Posted to users@tomcat.apache.org by Marc Boorshtein <mb...@gmail.com> on 2011/05/24 16:56:44 UTC

JkExtractSSL not sending SSL information to tomcat

I've set up a pretty generic httpd (2.2.19) + mod_jk to Tomcat 6 on Oracle
Linux 5 (CentOS 5 equiv) with SSL set up, with JkExtractSSL and the
correct SSLOptions in the httpd configuration files.  I can see the
SSL environment variables in /cgi-bin/printenv but no headers or
environment variables in the backend tomcat app.  Am I missing
something?

Thanks
Marc

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: JkExtractSSL not sending SSL information to tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marc,

On 5/24/2011 5:37 PM, Christopher Schultz wrote:
> Looking at the mod_jk code, it appears that the only variables that are
> included by using JkExtractSSL are those shown above. If you want more,
> you'll have to use JkEnvVar.
> 
> I can confirm that "JkEnvVar SSL_PROTOCOL" will result in
> request.getAttribute("SSL_PROTOCOL") returning "TLSv1" or whatever
> secure protocol is in use for the current request.

I have clarified this in the mod_jk documentation in the trunk, so it
will be available in the documentation in the next release.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk3cLlIACgkQ9CaO5/Lv0PDb4gCfYpKsqWz0o6ufEdeT59rPwyS0
EhwAoIdLD6/XRwwcYJJq6dE2YDW3D7ao
=95l/
-----END PGP SIGNATURE-----



Re: JkExtractSSL not sending SSL information to tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marc,

On 5/24/2011 5:20 PM, Christopher Schultz wrote:
> On 5/24/2011 4:59 PM, Christopher Schultz wrote:
>> Instead, they are stored in the request /attributes/.
> 
> Specifically, these:
> 
> javax.servlet.request.cipher_suite - as a String
> javax.servlet.request.key_size     - as an Integer
> javax.servlet.request.ssl_session  - as a String

The above are specified as part of the Servlet 3.0 Specification under
section 3.8. Not shown above (because I wasn't using a client
certificate for testing) is "javax.servlet.request.X509Certificate"
which is of type java.security.cert.X509Certificate[] (note the array type).

> I would have expected JkExtractSSL On (which is the default) to
> pre-populate a series of SSL-oriented attributes similar to the list
> found at http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#envvars but
> that doesn't appear to be the case

Looking at the mod_jk code, it appears that the only variables that are
included by using JkExtractSSL are those shown above. If you want more,
you'll have to use JkEnvVar.

I can confirm that "JkEnvVar SSL_PROTOCOL" will result in
request.getAttribute("SSL_PROTOCOL") returning "TLSv1" or whatever
secure protocol is in use for the current request.

Hope that helps,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk3cJSkACgkQ9CaO5/Lv0PDBaACgjr4EKI49IyBMyObzwUHHFStm
VGEAnj2Yxu99GrYC+qvbIPfoSGcjXc+o
=FrAY
-----END PGP SIGNATURE-----

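For reference, this is what the two mechanisms look like from inside the web application. It is an added example, not code from the thread, from mod_jk or from Tomcat: a servlet that reads the four specification-defined attributes JkExtractSSL populates and two attributes forwarded by JkEnvVar. It assumes the httpd configuration carries "JkEnvVar SSL_PROTOCOL" (as discussed above) and "JkEnvVar SSL_CLIENT_VERIFY" (an assumption, not in the original thread), and it treats every value as whatever the AJP peer sent: Tomcat does not verify them, so the AJP connector (port 8009 in the poster's config) must be reachable only by the httpd instance running mod_jk.

```java
// Added example, not from the thread. Assumed httpd-side directives, in
// addition to the poster's SSLOptions +StdEnvVars / +ExportCertData and
// JkExtractSSL On:
//
//   JkEnvVar SSL_PROTOCOL
//   JkEnvVar SSL_CLIENT_VERIFY      (assumed; not in the original config)
//
// Servlet 2.5/3.0 API as shipped with Tomcat 6 (javax.servlet.*).

import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SslInfoServlet extends HttpServlet {

    // Keys defined by the Servlet Specification (section 3.8 in Servlet 3.0).
    // JkExtractSSL populates these; they are NOT listed by getAttributeNames(),
    // so each one has to be requested by name.
    static final String CIPHER   = "javax.servlet.request.cipher_suite";
    static final String KEY_SIZE = "javax.servlet.request.key_size";
    static final String SESSION  = "javax.servlet.request.ssl_session";
    static final String CERTS    = "javax.servlet.request.X509Certificate";

    // Keys created by JkEnvVar: the attribute name is the httpd variable
    // name, verbatim.
    static final String PROTOCOL      = "SSL_PROTOCOL";
    static final String CLIENT_VERIFY = "SSL_CLIENT_VERIFY";

    /** Collects everything mod_jk forwarded about the TLS connection. */
    static Map<String, String> describeTls(HttpServletRequest req) {
        Map<String, String> out = new LinkedHashMap<String, String>();
        out.put("isSecure", String.valueOf(req.isSecure()));
        out.put("cipherSuite", String.valueOf(req.getAttribute(CIPHER)));
        out.put("keySize", String.valueOf(keySize(req)));
        out.put("sslSession", String.valueOf(req.getAttribute(SESSION)));
        out.put("protocol", String.valueOf(req.getAttribute(PROTOCOL)));
        out.put("clientVerify", String.valueOf(req.getAttribute(CLIENT_VERIFY)));

        // Array type, per the specification; null when no client cert was sent.
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERTS);
        if (chain == null || chain.length == 0) {
            out.put("clientCert", "none");
        } else {
            // chain[0] is the end-entity certificate the client presented.
            out.put("clientCert", chain[0].getSubjectX500Principal().getName());
            out.put("clientCertIssuer", chain[0].getIssuerX500Principal().getName());
            out.put("chainLength", String.valueOf(chain.length));
        }
        return out;
    }

    /** key_size is specified as an Integer; tolerate a String from other connectors. */
    static int keySize(HttpServletRequest req) {
        Object v = req.getAttribute(KEY_SIZE);
        if (v instanceof Number) {
            return ((Number) v).intValue();
        }
        if (v instanceof String) {
            try {
                return Integer.parseInt((String) v);
            } catch (NumberFormatException e) {
                // fall through: unparseable value is treated as unknown
            }
        }
        return -1;
    }

    /**
     * A policy check an application might apply: the request arrived over TLS,
     * the negotiated symmetric key is at least 128 bits and, if a client
     * certificate is required, httpd actually verified it (mod_ssl reports
     * "SUCCESS" in SSL_CLIENT_VERIFY). Every input comes from the AJP peer,
     * so the check is only meaningful when httpd is the sole AJP client.
     */
    static boolean meetsPolicy(HttpServletRequest req, boolean requireClientCert) {
        if (!req.isSecure()) {
            return false;
        }
        if (keySize(req) < 128) {
            return false;
        }
        if (requireClientCert) {
            X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERTS);
            if (chain == null || chain.length == 0) {
                return false;
            }
            if (!"SUCCESS".equals(req.getAttribute(CLIENT_VERIFY))) {
                return false;
            }
        }
        return true;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter w = resp.getWriter();
        for (Map.Entry<String, String> e : describeTls(req).entrySet()) {
            w.println(e.getKey() + " = " + e.getValue());
        }
        w.println("policy(noClientCert) = " + meetsPolicy(req, false));
    }
}
```

Two checks worth making when the attributes come back null: the httpd-side variable names mod_jk reads for JkExtractSSL are configurable (JkHTTPSIndicator, JkCERTSIndicator, JkCIPHERIndicator, JkSESSIONIndicator, JkKeySizeIndicator), and they default to the mod_ssl names HTTPS, SSL_CLIENT_CERT, SSL_CIPHER, SSL_SESSION_ID and SSL_CIPHER_USEKEYSIZE, which only exist when SSLOptions +StdEnvVars (and +ExportCertData for the certificate) is in effect for the request, as in the poster's config. The X509Certificate attribute carries the chain Tomcat rebuilt from the PEM mod_jk forwarded, so a non-null array means httpd saw a client certificate, not that httpd validated it; that is what SSL_CLIENT_VERIFY is for.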


Re: JkExtractSSL not sending SSL information to tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marc,

On 5/24/2011 4:59 PM, Christopher Schultz wrote:
> Instead, they are stored in the request /attributes/.

Specifically, these:

javax.servlet.request.cipher_suite - as a String
javax.servlet.request.key_size     - as an Integer
javax.servlet.request.ssl_session  - as a String

I'm not sure if you can get the SSL protocol (e.g. "SSLv3" vs. "TLSv1")
unless you use JkEnvVar to have mod_jk take the http-side's SSL_PROTOCOL
environment variable and send it over to Tomcat like this:

JkEnvVar SSL_PROTOCOL

Then you can get the protocol using request.getAttribute("SSL_PROTOCOL").

I would have expected JkExtractSSL On (which is the default) to
pre-populate a series of SSL-oriented attributes similar to the list
found at http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#envvars but
that doesn't appear to be the case -- at least, the attributes cannot be
found under request.getAttribute("SSL_CIPHER"), etc. even when requested
directly (the mod_jk documentation says explicitly that these attribute
names will *not* be included in those returned by
request.getAttributeNames).

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk3cIRkACgkQ9CaO5/Lv0PDt5wCfTd4cBJsxLLCL+87k72nmcpur
yV0AnRgb2Wr0tNnoRs8m6MKa7f6axmx2
=SvNT
-----END PGP SIGNATURE-----



Re: JkExtractSSL not sending SSL information to tomcat

Posted by Rainer Jung <ra...@kippdata.de>.
On 25.05.2011 15:18, Christopher Schultz wrote:
> André,
> 
> On 5/24/2011 7:13 PM, André Warnier wrote:
>> Christopher Schultz wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Marc,
>>>
>>> On 5/24/2011 10:56 AM, Marc Boorshtein wrote:
>>>> I've setup a pretty generic httpd(2.2.19)+mod_jk to tomcat 6 on Oracle
>>>> Linux 5 (CentOS 5 equiv) with SSL setup.  With JkExtractSSL and the
>>>> correct SSLOptions in the httpd configuration files.  I can see the
>>>> SSL environment variables in /cgi-bin/printenv but no headers or
>>>> environment variables in the backend tomcat app.  Am I missing
>>>> something?
>>>
>>> Something just tickled my brain, here: you said "environment variables
>>> or headers". The data stored in environment variables on the Apache
>>> httpd side are neither stored in environment variables (since the
>>> environment is shared, and a multi-threaded server would never work) nor
>>> in request headers (because that's not really appropriate).
>>>
>>> Instead, they are stored in the request /attributes/.
>>>
>>> Unfortunately, the mod_jk documentation doesn't make that clear. I'll
>>> try to find a reference, even if it's only in the source code.
>>>
>> Checkup JkEnvVar.
>> http://grokbase.com/topic/2007/04/19/howto-forward-user-name-from-apache-via-mod-jk-to-tomcat/00UYI-2ef5d4aI6oZhrQPFf3JD0
> 
> Yeah, except that JkEnvVar puts the environment variable FOO into the
> request attribute "FOO", while JkExtractSSL puts them under attribute
> keys defined by the servlet specification. That was not clear at all
> from the existing documentation (at least not without having read the
> servlet spec as well and drawing a logical conclusion).

Being late here, I used to suggest taking a look at

http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html

Regards,

Rainer



Re: JkExtractSSL not sending SSL information to tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

André,

On 5/24/2011 7:13 PM, André Warnier wrote:
> Christopher Schultz wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Marc,
>>
>> On 5/24/2011 10:56 AM, Marc Boorshtein wrote:
>>> I've setup a pretty generic httpd(2.2.19)+mod_jk to tomcat 6 on Oracle
>>> Linux 5 (CentOS 5 equiv) with SSL setup.  With JkExtractSSL and the
>>> correct SSLOptions in the httpd configuration files.  I can see the
>>> SSL environment variables in /cgi-bin/printenv but no headers or
>>> environment variables in the backend tomcat app.  Am I missing
>>> something?
>>
>> Something just tickled my brain, here: you said "environment variables
>> or headers". The data stored in environment variables on the Apache
>> httpd side are neither stored in environment variables (since the
>> environment is shared, and a multi-threaded server would never work) nor
>> in request headers (because that's not really appropriate).
>>
>> Instead, they are stored in the request /attributes/.
>>
>> Unfortunately, the mod_jk documentation doesn't make that clear. I'll
>> try to find a reference, even if it's only in the source code.
>>
> Checkup JkEnvVar.
> http://grokbase.com/topic/2007/04/19/howto-forward-user-name-from-apache-via-mod-jk-to-tomcat/00UYI-2ef5d4aI6oZhrQPFf3JD0

Yeah, except that JkEnvVar puts the environment variable FOO into the
request attribute "FOO", while JkExtractSSL puts them under attribute
keys defined by the servlet specification. That was not clear at all
from the existing documentation (at least not without having read the
servlet spec as well and drawing a logical conclusion).

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk3dAZcACgkQ9CaO5/Lv0PA08wCfZlOWEIntLxU+GIN7uqh2KAYk
SSoAnjrm3uykVbrlv9btssKqrAabWg9P
=Uy36
-----END PGP SIGNATURE-----



Re: JkExtractSSL not sending SSL information to tomcat

Posted by André Warnier <aw...@ice-sa.com>.
Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Marc,
> 
> On 5/24/2011 10:56 AM, Marc Boorshtein wrote:
>> I've setup a pretty generic httpd(2.2.19)+mod_jk to tomcat 6 on Oracle
>> Linux 5 (CentOS 5 equiv) with SSL setup.  With JkExtractSSL and the
>> correct SSLOptions in the httpd configuration files.  I can see the
>> SSL environment variables in /cgi-bin/printenv but no headers or
>> environment variables in the backend tomcat app.  Am I missing
>> something?
> 
> Something just tickled my brain, here: you said "environment variables
> or headers". The data stored in environment variables on the Apache
> httpd side are neither stored in environment variables (since the
> environment is shared, and a multi-threaded server would never work) nor
> in request headers (because that's not really appropriate).
> 
> Instead, they are stored in the request /attributes/.
> 
> Unfortunately, the mod_jk documentation doesn't make that clear. I'll
> try to find a reference, even if it's only in the source code.
> 
Checkup JkEnvVar.
http://grokbase.com/topic/2007/04/19/howto-forward-user-name-from-apache-via-mod-jk-to-tomcat/00UYI-2ef5d4aI6oZhrQPFf3JD0
Funny, that..



Re: JkExtractSSL not sending SSL information to tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marc,

On 5/24/2011 10:56 AM, Marc Boorshtein wrote:
> I've setup a pretty generic httpd(2.2.19)+mod_jk to tomcat 6 on Oracle
> Linux 5 (CentOS 5 equiv) with SSL setup.  With JkExtractSSL and the
> correct SSLOptions in the httpd configuration files.  I can see the
> SSL environment variables in /cgi-bin/printenv but no headers or
> environment variables in the backend tomcat app.  Am I missing
> something?

Something just tickled my brain, here: you said "environment variables
or headers". The data stored in environment variables on the Apache
httpd side are neither stored in environment variables (since the
environment is shared, and a multi-threaded server would never work) nor
in request headers (because that's not really appropriate).

Instead, they are stored in the request /attributes/.

Unfortunately, the mod_jk documentation doesn't make that clear. I'll
try to find a reference, even if it's only in the source code.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk3cHB8ACgkQ9CaO5/Lv0PBvmQCgjvNNbcH+Bq7kYKu5mLBtcKXn
tHYAoJyJgNWUL+9qsUtStvZukjdjyySF
=bpQP
-----END PGP SIGNATURE-----



Re: JkExtractSSL not sending SSL information to tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marc,

On 5/24/2011 4:13 PM, Marc Boorshtein wrote:
>> Marc,
>>
>> On 5/24/2011 11:39 AM, Marc Boorshtein wrote:
>>> SSLOptions +StdEnvVars
>>> SSLOptions +ExportCertData
>>>
>>> JkExtractSSL On
>>>
>>> <VirtualHost _default_:9443>
>>
>> I'm not entirely sure about the JkExtractSSL option, but some other
>> mod_jk options are not copied into all virtual hosts. You might want to
>> try moving the JkExtractSSL directive into (each of) your virtual host(s).
>
> No changes.  I looked at a wireshark trace and no ssl information was sent

:(

I've definitely gotten mod_jk to send the SSL certificate information
over to Tomcat in the past, and I don't recall any herculean measures
required to do so.

See here for a recap of my efforts to get client-certs working in Tomcat:
http://markmail.org/message/kzxsamuiu6bldjmv

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk3cGygACgkQ9CaO5/Lv0PCQrgCfTrXNCtbgsZkJB/DsBNye9isf
1ywAmgJ/uFmay4Kw/2BB/ZPgaUat9w8z
=ZHda
-----END PGP SIGNATURE-----



Re: JkExtractSSL not sending SSL information to tomcat

Posted by Marc Boorshtein <mb...@gmail.com>.
> Marc,
>
> On 5/24/2011 11:39 AM, Marc Boorshtein wrote:
>> SSLOptions +StdEnvVars
>> SSLOptions +ExportCertData
>>
>> JkExtractSSL On
>>
>> <VirtualHost _default_:9443>
>
> I'm not entirely sure about the JkExtractSSL option, but some other
> mod_jk options are not copied into all virtual hosts. You might want to
> try moving the JkExtractSSL directive into (each of) your virtual host(s).
>
> - -chris

No changes.  I looked at a Wireshark trace and no SSL information was sent.



Re: JkExtractSSL not sending SSL information to tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marc,

On 5/24/2011 11:39 AM, Marc Boorshtein wrote:
> SSLOptions +StdEnvVars
> SSLOptions +ExportCertData
> 
> JkExtractSSL On
> 
> <VirtualHost _default_:9443>

I'm not entirely sure about the JkExtractSSL option, but some other
mod_jk options are not copied into all virtual hosts. You might want to
try moving the JkExtractSSL directive into (each of) your virtual host(s).

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk3b9E4ACgkQ9CaO5/Lv0PDqJACgnTonUznHMb9xcX4PCx7zz5Mi
tHYAmwVGYv4xlD8c9OXcylJflFppkXyX
=/Gsa
-----END PGP SIGNATURE-----



Re: JkExtractSSL not sending SSL information to tomcat

Posted by Marc Boorshtein <mb...@gmail.com>.
>
> And your SSLOptions are what exactly?
>
> Also Tomcat and mod_jk version info might be relevant.
>

LoadModule    jk_module  modules/mod_jk.so

LoadFile "/home/sys/ssl-poc/webgate/access/oblix/lib/libgcc_s.so.1"
LoadFile "/home/sys/ssl-poc/webgate/access/oblix/lib/libstdc++.so.5"

SSLOptions +StdEnvVars
SSLOptions +ExportCertData

JkWorkerProperty worker.list=worker1

JkWorkerProperty worker.worker1.type=ajp13
JkWorkerProperty worker.worker1.host=localhost
JkWorkerProperty worker.worker1.port=8009

JkShmFile     /home/sys/ssl-poc/httpd/logs/mod_jk.shm
JkLogFile     /home/sys/ssl-poc/httpd/logs/mod_jk.log
JkLogLevel    info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "

JkExtractSSL On

<VirtualHost _default_:9443>

WebGateMode PEER

<Location /access/oblix/apps/webgate/bin/webgate.cgi>
SetHandler obwebgateerr
</Location>

<Location "/oberr.cgi">
SetHandler obwebgateerr
</Location>





#   General setup for the virtual host
DocumentRoot "/home/sys/ssl-poc/httpd/htdocs"
ServerName ws.server.net:9443
ErrorLog "/home/sys/ssl-poc/httpd/logs/error_ws_log"
TransferLog "/home/sys/ssl-poc/httpd/logs/access_ws_log"

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile "/home/sys/ssl-poc/httpd/conf/server-ws.crt"
SSLCertificateKeyFile "/home/sys/ssl-poc/httpd/conf/server-ws.key"




#<FilesMatch "\.(cgi|shtml|phtml|php)$">
#
#</FilesMatch>
#<Directory "/home/sys/ssl-poc/httpd/cgi-bin">
#
#</Directory>

BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog "/home/sys/ssl-poc/httpd/logs/ssl_request_log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"



<LocationMatch "/app*">
	AuthType Oblix
	require valid-user
	JkMount worker1
</LocationMatch>

</VirtualHost>

Thanks
Marc



Re: JkExtractSSL not sending SSL information to tomcat

Posted by Mark Thomas <ma...@apache.org>.
On 24/05/2011 15:56, Marc Boorshtein wrote:
> I've setup a pretty generic httpd(2.2.19)+mod_jk to tomcat 6 on Oracle
> Linux 5 (CentOS 5 equiv) with SSL setup.  With JkExtractSSL and the
> correct SSLOptions in the httpd configuration files.

And your SSLOptions are what exactly?

Also Tomcat and mod_jk version info might be relevant.

Mark

> I can see the
> SSL environment variables in /cgi-bin/printenv but no headers or
> environment variables in the backend tomcat app.  Am I missing
> something?
> 
> Thanks
> Marc
> 