Posted to users@httpd.apache.org by ni...@accenture.com on 2004/03/02 12:05:12 UTC

RE : [users@httpd] RE : [users@httpd] Forwarding client Certificates from mod_ssl to a distant mod_jk through HTTPHeaders.

Hi Joe,
thanks a lot for your fix: (http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23223)
It is working perfectly; I now have the client certificate passed from one server to another through an HTTP header.
 
              Apache                -------->   Apache   -------->   Tomcat
 (mod_ssl, mod_headers, mod_proxy)             (mod_jk)             (servlet can read the client certificate)
 
I have just one small problem remaining: I do get the client certificate as an environment variable from the RequestHeader:
HTTP_SSL_CLIENT_CERT="-----BEGIN CERTIFICATE----- MIICqTCCAhICAQIwDQYJKoZIhvcNAQEEBQAwgbAxCzAJBgNVBAYTAkZSMQwwCgYD VQQ
 
But mod_jk expects an environment variable named SSL_CLIENT_CERT.
Is there an easy way to rename or create this new variable using the content of the first variable?
I tried:

  SetEnv SSL_CLIENT_CERT %{HTTP_SSL_CLIENT_CERT}e
  SetEnv SSL_CLIENT_CERT %{HTTP_SSL_CLIENT_CERT}
  SetEnv SSL_CLIENT_CERT ${HTTP_SSL_CLIENT_CERT}

but it does not work.
 
I saw you posted another fix: http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/metadata/mod_headers.c?r1=1.49&r2=1.50
In what way is it better than the first one? Is it because you do not have to tell mod_ssl to export variables?

Thanks a lot Joe, I hope some day I will be able to write some fixes for Apache like you did;
in the meantime, I will try to test and post some questions to improve the whole stuff.

Cheers,
Nicolas.


	-------- Original message --------
	From: Joe Orton [mailto:jorton@redhat.com]
	Date: Fri. 27/02/2004 21:11
	To: Villoutreix, Nicolas
	Cc: users@httpd.apache.org
	Subject: Re: [users@httpd] RE : [users@httpd] Forwarding client Certificates from mod_ssl to a distant mod_jk through HTTPHeaders.
	
	

	On Fri, Feb 06, 2004 at 01:47:35PM +0100, nicolas.villoutreix@accenture.com wrote:
	> Hi Joe,
	> for my purpose, I think the first method would be better.
	> 
	> I want to forward the SSL certificate from one Apache to another. The
	> solution I experimented with was using mod_proxy and mod_headers.
	
	Nicolas, I just attached a mod_headers fix for this to the bug:
	
	http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23223
	
	Is this a workable solution for you too?
	
	Regards,
	
	joe
	




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: RE : [users@httpd] RE : [users@httpd] Forwarding client Certificates from mod_ssl to a distant mod_jk through HTTPHeaders.

Posted by Joe Orton <jo...@redhat.com>.
Thanks for testing the patch, Nicolas.

On Tue, Mar 02, 2004 at 12:05:12PM +0100, nicolas.villoutreix@accenture.com wrote:
> I have just one small problem remaining: I do get the client certificate as an environment variable from the RequestHeader:
> HTTP_SSL_CLIENT_CERT="-----BEGIN CERTIFICATE----- MIICqTCCAhICAQIwDQYJKoZIhvcNAQEEBQAwgbAxCzAJBgNVBAYTAkZSMQwwCgYD VQQ
>  
> But mod_jk expects an environment variable named SSL_CLIENT_CERT,
> is there an easy way to rename or create this new variable using the content of the first variable,

Google says you can configure mod_jk to pick up the client cert from a
different variable, have you tried that: i.e.

  JkCERTSIndicator HTTP_SSL_CLIENT_CERT

> I saw you posted another fix: http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/metadata/mod_headers.c?r1=1.49&r2=1.50
> In what way is it better than the first one? Is it because you do not have to tell mod_ssl to export variables?

Yes: there is a lot of overhead when using: "SSLOptions +ExportCertData
+StdEnvVars" - with the fix I committed, on your proxy you don't need to 
enable those settings, just use %{...}s in the RequestHeader directives 
to pass on the few specific SSL variables from mod_ssl.

Regards,

joe
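
The two-server setup discussed in this thread, as an added configuration sketch that is not part of the original messages or of the Apache project's documentation: the front end forwards the verified certificate with `%{...}s`, and the back end points mod_jk at the resulting variable. Host names, addresses, file paths, the worker name and the header name `SSL-Client-Cert` are assumptions.

```apacheconf
# Added example, not from the thread. Host names, addresses, paths, the
# worker name and the header name "SSL-Client-Cert" are assumptions.

# --- Front end: terminates TLS (mod_ssl, mod_headers, mod_proxy) ---
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile  /path/to/client-ca.crt
    SSLVerifyClient       require

    # No "SSLOptions +ExportCertData +StdEnvVars" needed: %{...}s reads the
    # mod_ssl variable directly. "set" replaces any header of the same name
    # sent by the client, so only the verified certificate is forwarded.
    RequestHeader set SSL-Client-Cert "%{SSL_CLIENT_CERT}s"

    ProxyPass        / http://backend.example.internal/
    ProxyPassReverse / http://backend.example.internal/
</VirtualHost>

# --- Back end: plain HTTP from the proxy, hands requests to Tomcat (mod_jk) ---
<VirtualHost *:80>
    ServerName backend.example.internal

    # The certificate header is trusted as-is here, so accept requests only
    # from the front end (httpd 2.4 syntax; 192.0.2.10 is a placeholder).
    <Location "/">
        Require ip 192.0.2.10
    </Location>

    # The header arrives as the environment variable HTTP_SSL_CLIENT_CERT;
    # point mod_jk at it instead of its default SSL_CLIENT_CERT.
    JkExtractSSL     On
    JkCERTSIndicator HTTP_SSL_CLIENT_CERT
    JkMount          /* worker1
</VirtualHost>
```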
