Posted to users@tomcat.apache.org by Antonio Fiol Bonnín <fi...@terra.es> on 2003/06/14 11:58:11 UTC

Client authentication with X509 certificate (Apache web server+mod_jk+Tomcat 4.1.24) not working

Hello,

I have been struggling with a strange problem:

Using Apache Web server (1.3.23 - 1.3.26, not tested others).
Using mod_jk (EAPI version, recent download).
On a Linux machine.

Using Tomcat 4.1.24
Both on Solaris and on Linux.

When Apache is configured with
SSLClientVerify optional
or
SSLClientVerify require

Mod_jk is correctly configured (see why I say that later).

Tomcat is configured with an AJP13 context, and responding well.

PROBLEM: Client certificate cannot be obtained from the application.
PROBLEM: In fact, there is an IOException *before* calling the servlet.
PROBLEM: When Tomcat is reconstructing the certificate, I get:
           Insufficient data          ...or...
           too big

WORKAROUND: I found that the same configuration on Tomcat 4.1.9 is 
working perfectly.


I have been studying the differences between 4.1.9 and 4.1.24 and I have 
seen that certificate handling is done in very different places in the 
code (it has moved).

Does anybody have an idea of what can have broken this?

I am willing to submit a patch and/or do more investigation, so that 
this problem is fixed on 4.1.25 when it comes out.

Yours sincerely,

Antonio Fiol

Re: Client authentication with X509 certificate (Apache web server+mod_jk+Tomcat 4.1.24) not working

Posted by Antonio Fiol Bonnín <fi...@terra.es>.
Hello,

What a relief!!

And I've seen that the patch for this bug is a one-liner... I will try 
to backport it to the stock 4.1.24 we were willing to use.

Do you have an idea of the approx. release date for 4.1.25?

Thank you very much for your help.


Antonio Fiol


Bill Barker wrote:

>It's a known problem.  See http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15790 for more details.  It is fixed in the CVS, and so will work in 4.1.25.
>
>"Antonio Fiol Bonnín" <fi...@terra.es> wrote in message news:3EEAF1B3.8040307@terra.es...
>  
>
>>Hello,
>>
>>I have been struggling with a strange problem:
>>
>>Using Apache Web server (1.3.23 - 1.3.26, not tested others).
>>Using mod_jk (EAPI version, recent download).
>>On a Linux machine.
>>
>>Using Tomcat 4.1.24
>>Both on Solaris and on Linux.
>>
>>When Apache is configured with
>>SSLClientVerify optional
>>or
>>SSLClientVerify require
>>
>>Mod_jk is correctly configured (see why I say that later).
>>
>>Tomcat is configured with an AJP13 context, and responding well.
>>
>>PROBLEM: Client certificate cannot be obtained from the application.
>>PROBLEM: In fact, there is an IOException *before* calling the servlet.
>>PROBLEM: When Tomcat is reconstructing the certificate, I get:
>>           Insufficient data          ...or...
>>           too big
>>
>>WORKAROUND: I found that the same configuration on Tomcat 4.1.9 is 
>>working perfectly.
>>
>>
>>I have been studying the differences between 4.1.9 and 4.1.24 and I have 
>>seen that certificate handling is done in very different places in the 
>>code (it has moved).
>>
>>Does anybody have an idea of what can have broken this?
>>
>>I am willing to submit a patch and/or do more investigation, so that 
>>this problem is fixed on 4.1.25 when it comes out.
>>
>>Yours sincerely,
>>
>>Antonio Fiol
>>    
>>
>
>  
>


Re: Client authentication with X509 certificate (Apache web server+mod_jk+Tomcat 4.1.24) not working

Posted by Bill Barker <wb...@wilshire.com>.
It's a known problem.  See http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15790 for more details.  It is fixed in the CVS, and so will work in 4.1.25.

"Antonio Fiol Bonnín" <fi...@terra.es> wrote in message news:3EEAF1B3.8040307@terra.es...
> Hello,
> 
> I have been struggling with a strange problem:
> 
> Using Apache Web server (1.3.23 - 1.3.26, not tested others).
> Using mod_jk (EAPI version, recent download).
> On a Linux machine.
> 
> Using Tomcat 4.1.24
> Both on Solaris and on Linux.
> 
> When Apache is configured with
> SSLClientVerify optional
> or
> SSLClientVerify require
> 
> Mod_jk is correctly configured (see why I say that later).
> 
> Tomcat is configured with an AJP13 context, and responding well.
> 
> PROBLEM: Client certificate cannot be obtained from the application.
> PROBLEM: In fact, there is an IOException *before* calling the servlet.
> PROBLEM: When Tomcat is reconstructing the certificate, I get:
>            Insufficient data          ...or...
>            too big
> 
> WORKAROUND: I found that the same configuration on Tomcat 4.1.9 is 
> working perfectly.
> 
> 
> I have been studying the differences between 4.1.9 and 4.1.24 and I have 
> seen that certificate handling is done in very different places in the 
> code (it has moved).
> 
> Does anybody have an idea of what can have broken this?
> 
> I am willing to submit a patch and/or do more investigation, so that 
> this problem is fixed on 4.1.25 when it comes out.
> 
> Yours sincerely,
> 
> Antonio Fiol
>