Posted to dev@httpd.apache.org by Christian Folini <ch...@netnea.com> on 2005/12/12 20:17:53 UTC
Problems with SSL environment variable SSL_CLIENT_CERT as http header
Hello,
This question has been sent to the users mailing list first
without provoking a reply. From the beginning I thought
it was rather a question for the developers.
In fact I am not sure I encountered a bug or a missing
feature.
I am configuring Apache 2.0.54 as a revproxy that handles
authentication based on client certificates.
Now my customer running the backend application requests to see
the client certificates as a whole.
After googling around I stumbled over a new method mentioned
by Brian Hughes on the users mailing list
http://mail-archives.apache.org/mod_mbox/httpd-users/200506.mbox/%3C529e02882227c3dcb217b7b1b41c0715@alum.dartmouth.org%3E
This works fine for almost all the SSL variables mentioned
at http://www.modssl.org/docs/2.8/ssl_reference.html#ToC24
However, I only get the first line of the certificate in
SSL_CLIENT_CERT while the client certificate has multiple lines.
Unfortunately, the user wants to have exactly this item and
not the single line variables...
Maybe I am not really used to certificates. Maybe I expect
too much of mod_rewrite. But generally I thought HTTP headers
could be repeated, so it should basically be possible to get
the whole file into the headers.
So the question is: Is this a missing feature or a bug? Does it
ring a bell? Or is there someone who can point out a better way
to pass on the certificate to the backend application?
best regards,
Christian
--
Christian Folini - <ch...@netnea.com>
Re: Problems with SSL environment variable SSL_CLIENT_CERT as http header
Posted by Joe Orton <jo...@redhat.com>.
On Mon, Dec 12, 2005 at 08:17:53PM +0100, Christian Folini wrote:
> I am configuring Apache 2.0.54 as a revproxy that handles
> authentication based on client certificates.
> Now my customer running the backend application requests to see
> the client certificates as a whole.
With 2.2.0 it is possible to forward the SSL_CLIENT_CERT variable from
the proxy to the backend using mod_headers, e.g.:

    RequestHeader set X-SSL-Client-Cert "%{SSL_CLIENT_CERT}s"

but this cannot preserve the PEM format of the SSL_CLIENT_CERT variable
precisely, so the backend will have to expect and cope with whitespace
changes appropriately.
Regards,
joe
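
What "cope with whitespace changes" can look like on the backend, as an added example that is not part of the original thread. It assumes the header value arrives with the PEM line breaks turned into spaces or tabs; the function names and the sample bytes are constructed for illustration, not a real certificate.

```python
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
_PEM_RE = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.DOTALL)


def der_from_header(value: str) -> bytes:
    """Return the DER bytes of a PEM certificate whose whitespace was altered."""
    match = _PEM_RE.search(value)
    if match is None:
        raise ValueError("no PEM certificate markers in header value")
    # Spaces, tabs, CR and LF inside the body are all transport damage: drop them.
    body = re.sub(r"\s+", "", match.group(1))
    if not body:
        raise ValueError("empty certificate body")
    try:
        # validate=True rejects characters outside the base64 alphabet.
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid base64") from exc


def to_pem(der: bytes) -> str:
    """Encode DER bytes as PEM with the conventional 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


def pem_from_header(value: str) -> str:
    """Rebuild well-formed PEM from the value of X-SSL-Client-Cert."""
    return to_pem(der_from_header(value))


# Constructed sample: arbitrary bytes standing in for a DER certificate.
SAMPLE_DER = bytes(range(256)) * 2
SAMPLE_PEM = to_pem(SAMPLE_DER)
# Assumed shape of the forwarded value: every newline replaced by a space.
SAMPLE_HEADER = SAMPLE_PEM.replace("\n", " ").strip()

if __name__ == "__main__":
    print(pem_from_header(SAMPLE_HEADER) == SAMPLE_PEM)
```

Parse the rebuilt PEM with the application's X.509 library before using any field from it, and accept the header only on connections from the proxy, since any client can send a header with the same name.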