Posted to users@httpd.apache.org by ni...@accenture.com on 2004/03/02 14:08:29 UTC

RE : RE : [users@httpd] RE : [users@httpd] Forwarding client Certificates from mod_ssl to a distant mod_jk through HTTPHeaders.

I changed the Jk directive to point to the HTTP_SSL_CLIENT_CERT variable.
It does not work. In fact, it seems that the variable forwarded through the header is not exactly the same as the one exported by mod_ssl.
Here is the Perl printenv:
 
 
HTTP_HOST="172.20.8.17:8445"
HTTP_KEEP_ALIVE="300"
HTTP_SSL_CLIENT_CERT="-----BEGIN CERTIFICATE----- MIICqTCCAhICAQIwDQYJKoZIhvcNAQEEBQAwgbAxCzAJBgNVBAYTAkZSMQwwCgYD VQQIEwNJREYxDjAMBgNVBAcTBVBhcmlzMSUwIwYDVQQKExxDZXJ0aWZpY2F0aW9u IEF1dGhvcml0eSwgSW5jMScwJQYDVQQLEx5DbGllbnQgY2VydGlmaWNhdGlvbiBh dXRob3JpdHkxEjAQBgNVBAMTCUNsaWVudCBDQTEfMB0GCSqGSIb3DQEJARYQY2xp ZW50X2NhQGNhLmNvbTAeFw0wNDAxMjgxMjEwMzBaFw0wNTAxMjcxMjEwMzBaMIGI MQswCQYDVQQGEwJGUjERMA8GA1UECBMIQnJldGFnbmUxDzANBgNVBAcTBlJlbm5l czEXMBUGA1UEChMOTXkgQ29tcGFueSBMdGQxGDAWBgNVBAMUD0ZyYW7nb2lzIFBp Z25vbjEiMCAGCSqGSIb3DQEJARYTZnBpZ25vbkBob3RtYWlsLmNvbTCBnzANBgkq hkiG9w0BAQEFAAOBjQAwgYkCgYEAt7wimDsCaynG4LkOqAMmw/IGux4VjnuR854/ k3uEi9/0JpuIstl/ZapSRbQGXqEVUczgxreV3WzRkKygGL+v11JZKaHERmuclFF3 5+HnxGFm94OjAP2ruYvu/hSoToZXubABIdGvvTXvdGOebKdeGgGM6WmzWOxFyQ4y iJTVbwMCAwEAATANBgkqhkiG9w0BAQQFAAOBgQBNAgaR2N1ehIrDv8hpypd4Q9aQ 0fycSwHPbJbxRCifHw1i28QAOGy8fen7TNhc6haTwUG2TctxyguhxylqnG/qiOvy rfwOPF175DIVueM7hE73+x0eflCziL1QDPOEDPSOY5IDIJMpUX+6Haxy6l3N3JQq GvheL/tRVr3eYH6yQA== -----END CERTIFICATE----- "
HTTP_TEST="ETSTSETSETSETSTSE"
HTTP_TESTHEADER="D=744 t=1078231011168118 Test sur la transmission de variables d'environnement dans le Header : Variable TOTO = toto"
HTTP_USER_AGENT="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040206 Firefox/0.8"
MOD_PERL="mod_perl/1.99_12"
SSL_CLIENT_A_KEY="rsaEncryption"
SSL_CLIENT_A_SIG="md5WithRSAEncryption"
SSL_CLIENT_CERT="-----BEGIN CERTIFICATE-----\nMIICqTCCAhICAQIwDQYJKoZIhvcNAQEEBQAwgbAxCzAJBgNVBAYTAkZSMQwwCgYD\nVQQIEwNJREYxDjAMBgNVBAcTBVBhcmlzMSUwIwYDVQQKExxDZXJ0aWZpY2F0aW9u\nIEF1dGhvcml0eSwgSW5jMScwJQYDVQQLEx5DbGllbnQgY2VydGlmaWNhdGlvbiBh\ndXRob3JpdHkxEjAQBgNVBAMTCUNsaWVudCBDQTEfMB0GCSqGSIb3DQEJARYQY2xp\nZW50X2NhQGNhLmNvbTAeFw0wNDAxMjgxMjEwMzBaFw0wNTAxMjcxMjEwMzBaMIGI\nMQswCQYDVQQGEwJGUjERMA8GA1UECBMIQnJldGFnbmUxDzANBgNVBAcTBlJlbm5l\nczEXMBUGA1UEChMOTXkgQ29tcGFueSBMdGQxGDAWBgNVBAMUD0ZyYW7nb2lzIFBp\nZ25vbjEiMCAGCSqGSIb3DQEJARYTZnBpZ25vbkBob3RtYWlsLmNvbTCBnzANBgkq\nhkiG9w0BAQEFAAOBjQAwgYkCgYEAt7wimDsCaynG4LkOqAMmw/IGux4VjnuR854/\nk3uEi9/0JpuIstl/ZapSRbQGXqEVUczgxreV3WzRkKygGL+v11JZKaHERmuclFF3\n5+HnxGFm94OjAP2ruYvu/hSoToZXubABIdGvvTXvdGOebKdeGgGM6WmzWOxFyQ4y\niJTVbwMCAwEAATANBgkqhkiG9w0BAQQFAAOBgQBNAgaR2N1ehIrDv8hpypd4Q9aQ\n0fycSwHPbJbxRCifHw1i28QAOGy8fen7TNhc6haTwUG2TctxyguhxylqnG/qiOvy\nrfwOPF175DIVueM7hE73+x0eflCziL1QDPOEDPSOY5IDIJMpUX+6Haxy6l3N3JQq\nGvheL/tRVr3eYH6yQA==\n-----END CERTIFICATE-----\n"
SSL_CLIENT_I_DN="/C=FR/ST=IDF/L=Paris/O=Certification Authority, Inc/OU=Client certification authority/CN=Client CA/Email=client_ca@ca.com"

If you have a look at the two variables, SSL_CLIENT_CERT exported by mod_ssl and HTTP_SSL_CLIENT_CERT exported by mod_headers,
they are not exactly identical: HTTP_SSL_CLIENT_CERT is missing the \n, which must confuse mod_jk.
Nicolas.
 
 
 
 
 
 
 
 

	-------- Original Message --------
	From: Joe Orton [mailto:jorton@redhat.com]
	Date: Tue. 02/03/2004 12:15
	To: users@httpd.apache.org
	Cc:
	Subject: Re: RE : [users@httpd] RE : [users@httpd] Forwarding client Certificates from mod_ssl to a distant mod_jk through HTTPHeaders.
	
	

	Thanks for testing the patch, Nicolas.
	
	On Tue, Mar 02, 2004 at 12:05:12PM +0100, nicolas.villoutreix@accenture.com wrote:
	> I have just a small problem remaining: I do get the client certificate as an environment variable from the RequestHeader:
	> HTTP_SSL_CLIENT_CERT="-----BEGIN CERTIFICATE----- MIICqTCCAhICAQIwDQYJKoZIhvcNAQEEBQAwgbAxCzAJBgNVBAYTAkZSMQwwCgYD VQQ
	> 
	> But mod_jk expects an environment variable named SSL_CLIENT_CERT.
	> Is there an easy way to rename or create this new variable using the content of the first variable?
	
	Google says you can configure mod_jk to pick up the client cert from a
	different variable, have you tried that: i.e.
	
	  JkCERTSIndicator HTTP_SSL_CLIENT_CERT
	
	> I saw you posted another fix: http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/metadata/mod_headers.c?r1=1.49&r2=1.50
	> In what way is it better than the first one? Is it because you do not have to tell mod_ssl to export variables?
	
	Yes: there is a lot of overhead when using: "SSLOptions +ExportCertData
	+StdEnvVars" - with the fix I committed, on your proxy you don't need to
	enable those settings, just use %{...}s in the RequestHeader directives
	to pass on the few specific SSL variables from mod_ssl.
	
	Regards,
	
	joe
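
The mismatch reported in this message (the newlines of SSL_CLIENT_CERT arriving as spaces in HTTP_SSL_CLIENT_CERT) can be undone on the receiving side before the value is parsed. The following is an added example, not part of the original thread and not mod_ssl, mod_headers or mod_jk code; the function names are hypothetical and the sample is a constructed DER blob, not a real certificate.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def is_single_der_sequence(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE (tag 0x30, declared length matches)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form: the byte is the length
        header, body = 2, first
    else:                                  # long form: low 7 bits count length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == header + body


def to_pem(der: bytes) -> str:
    """Encode DER as PEM with 64-character lines separated by real newlines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


def restore_pem(header_value: str) -> str:
    """Rebuild PEM from a header value whose newlines were turned into spaces."""
    value = header_value.strip()
    if not (value.startswith(BEGIN) and value.endswith(END)):
        raise ValueError("missing PEM armour")
    body = "".join(value[len(BEGIN):-len(END)].split())  # drop spaces and newlines
    try:
        der = base64.b64decode(body, validate=True)      # rejects stray characters
    except binascii.Error as exc:
        raise ValueError("invalid base64 in certificate body") from exc
    if not is_single_der_sequence(der):
        raise ValueError("body is not one complete DER SEQUENCE (truncated?)")
    return to_pem(der)


# Constructed sample: a 203-byte DER SEQUENCE of filler bytes, NOT a real certificate.
SAMPLE_DER = b"\x30\x81\xc8" + bytes(range(200))
SAMPLE_PEM = to_pem(SAMPLE_DER)                  # shape of mod_ssl's SSL_CLIENT_CERT
SAMPLE_HEADER = SAMPLE_PEM.replace("\n", " ")    # shape of HTTP_SSL_CLIENT_CERT
```

A backend should accept such a header only from the trusted proxy, with the proxy overwriting any client-supplied copy, because the value is otherwise under the client's control.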
	


