Posted to dev@httpd.apache.org by Christian Folini <ch...@netnea.com> on 2005/12/12 20:17:53 UTC

Problems with SSL environment variable SSL_CLIENT_CERT as http header

Hello,

This question has been sent to the user mailing list first
without provoking a reply. From the beginning I thought
it was rather a question for the developers.

In fact I am not sure I encountered a bug or a missing
feature.

I am configuring Apache 2.0.54 as a revproxy that handles
authentication based on client certificates.
Now my customer running the backend application requests to see
the client certificates as a whole.

After googling around I stumbled over a new method mentioned
by Brian Hughes on the users mailing list
http://mail-archives.apache.org/mod_mbox/httpd-users/200506.mbox/%3C529e02882227c3dcb217b7b1b41c0715@alum.dartmouth.org%3E

This works fine for almost all the SSL variables mentioned
at http://www.modssl.org/docs/2.8/ssl_reference.html#ToC24

However, I only get the first line of the certificate in
SSL_CLIENT_CERT while the client certificate has multiple lines.
Unfortunately, the user wants to have exactly this item and 
not the single line variables...

Maybe I am not really used to certificates. Maybe I expect
too much of mod_rewrite. But generally I thought http headers
could be repeated, so it should basically be possible to get
the whole file into the headers.

So the question is: Is this a missing feature or a bug? Does it
ring a bell? Or is there someone who can point out a better way, 
how to pass on the certificate to the backend application?

best regards,

Christian

-- 
Christian Folini - <ch...@netnea.com>

Re: Problems with SSL environment variable SSL_CLIENT_CERT as http header

Posted by Joe Orton <jo...@redhat.com>.
On Mon, Dec 12, 2005 at 08:17:53PM +0100, Christian Folini wrote:
> I am configuring Apache 2.0.54 as a revproxy that handles
> authentication based on client certificates.
> Now my customer running the backend application requests to see
> the client certificates as a whole.

With 2.2.0 it is possible to forward the SSL_CLIENT_CERT variable from 
the proxy to the backend using mod_headers, e.g.:

  RequestHeader set X-SSL-Client-Cert "%{SSL_CLIENT_CERT}s"

but this cannot preserve the PEM format of the SSL_CLIENT_CERT variable 
precisely, so the backend will have to expect and cope with whitespace 
changes appropriately.

Regards,

joe
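
Added example (not part of the thread, and not httpd code): one way a backend could cope with the whitespace changes described above, by rebuilding canonical PEM from the forwarded header value. It assumes the proxy replaced or dropped the line breaks; the function names and the sample bytes are constructed for illustration.

```python
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Tolerate the space inside the markers having been dropped as well.
_PEM_RE = re.compile(
    r"-----BEGIN\s*CERTIFICATE-----(.*?)-----END\s*CERTIFICATE-----", re.DOTALL
)


def der_from_header(value):
    """Return the decoded bytes of the single PEM block in a header value."""
    blocks = _PEM_RE.findall(value)
    if len(blocks) != 1:
        raise ValueError("expected exactly one PEM certificate block")
    body = re.sub(r"\s+", "", blocks[0])  # drop whatever whitespace survived
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid base64") from exc
    if not der:
        raise ValueError("empty certificate body")
    return der


def to_pem(der):
    """Encode bytes as canonical PEM: base64 in 64-character lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


def pem_from_header(value):
    """Rebuild canonical PEM from a whitespace-mangled header value."""
    return to_pem(der_from_header(value))


# Constructed stand-in bytes, not a real certificate; enough to show that
# the round trip is lossless.
SAMPLE_DER = bytes(range(256)) * 3
SAMPLE_PEM = to_pem(SAMPLE_DER)
# Assumption: the proxy turned every newline into a space.
SAMPLE_HEADER = SAMPLE_PEM.strip().replace("\n", " ")

if __name__ == "__main__":
    assert pem_from_header(SAMPLE_HEADER) == SAMPLE_PEM
    print(pem_from_header(SAMPLE_HEADER), end="")
```

The rebuilt PEM can be handed to any X.509 parser. A backend that relies on this header should accept it only on connections coming from the proxy.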