ xdocs/reference/
Author: mturk
Date: Mon Mar 19 00:08:28 2007
New Revision: 519858
URL: http://svn.apache.org/viewvc?view=rev&rev=519858
Log:
Add ForwardSSLCertChain JkOption.
Modified:
tomcat/connectors/trunk/jk/java/org/apache/jk/common/JkInputStream.java
tomcat/connectors/trunk/jk/java/org/apache/jk/core/MsgContext.java
tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c
tomcat/connectors/trunk/jk/native/apache-2.0/mod_jk.c
tomcat/connectors/trunk/jk/native/common/jk_global.h
tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml
tomcat/connectors/trunk/jk/xdocs/reference/apache.xml
Modified: tomcat/connectors/trunk/jk/java/org/apache/jk/common/JkInputStream.java
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/java/org/apache/jk/common/JkInputStream.java?view=diff&rev=519858&r1=519857&r2=519858
==============================================================================
--- tomcat/connectors/trunk/jk/java/org/apache/jk/common/JkInputStream.java (original)
+++ tomcat/connectors/trunk/jk/java/org/apache/jk/common/JkInputStream.java Mon Mar 19 00:08:28 2007
@@ -128,6 +128,14 @@
mc.getSource().flush(outputMsg, mc);
}
+ public void flushMessage() throws IOException {
+ outputMsg.reset();
+ outputMsg.appendByte(AjpConstants.JK_AJP13_SEND_BODY_CHUNK);
+ outputMsg.appendInt(0);
+ outputMsg.appendByte(0);
+ mc.getSource().send(outputMsg, mc);
+ mc.getSource().flush(outputMsg, mc);
+ }
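Review bot: flushMessage() has no Javadoc, and because it sends a JK_AJP13_SEND_BODY_CHUNK with a zero length (`appendInt(0)` followed by `appendByte(0)`) a reader cannot tell why an empty chunk is pushed to the connector; a comment such as `/** Sends an empty SEND_BODY_CHUNK message — presumably as an explicit flush signal to the web server side; confirm with the author. */` would record the intent. This method and the `jkIS.flushMessage()` call added in MsgContext.java are also absent from the commit log, which only describes the ForwardSSLCertChain option, so a line in the log or changelog naming the flush change would help anyone bisecting later.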
// -------------------- OutputBuffer implementation --------------------
Modified: tomcat/connectors/trunk/jk/java/org/apache/jk/core/MsgContext.java
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/java/org/apache/jk/core/MsgContext.java?view=diff&rev=519858&r1=519857&r2=519858
==============================================================================
--- tomcat/connectors/trunk/jk/java/org/apache/jk/core/MsgContext.java (original)
+++ tomcat/connectors/trunk/jk/java/org/apache/jk/core/MsgContext.java Mon Mar 19 00:08:28 2007
@@ -278,6 +278,7 @@
if( log.isDebugEnabled() ) log.debug("CLIENT_FLUSH " );
try {
source.flush( null, this );
+ jkIS.flushMessage();
} catch(IOException iex) {
// This is logged elsewhere, so debug only here
log.debug("Error during flush",iex);
Modified: tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c?view=diff&rev=519858&r1=519857&r2=519858
==============================================================================
--- tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c (original)
+++ tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c Mon Mar 19 00:08:28 2007
@@ -68,6 +68,7 @@
#define JK_ENV_CIPHER ("SSL_CIPHER")
#define JK_ENV_SESSION ("SSL_SESSION_ID")
#define JK_ENV_KEY_SIZE ("SSL_CIPHER_USEKEYSIZE")
+#define JK_ENV_CERTCHAIN_PREFIX ("SSL_CLIENT_CERT_CHAIN_")
#define JK_ENV_WORKER_NAME ("JK_WORKER_NAME")
#define JK_NOTE_WORKER_NAME ("JK_WORKER_NAME")
#define JK_NOTE_WORKER_TYPE ("JK_WORKER_TYPE")
@@ -167,6 +168,7 @@
char *cipher_indicator;
char *session_indicator;
char *key_size_indicator;
+ char *certchain_prefix; /* Client certificate chain prefix */
/*
* Jk Options
@@ -648,8 +650,34 @@
s->ssl_cert =
(char *)ap_table_get(r->subprocess_env,
conf->certs_indicator);
+
+ if (conf->options & JK_OPT_FWDCERTCHAIN) {
+ array_header *t = ap_table_elts(r->subprocess_env);
+ if (t && t->nelts) {
+ int i;
+ table_entry *elts = (table_entry *) t->elts;
+ array_header *certs = ap_make_array(r->pool, 1,
+ sizeof(char *));
+ *(const char **)ap_push_array(certs) = s->ssl_cert;
+ for (i = 0; i < t->nelts; i++) {
+ if (!elts[i].key)
+ continue;
+ if (!strncasecmp(elts[i].key,
+ conf->certchain_prefix,
+ strlen(conf->certchain_prefix)))
+ *(const char **)ap_push_array(certs) = elts[i].val;
+ }
+ s->ssl_cert = ap_array_pstrcat(r->pool, certs, '\0');
+ }
+ }
+
if (s->ssl_cert) {
s->ssl_cert_len = strlen(s->ssl_cert);
+ if (JK_IS_DEBUG_LEVEL(conf->log)) {
+ jk_log(conf->log, JK_LOG_DEBUG,
+ "SSL client certificate (%d bytes):\n%s",
+ s->ssl_cert_len, s->ssl_cert);
+ }
}
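Review bot: When no client certificate was presented, `s->ssl_cert` is NULL yet it is still pushed as the first element of `certs` (the `*(const char **)ap_push_array(certs) = s->ssl_cert;` line), so if ap_array_pstrcat skips NULL elements the way APR's does, the result is an empty pool string and the `if (s->ssl_cert)` test below now forwards a zero-length certificate where the old code forwarded none, while an implementation that does not tolerate NULL would dereference it. Guarding the whole block with `if (s->ssl_cert && (conf->options & JK_OPT_FWDCERTCHAIN)) {` keeps the previous behaviour for requests without a client certificate. The `'\0'` separator passed to ap_array_pstrcat means the PEM values are concatenated with nothing between them, which only yields a parseable bundle if each value already ends in a newline, so a comment such as `/* mod_ssl PEM values are newline-terminated, so plain concatenation yields a valid bundle -- confirm */` is warranted. The corresponding hunk in native/apache-2.0/mod_jk.c (apr_array_push / apr_array_pstrcat) has the same two issues. The enclosing function starts and ends outside the hunk.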
/* Servlet 2.3 API */
s->ssl_cipher =
@@ -1586,6 +1614,25 @@
}
/*
+ * JkCERTCHAINPrefix Directive Handling
+ *
+ * JkCERTCHAINPrefix SSL_CLIENT_CERT_CHAIN_
+ */
+
+static const char *jk_set_certchain_prefix(cmd_parms * cmd,
+ void *dummy, const char *prefix)
+{
+ server_rec *s = cmd->server;
+ jk_server_conf_t *conf =
+ (jk_server_conf_t *) ap_get_module_config(s->module_config,
+ &jk_module);
+
+ conf->certchain_prefix = ap_pstrdup(cmd->pool, prefix);
+
+ return NULL;
+}
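Review bot: jk_set_certchain_prefix stores the prefix without checking that it is non-empty, and the matching loop compares with `strncasecmp(key, prefix, strlen(prefix))`, so if an empty argument (`JkCERTCHAINPrefix ""`) reaches this handler every subprocess_env entry matches and is appended to the forwarded certificate. A one-line guard before the ap_pstrdup, `if (!prefix || !*prefix) return "JkCERTCHAINPrefix: prefix must not be empty";`, rejects that configuration at startup, consistent with how jk_set_options reports an illegal option. The identical handler added in native/apache-2.0/mod_jk.c needs the same check.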
+
+/*
* JkSESSIONIndicator Directive Handling
*
* JkSESSIONIndicator SSL_SESSION_ID
@@ -1631,6 +1678,8 @@
* ForwardURICompatUnparsed => Forward URI as unparsed, spec compliant but broke mod_rewrite (old TC)
* ForwardURIEscaped => Forward URI escaped and Tomcat (3.3 rc2) stuff will do the decoding part
* ForwardDirectories => Forward all directory requests with no index files to Tomcat
+ * +ForwardSSLCertChain => Forward SSL certificate chain
+ * -ForwardSSLCertChain => Don't forward SSL certificate chain
*/
const char *jk_set_options(cmd_parms * cmd, void *dummy, const char *line)
@@ -1689,6 +1738,9 @@
else if (!strcasecmp(w, "DisableReuse")) {
opt = JK_OPT_DISABLEREUSE;
}
+ else if (!strcasecmp(w, "ForwardCertChain")) {
+ opt = JK_OPT_FWDCERTCHAIN;
+ }
else
return ap_pstrcat(cmd->pool, "JkOptions: Illegal option '", w,
"'", NULL);
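Review bot: The option name accepted here, `ForwardCertChain`, does not match the name this same commit documents: the comment blocks above jk_set_options and the command table say `+ForwardSSLCertChain`, the xdocs reference text shows `JkOptions +ForwardSSLCertChain`, and the changelog entry calls it ForwardSSLCertChain as well. As written, the documented line is rejected with the "Illegal option" error a few lines below. Either change this branch to `else if (!strcasecmp(w, "ForwardSSLCertChain")) {` or align the documentation; the hunk adding the same branch in native/apache-2.0/mod_jk.c has the identical mismatch. jk_set_options continues outside the hunk.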
@@ -1874,6 +1926,8 @@
"Name of the Apache environment that contains SSL client certificates"},
{"JkCIPHERIndicator", jk_set_cipher_indicator, NULL, RSRC_CONF, TAKE1,
"Name of the Apache environment that contains SSL client cipher"},
+ {"JkCERTCHAINPrefix", jk_set_certchain_prefix, NULL, RSRC_CONF, TAKE1,
+ "Name of the Apache environment (prefix) that contains SSL client chain certificates"},
{"JkSESSIONIndicator", jk_set_session_indicator, NULL, RSRC_CONF, TAKE1,
"Name of the Apache environment that contains SSL session"},
{"JkKEYSIZEIndicator", jk_set_key_size_indicator, NULL, RSRC_CONF, TAKE1,
@@ -1889,6 +1943,8 @@
* ForwardURICompat => Forward URI normally, less spec compliant but mod_rewrite compatible (old TC)
* ForwardURICompatUnparsed => Forward URI as unparsed, spec compliant but broke mod_rewrite (old TC)
* ForwardURIEscaped => Forward URI escaped and Tomcat (3.3 rc2) stuff will do the decoding part
+ * +ForwardSSLCertChain => Forward SSL certificate chain
+ * -ForwardSSLCertChain => Don't forward SSL certificate chain
*/
{"JkOptions", jk_set_options, NULL, RSRC_CONF, RAW_ARGS,
"Set one of more options to configure the mod_jk module"},
@@ -2156,6 +2212,7 @@
c->https_indicator = NULL;
c->certs_indicator = NULL;
c->cipher_indicator = NULL;
+ c->certchain_prefix = NULL;
c->session_indicator = NULL;
c->key_size_indicator = NULL;
c->strip_session = JK_UNSET;
@@ -2176,6 +2233,7 @@
c->https_indicator = JK_ENV_HTTPS;
c->certs_indicator = JK_ENV_CERTS;
c->cipher_indicator = JK_ENV_CIPHER;
+ c->certchain_prefix = JK_ENV_CERTCHAIN_PREFIX;
c->session_indicator = JK_ENV_SESSION;
c->key_size_indicator = JK_ENV_KEY_SIZE;
c->strip_session = JK_FALSE;
@@ -2245,6 +2303,8 @@
overrides->certs_indicator = base->certs_indicator;
if (!overrides->cipher_indicator)
overrides->cipher_indicator = base->cipher_indicator;
+ if (!overrides->certchain_prefix)
+ overrides->certchain_prefix = base->certchain_prefix;
if (!overrides->session_indicator)
overrides->session_indicator = base->session_indicator;
if (!overrides->key_size_indicator)
Modified: tomcat/connectors/trunk/jk/native/apache-2.0/mod_jk.c
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/native/apache-2.0/mod_jk.c?view=diff&rev=519858&r1=519857&r2=519858
==============================================================================
--- tomcat/connectors/trunk/jk/native/apache-2.0/mod_jk.c (original)
+++ tomcat/connectors/trunk/jk/native/apache-2.0/mod_jk.c Mon Mar 19 00:08:28 2007
@@ -116,6 +116,7 @@
#define JK_ENV_CIPHER ("SSL_CIPHER")
#define JK_ENV_SESSION ("SSL_SESSION_ID")
#define JK_ENV_KEY_SIZE ("SSL_CIPHER_USEKEYSIZE")
+#define JK_ENV_CERTCHAIN_PREFIX ("SSL_CLIENT_CERT_CHAIN_")
#define JK_ENV_WORKER_NAME ("JK_WORKER_NAME")
#define JK_NOTE_WORKER_NAME ("JK_WORKER_NAME")
#define JK_NOTE_WORKER_TYPE ("JK_WORKER_TYPE")
@@ -204,6 +205,7 @@
char *cipher_indicator;
char *session_indicator; /* Servlet API 2.3 requirement */
char *key_size_indicator; /* Servlet API 2.3 requirement */
+ char *certchain_prefix; /* Client certificate chain prefix */
/*
* Jk Options
@@ -677,8 +679,32 @@
s->ssl_cert =
(char *)apr_table_get(r->subprocess_env,
conf->certs_indicator);
+
+ if (conf->options & JK_OPT_FWDCERTCHAIN) {
+ const apr_array_header_t *t = apr_table_elts(r->subprocess_env);
+ if (t && t->nelts) {
+ int i;
+ const apr_table_entry_t *elts = (const apr_table_entry_t *) t->elts;
+ apr_array_header_t *certs = apr_array_make(r->pool, 1, sizeof(char *));
+ *(const char **)apr_array_push(certs) = s->ssl_cert;
+ for (i = 0; i < t->nelts; i++) {
+ if (!elts[i].key)
+ continue;
+ if (!strncasecmp(elts[i].key, conf->certchain_prefix,
+ strlen(conf->certchain_prefix)))
+ *(const char **)apr_array_push(certs) = elts[i].val;
+ }
+ s->ssl_cert = apr_array_pstrcat(r->pool, certs, '\0');
+ }
+ }
+
if (s->ssl_cert) {
s->ssl_cert_len = strlen(s->ssl_cert);
+ if (JK_IS_DEBUG_LEVEL(conf->log)) {
+ jk_log(conf->log, JK_LOG_DEBUG,
+ "SSL client certificate (%d bytes):\n%s",
+ s->ssl_cert_len, s->ssl_cert);
+ }
}
/* Servlet 2.3 API */
s->ssl_cipher =
@@ -696,6 +722,8 @@
if (ssl_temp)
s->ssl_key_size = atoi(ssl_temp);
}
+
+
}
}
@@ -1614,6 +1642,25 @@
}
/*
+ * JkCERTCHAINPrefix Directive Handling
+ *
+ * JkCERTCHAINPrefix SSL_CLIENT_CERT_CHAIN_
+ */
+
+static const char *jk_set_certchain_prefix(cmd_parms * cmd,
+ void *dummy, const char *prefix)
+{
+ server_rec *s = cmd->server;
+ jk_server_conf_t *conf =
+ (jk_server_conf_t *) ap_get_module_config(s->module_config,
+ &jk_module);
+
+ conf->certchain_prefix = apr_pstrdup(cmd->pool, prefix);
+
+ return NULL;
+}
+
+/*
* JkSESSIONIndicator Directive Handling
*
* JkSESSIONIndicator SSL_SESSION_ID
@@ -1663,6 +1710,8 @@
* ForwardURICompatUnparsed => Forward URI as unparsed, spec compliant but broke mod_rewrite (old TC)
* ForwardURIEscaped => Forward URI escaped and Tomcat (3.3 rc2) stuff will do the decoding part
* ForwardDirectories => Forward all directory requests with no index files to Tomcat
+ * +ForwardSSLCertChain => Forward SSL Cert Chain
+ * -ForwardSSLCertChain => Don't Forward SSL Cert Chain (default)
*/
static const char *jk_set_options(cmd_parms * cmd, void *dummy,
@@ -1722,6 +1771,9 @@
else if (!strcasecmp(w, "DisableReuse")) {
opt = JK_OPT_DISABLEREUSE;
}
+ else if (!strcasecmp(w, "ForwardCertChain")) {
+ opt = JK_OPT_FWDCERTCHAIN;
+ }
else
return apr_pstrcat(cmd->pool, "JkOptions: Illegal option '", w,
"'", NULL);
@@ -1925,6 +1977,8 @@
AP_INIT_TAKE1("JkKEYSIZEIndicator", jk_set_key_size_indicator, NULL,
RSRC_CONF,
"Name of the Apache environment that contains SSL key size in use"),
+ AP_INIT_TAKE1("JkCERTCHAINPrefix", jk_set_certchain_prefix, NULL, RSRC_CONF,
+ "Name of the Apache environment (prefix) that contains SSL client chain certificates"),
AP_INIT_FLAG("JkExtractSSL", jk_set_enable_ssl, NULL, RSRC_CONF,
"Turns on SSL processing and information gathering by mod_jk"),
@@ -1936,6 +1990,8 @@
* ForwardURICompat => Forward URI normally, less spec compliant but mod_rewrite compatible (old TC)
* ForwardURICompatUnparsed => Forward URI as unparsed, spec compliant but broke mod_rewrite (old TC)
* ForwardURIEscaped => Forward URI escaped and Tomcat (3.3 rc2) stuff will do the decoding part
+ * +ForwardSSLCertChain => Forward SSL certificate chain
+ * -ForwardSSLCertChain => Don't forward SSL certificate chain
*/
AP_INIT_RAW_ARGS("JkOptions", jk_set_options, NULL, RSRC_CONF,
"Set one of more options to configure the mod_jk module"),
@@ -2280,6 +2336,7 @@
c->https_indicator = NULL;
c->certs_indicator = NULL;
c->cipher_indicator = NULL;
+ c->certchain_prefix = NULL;
c->session_indicator = NULL;
c->key_size_indicator = NULL;
c->strip_session = JK_UNSET;
@@ -2300,6 +2357,7 @@
c->https_indicator = JK_ENV_HTTPS;
c->certs_indicator = JK_ENV_CERTS;
c->cipher_indicator = JK_ENV_CIPHER;
+ c->certchain_prefix = JK_ENV_CERTCHAIN_PREFIX;
c->session_indicator = JK_ENV_SESSION;
c->key_size_indicator = JK_ENV_KEY_SIZE;
c->strip_session = JK_FALSE;
@@ -2375,6 +2433,8 @@
overrides->certs_indicator = base->certs_indicator;
if (!overrides->cipher_indicator)
overrides->cipher_indicator = base->cipher_indicator;
+ if (!overrides->certchain_prefix)
+ overrides->certchain_prefix = base->certchain_prefix;
if (!overrides->session_indicator)
overrides->session_indicator = base->session_indicator;
if (!overrides->key_size_indicator)
@@ -2794,7 +2854,7 @@
&jk_module);
if (conf) {
- const char *worker;
+ const char *worker;
if ((r->handler != NULL) && (!strcmp(r->handler, JK_HANDLER))) {
/* Somebody already set the handler, probably manual config
* or "native" configuration, no need for extra overhead
Modified: tomcat/connectors/trunk/jk/native/common/jk_global.h
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/native/common/jk_global.h?view=diff&rev=519858&r1=519857&r2=519858
==============================================================================
--- tomcat/connectors/trunk/jk/native/common/jk_global.h (original)
+++ tomcat/connectors/trunk/jk/native/common/jk_global.h Mon Mar 19 00:08:28 2007
@@ -249,6 +249,7 @@
#define JK_OPT_FLUSHPACKETS 0x0020
#define JK_OPT_FLUSHEADER 0x0040
#define JK_OPT_DISABLEREUSE 0x0080
+#define JK_OPT_FWDCERTCHAIN 0x0100
/* Check for EBCDIC systems */
Modified: tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml?view=diff&rev=519858&r1=519857&r2=519858
==============================================================================
--- tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml (original)
+++ tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml Mon Mar 19 00:08:28 2007
@@ -26,6 +26,10 @@
<br />
<subsection name="Native">
<changelog>
+ <update>
+ Apache. Add ForwardSSLCertChain JkOption.
+ Contributed by Patrik Schnellmann. (mturk)
+ </update>
<fix>
IIS. Do not forbid access to web-inf or meta-inf if there is
no mapped worker. This allows to have resource with those names
Modified: tomcat/connectors/trunk/jk/xdocs/reference/apache.xml
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/reference/apache.xml?view=diff&rev=519858&r1=519857&r2=519858
==============================================================================
--- tomcat/connectors/trunk/jk/xdocs/reference/apache.xml (original)
+++ tomcat/connectors/trunk/jk/xdocs/reference/apache.xml Mon Mar 19 00:08:28 2007
@@ -188,6 +188,12 @@
<br/>
The default value is "SSL_CIPHER".
</p></attribute>
+<attribute name="JkCERTCHAINPrefix" required="false"><p>
+Name of the Apache environment (prefix) that contains SSL client chain certificates.
+<br/>
+The default value is "SSL_CLIENT_CERT_CHAIN_".
+</p></attribute>
+</p></attribute>
<attribute name="JkSESSIONIndicator" required="false"><p>
Name of the Apache environment variable that contains SSL session.
<br/>
@@ -576,6 +582,25 @@
<source>
JkOptions +ForwardKeySize
+</source>
+
+<br/>
+<br/>
+</p>
+
+<p>
+JkOptions <b>ForwardSSLCertChain</b>, you ask mod_jk, when using ajp13,
+to Forward SSL certificate chain (off by default).
+Mod_jk only passes the <code>SSL_CLIENT_CERT</code> to the AJP connector. This is not a
+problem with self-signed certificates or certificates directly signed by the
+root CA certificate. However, there's a large number of certificates signed by
+an intermediate CA certificate, where this is a significant problem: A servlet
+will not have the possibility to validate the client certificate on its own. The
+bug would be fixed by passing on the <code>SSL_CLIENT_CERT_CHAIN</code> to Tomcat via the AJP connector.
+<br/>
+This directive exists only since version 1.2.22.
+<source>
+ JkOptions +ForwardSSLCertChain
</source>
<br/>