
(-)./jakarta-tomcat-connectors-1.2.15-src_orig/jk/native/common/jk_global.h (-1 / +1 lines)
Lines 205-215 Link Here
205
#define JK_OPT_FWDURIDEFAULT        JK_OPT_FWDURICOMPAT
205
#define JK_OPT_FWDURIDEFAULT        JK_OPT_FWDURICOMPAT
206
206
207
#define JK_OPT_FWDKEYSIZE           0x0004
207
#define JK_OPT_FWDKEYSIZE           0x0004
208
209
#define JK_OPT_FWDDIRS              0x0008
208
#define JK_OPT_FWDDIRS              0x0008
210
/* Forward local instead remote address */
209
/* Forward local instead remote address */
211
#define JK_OPT_FWDLOCAL             0x0010
210
#define JK_OPT_FWDLOCAL             0x0010
212
#define JK_OPT_FLUSHPACKETS         0x0020
211
#define JK_OPT_FLUSHPACKETS         0x0020
212
#define JK_OPT_FWDCERTCHAIN					0x0040
213
213
214
/* Check for EBCDIC systems */
214
/* Check for EBCDIC systems */
215
215
(-)./jakarta-tomcat-connectors-1.2.15-src_orig/jk/native/apache-1.3/mod_jk.c (-1 / +51 lines)
Lines 127-132 Link Here
127
    int ssl_enable;
127
    int ssl_enable;
128
    char *https_indicator;
128
    char *https_indicator;
129
    char *certs_indicator;
129
    char *certs_indicator;
130
    char *certchain_indicator;
130
    char *cipher_indicator;
131
    char *cipher_indicator;
131
    char *session_indicator;
132
    char *session_indicator;
132
    char *key_size_indicator;
133
    char *key_size_indicator;
Lines 563-570 Link Here
563
                s->ssl_cert =
564
                s->ssl_cert =
564
                    (char *)ap_table_get(r->subprocess_env,
565
                    (char *)ap_table_get(r->subprocess_env,
565
                                         conf->certs_indicator);
566
                                         conf->certs_indicator);
567
								if (conf->options & JK_OPT_FWDCERTCHAIN) {
568
                	array_header *t = ap_table_elts(r->subprocess_env);
569
                	if (t && t->nelts) {
570
                    int i;
571
                    table_entry *elts = (table_entry *) t->elts;
572
                    array_header *certs = ap_make_array(r->pool, 1, sizeof(char *));
573
                    *(const char **)ap_push_array(certs) = s->ssl_cert;
574
                    for (i = 0; i < t->nelts; i++) {
575
                       if (!elts[i].key)
576
                           continue;
577
                       if (!strncasecmp(elts[i].key, conf->certchain_indicator, strlen(conf->certchain_indicator)))
578
                           *(const char **)ap_push_array(certs) = elts[i].val;
579
                    }
580
                    s->ssl_cert = ap_array_pstrcat(r->pool, certs, '\0');
581
                	}
582
								}
566
                if (s->ssl_cert) {
583
                if (s->ssl_cert) {
567
                    s->ssl_cert_len = strlen(s->ssl_cert);
584
                    s->ssl_cert_len = strlen(s->ssl_cert);
585
                    jk_log(conf->log ? conf->log : main_log, JK_LOG_DEBUG, "length of SSL client certificate: %d bytes", s->ssl_cert_len);
586
										if (s->ssl_cert_len > 0)
587
											jk_log(conf->log ? conf->log : main_log, JK_LOG_DEBUG, ", dump follows:\n%s", s->ssl_cert);
568
                }
588
                }
569
                /* Servlet 2.3 API */
589
                /* Servlet 2.3 API */
570
                s->ssl_cipher =
590
                s->ssl_cipher =
Lines 1408-1413 Link Here
1408
}
1428
}
1409
1429
1410
/*
1430
/*
1431
 * JkCERTCHAINIndicator Directive Handling
1432
 *
1433
 * JkCERTCHAINIndicator SSL_CLIENT_CERT_CHAIN_
1434
 */
1435
1436
static const char *jk_set_certchain_indicator(cmd_parms * cmd,
1437
                                              void *dummy, char *indicator)
1438
{
1439
    server_rec *s = cmd->server;
1440
    jk_server_conf_t *conf =
1441
        (jk_server_conf_t *) ap_get_module_config(s->module_config,
1442
                                                  &jk_module);
1443
1444
    conf->certchain_indicator = ap_pstrdup(cmd->pool, indicator);
1445
    return NULL;
1446
}
1447
1448
/*
1411
 * JkCIPHERIndicator Directive Handling
1449
 * JkCIPHERIndicator Directive Handling
1412
 *
1450
 *
1413
 * JkCIPHERIndicator SSL_CIPHER
1451
 * JkCIPHERIndicator SSL_CIPHER
Lines 1471-1476 Link Here
1471
 *  ForwardURICompatUnparsed => Forward URI as unparsed, spec compliant but broke mod_rewrite (old TC)
1509
 *  ForwardURICompatUnparsed => Forward URI as unparsed, spec compliant but broke mod_rewrite (old TC)
1472
 *  ForwardURIEscaped        => Forward URI escaped and Tomcat (3.3 rc2) stuff will do the decoding part
1510
 *  ForwardURIEscaped        => Forward URI escaped and Tomcat (3.3 rc2) stuff will do the decoding part
1473
 *  ForwardDirectories       => Forward all directory requests with no index files to Tomcat
1511
 *  ForwardDirectories       => Forward all directory requests with no index files to Tomcat
1512
 *  +ForwardSSLCertChain     => Forward SSL Cert Chain
1513
 *  -ForwardSSLCertChain     => Don't Forward SSL Cert Chain (default)
1474
 */
1514
 */
1475
1515
1476
const char *jk_set_options(cmd_parms * cmd, void *dummy, const char *line)
1516
const char *jk_set_options(cmd_parms * cmd, void *dummy, const char *line)
Lines 1519-1524 Link Here
1519
        else if (!strcasecmp(w, "FlushPackets")) {
1559
        else if (!strcasecmp(w, "FlushPackets")) {
1520
            opt = JK_OPT_FLUSHPACKETS;
1560
            opt = JK_OPT_FLUSHPACKETS;
1521
        }
1561
        }
1562
				else if (!strcasecmp(w, "ForwardSSLCertChain")) {
1563
            opt = JK_OPT_FWDCERTCHAIN;
1564
				}
1522
        else
1565
        else
1523
            return ap_pstrcat(cmd->pool, "JkOptions: Illegal option '", w,
1566
            return ap_pstrcat(cmd->pool, "JkOptions: Illegal option '", w,
1524
                              "'", NULL);
1567
                              "'", NULL);
Lines 1663-1668 Link Here
1663
     *
1706
     *
1664
     * HTTPS - indication for SSL
1707
     * HTTPS - indication for SSL
1665
     * CERTS - Base64-Der-encoded client certificates.
1708
     * CERTS - Base64-Der-encoded client certificates.
1709
     * CERTCHAIN - Base64-Der-encoded client chain certificates.
1666
     * CIPHER - A string specifing the ciphers suite in use.
1710
     * CIPHER - A string specifing the ciphers suite in use.
1667
     * SESSION - A string specifing the current SSL session.
1711
     * SESSION - A string specifing the current SSL session.
1668
     * KEYSIZE - Size of Key used in dialogue (#bits are secure)
1712
     * KEYSIZE - Size of Key used in dialogue (#bits are secure)
Lines 1671-1676 Link Here
1671
     "Name of the Apache environment that contains SSL indication"},
1715
     "Name of the Apache environment that contains SSL indication"},
1672
    {"JkCERTSIndicator", jk_set_certs_indicator, NULL, RSRC_CONF, TAKE1,
1716
    {"JkCERTSIndicator", jk_set_certs_indicator, NULL, RSRC_CONF, TAKE1,
1673
     "Name of the Apache environment that contains SSL client certificates"},
1717
     "Name of the Apache environment that contains SSL client certificates"},
1718
    {"JkCERTCHAINIndicator", jk_set_certchain_indicator, NULL, RSRC_CONF, TAKE1,
1719
     "Name of the Apache environment (prefix) that contains SSL client chain certificates"},
1674
    {"JkCIPHERIndicator", jk_set_cipher_indicator, NULL, RSRC_CONF, TAKE1,
1720
    {"JkCIPHERIndicator", jk_set_cipher_indicator, NULL, RSRC_CONF, TAKE1,
1675
     "Name of the Apache environment that contains SSL client cipher"},
1721
     "Name of the Apache environment that contains SSL client cipher"},
1676
    {"JkSESSIONIndicator", jk_set_session_indicator, NULL, RSRC_CONF, TAKE1,
1722
    {"JkSESSIONIndicator", jk_set_session_indicator, NULL, RSRC_CONF, TAKE1,
Lines 1688-1694 Link Here
1688
     *  ForwardURICompat         => Forward URI normally, less spec compliant but mod_rewrite compatible (old TC)
1734
     *  ForwardURICompat         => Forward URI normally, less spec compliant but mod_rewrite compatible (old TC)
1689
     *  ForwardURICompatUnparsed => Forward URI as unparsed, spec compliant but broke mod_rewrite (old TC)
1735
     *  ForwardURICompatUnparsed => Forward URI as unparsed, spec compliant but broke mod_rewrite (old TC)
1690
     *  ForwardURIEscaped        => Forward URI escaped and Tomcat (3.3 rc2) stuff will do the decoding part
1736
     *  ForwardURIEscaped        => Forward URI escaped and Tomcat (3.3 rc2) stuff will do the decoding part
1691
     */
1737
     *  +ForwardSSLCertChain     => Forward SSL certificate chain
1738
		 *  -ForwardSSLCertChain     => Don't forward SSL certificate chain (default)
1739
		 */
1692
    {"JkOptions", jk_set_options, NULL, RSRC_CONF, RAW_ARGS,
1740
    {"JkOptions", jk_set_options, NULL, RSRC_CONF, RAW_ARGS,
1693
     "Set one of more options to configure the mod_jk module"},
1741
     "Set one of more options to configure the mod_jk module"},
1694
1742
Lines 1896-1901 Link Here
1896
     */
1944
     */
1897
    c->https_indicator = "HTTPS";
1945
    c->https_indicator = "HTTPS";
1898
    c->certs_indicator = "SSL_CLIENT_CERT";
1946
    c->certs_indicator = "SSL_CLIENT_CERT";
1947
    c->certchain_indicator = "SSL_CLIENT_CERT_CHAIN_";
1899
1948
1900
    /*
1949
    /*
1901
     * The following (comented out) environment variables match apache_ssl!
1950
     * The following (comented out) environment variables match apache_ssl!
Lines 1960-1965 Link Here
1960
        overrides->ssl_enable = base->ssl_enable;
2009
        overrides->ssl_enable = base->ssl_enable;
1961
        overrides->https_indicator = base->https_indicator;
2010
        overrides->https_indicator = base->https_indicator;
1962
        overrides->certs_indicator = base->certs_indicator;
2011
        overrides->certs_indicator = base->certs_indicator;
2012
        overrides->certchain_indicator = base->certchain_indicator;
1963
        overrides->cipher_indicator = base->cipher_indicator;
2013
        overrides->cipher_indicator = base->cipher_indicator;
1964
        overrides->session_indicator = base->session_indicator;
2014
        overrides->session_indicator = base->session_indicator;
1965
        overrides->key_size_indicator = base->key_size_indicator;
2015
        overrides->key_size_indicator = base->key_size_indicator;
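Review bot: The chain loop in the `Lines 563-570` hunk appends the value of every `r->subprocess_env` entry whose key starts with `conf->certchain_indicator`, so what reaches the backend as client-certificate data depends entirely on that prefix. If the directive is given an empty string, `strlen(conf->certchain_indicator)` is 0, `strncasecmp` matches every key, and all environment values are concatenated into `s->ssl_cert`; `jk_set_certchain_indicator` should reject that, e.g. `if (!indicator || !*indicator) return "JkCERTCHAINIndicator: prefix must not be empty";`. Even with the default prefix the match is case-insensitive and by prefix only, so a comment above the loop should state that the prefix must name variables written only by the SSL module. The same loop and setter appear in the apache-2.0/mod_jk.c section. The function enclosing the loop starts and ends outside the hunk.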
(-)./jakarta-tomcat-connectors-1.2.15-src_orig/jk/native/apache-2.0/mod_jk.c (-1 / +52 lines)
Lines 170-175 Link Here
170
    int ssl_enable;
170
    int ssl_enable;
171
    char *https_indicator;
171
    char *https_indicator;
172
    char *certs_indicator;
172
    char *certs_indicator;
173
    char *certchain_indicator;
173
    char *cipher_indicator;
174
    char *cipher_indicator;
174
    char *session_indicator;    /* Servlet API 2.3 requirement */
175
    char *session_indicator;    /* Servlet API 2.3 requirement */
175
    char *key_size_indicator;   /* Servlet API 2.3 requirement */
176
    char *key_size_indicator;   /* Servlet API 2.3 requirement */
Lines 603-610 Link Here
603
                s->ssl_cert =
604
                s->ssl_cert =
604
                    (char *)apr_table_get(r->subprocess_env,
605
                    (char *)apr_table_get(r->subprocess_env,
605
                                          conf->certs_indicator);
606
                                          conf->certs_indicator);
607
                if (conf->options & JK_OPT_FWDCERTCHAIN) {
608
                	const apr_array_header_t *t = apr_table_elts(r->subprocess_env);
609
									if (t && t->nelts) {
610
                    int i;
611
                    const apr_table_entry_t *elts = (const apr_table_entry_t *) t->elts;
612
                    apr_array_header_t *certs = apr_array_make(r->pool, 1, sizeof(char *));
613
                    *(const char **)apr_array_push(certs) = s->ssl_cert;
614
                    for (i = 0; i < t->nelts; i++) {
615
                        if (!elts[i].key)
616
                            continue;
617
                        if (!strncasecmp(elts[i].key, conf->certchain_indicator, strlen(conf->certchain_indicator)))
618
                            *(const char **)apr_array_push(certs) = elts[i].val;
619
                    }
620
                    s->ssl_cert = apr_array_pstrcat(r->pool, certs, '\0');
621
									}
622
                }
606
                if (s->ssl_cert) {
623
                if (s->ssl_cert) {
607
                    s->ssl_cert_len = strlen(s->ssl_cert);
624
                    s->ssl_cert_len = strlen(s->ssl_cert);
625
                   	jk_log(conf->log, JK_LOG_DEBUG, "length of SSL client certificate: %d bytes", s->ssl_cert_len);
626
										if (s->ssl_cert_len > 0)
627
											jk_log(conf->log, JK_LOG_DEBUG, ", dump follows:\n%s", s->ssl_cert);
608
                }
628
                }
609
                /* Servlet 2.3 API */
629
                /* Servlet 2.3 API */
610
                s->ssl_cipher =
630
                s->ssl_cipher =
Lines 1433-1438 Link Here
1433
}
1453
}
1434
1454
1435
/*
1455
/*
1456
 * JkCERTCHAINIndicator Directive Handling
1457
 *
1458
 * JkCERTCHAINIndicator SSL_CLIENT_CERT_CHAIN_
1459
 */
1460
1461
static const char *jk_set_certchain_indicator(cmd_parms * cmd,
1462
                                              void *dummy, const char *indicator)
1463
{
1464
    server_rec *s = cmd->server;
1465
    jk_server_conf_t *conf =
1466
        (jk_server_conf_t *) ap_get_module_config(s->module_config,
1467
                                                  &jk_module);
1468
1469
    conf->certchain_indicator = apr_pstrdup(cmd->pool, indicator);
1470
1471
    return NULL;
1472
}
1473
1474
/*
1436
 * JkCIPHERIndicator Directive Handling
1475
 * JkCIPHERIndicator Directive Handling
1437
 *
1476
 *
1438
 * JkCIPHERIndicator SSL_CIPHER
1477
 * JkCIPHERIndicator SSL_CIPHER
Lines 1501-1506 Link Here
1501
 *  ForwardURICompatUnparsed => Forward URI as unparsed, spec compliant but broke mod_rewrite (old TC)
1540
 *  ForwardURICompatUnparsed => Forward URI as unparsed, spec compliant but broke mod_rewrite (old TC)
1502
 *  ForwardURIEscaped        => Forward URI escaped and Tomcat (3.3 rc2) stuff will do the decoding part
1541
 *  ForwardURIEscaped        => Forward URI escaped and Tomcat (3.3 rc2) stuff will do the decoding part
1503
 *  ForwardDirectories       => Forward all directory requests with no index files to Tomcat
1542
 *  ForwardDirectories       => Forward all directory requests with no index files to Tomcat
1543
 *  +ForwardSSLCertChain     => Forward SSL Cert Chain
1544
 *  -ForwardSSLCertChain     => Don't Forward SSL Cert Chain (default)
1504
 */
1545
 */
1505
1546
1506
static const char *jk_set_options(cmd_parms * cmd, void *dummy,
1547
static const char *jk_set_options(cmd_parms * cmd, void *dummy,
Lines 1550-1555 Link Here
1550
        else if (!strcasecmp(w, "FlushPackets")) {
1591
        else if (!strcasecmp(w, "FlushPackets")) {
1551
            opt = JK_OPT_FLUSHPACKETS;
1592
            opt = JK_OPT_FLUSHPACKETS;
1552
        }
1593
        }
1594
				else if (!strcasecmp(w, "ForwardSSLCertChain")) {
1595
						opt = JK_OPT_FWDCERTCHAIN;
1596
				}
1553
        else
1597
        else
1554
            return apr_pstrcat(cmd->pool, "JkOptions: Illegal option '", w,
1598
            return apr_pstrcat(cmd->pool, "JkOptions: Illegal option '", w,
1555
                               "'", NULL);
1599
                               "'", NULL);
Lines 1700-1705 Link Here
1700
     *
1744
     *
1701
     * HTTPS - indication for SSL
1745
     * HTTPS - indication for SSL
1702
     * CERTS - Base64-Der-encoded client certificates.
1746
     * CERTS - Base64-Der-encoded client certificates.
1747
     * CERTCHAIN - Base64-Der-encoded client chain certificates.
1703
     * CIPHER - A string specifing the ciphers suite in use.
1748
     * CIPHER - A string specifing the ciphers suite in use.
1704
     * KEYSIZE - Size of Key used in dialogue (#bits are secure)
1749
     * KEYSIZE - Size of Key used in dialogue (#bits are secure)
1705
     * SESSION - A string specifing the current SSL session.
1750
     * SESSION - A string specifing the current SSL session.
Lines 1708-1713 Link Here
1708
                  "Name of the Apache environment that contains SSL indication"),
1753
                  "Name of the Apache environment that contains SSL indication"),
1709
    AP_INIT_TAKE1("JkCERTSIndicator", jk_set_certs_indicator, NULL, RSRC_CONF,
1754
    AP_INIT_TAKE1("JkCERTSIndicator", jk_set_certs_indicator, NULL, RSRC_CONF,
1710
                  "Name of the Apache environment that contains SSL client certificates"),
1755
                  "Name of the Apache environment that contains SSL client certificates"),
1756
    AP_INIT_TAKE1("JkCERTCHAINIndicator", jk_set_certchain_indicator, NULL, RSRC_CONF,
1757
                  "Name of the Apache environment (prefix) that contains SSL client chain certificates"),
1711
    AP_INIT_TAKE1("JkCIPHERIndicator", jk_set_cipher_indicator, NULL,
1758
    AP_INIT_TAKE1("JkCIPHERIndicator", jk_set_cipher_indicator, NULL,
1712
                  RSRC_CONF,
1759
                  RSRC_CONF,
1713
                  "Name of the Apache environment that contains SSL client cipher"),
1760
                  "Name of the Apache environment that contains SSL client cipher"),
Lines 1728-1733 Link Here
1728
     *  ForwardURICompat         => Forward URI normally, less spec compliant but mod_rewrite compatible (old TC)
1775
     *  ForwardURICompat         => Forward URI normally, less spec compliant but mod_rewrite compatible (old TC)
1729
     *  ForwardURICompatUnparsed => Forward URI as unparsed, spec compliant but broke mod_rewrite (old TC)
1776
     *  ForwardURICompatUnparsed => Forward URI as unparsed, spec compliant but broke mod_rewrite (old TC)
1730
     *  ForwardURIEscaped        => Forward URI escaped and Tomcat (3.3 rc2) stuff will do the decoding part
1777
     *  ForwardURIEscaped        => Forward URI escaped and Tomcat (3.3 rc2) stuff will do the decoding part
1778
		 *  +ForwardSSLCertChain		 => Forward SSL certificate chain
1779
		 *  -ForwardSSLCertChain     => Don't forward SSL certificate chain
1731
     */
1780
     */
1732
    AP_INIT_RAW_ARGS("JkOptions", jk_set_options, NULL, RSRC_CONF,
1781
    AP_INIT_RAW_ARGS("JkOptions", jk_set_options, NULL, RSRC_CONF,
1733
                     "Set one of more options to configure the mod_jk module"),
1782
                     "Set one of more options to configure the mod_jk module"),
Lines 2057-2063 Link Here
2057
    c->mountcopy = JK_FALSE;
2106
    c->mountcopy = JK_FALSE;
2058
    c->was_initialized = JK_FALSE;
2107
    c->was_initialized = JK_FALSE;
2059
    c->options = JK_OPT_FWDURIDEFAULT;
2108
    c->options = JK_OPT_FWDURIDEFAULT;
2060
2109
		
2061
    /*
2110
    /*
2062
     * By default we will try to gather SSL info.
2111
     * By default we will try to gather SSL info.
2063
     * Disable this functionality through JkExtractSSL
2112
     * Disable this functionality through JkExtractSSL
Lines 2069-2074 Link Here
2069
     */
2118
     */
2070
    c->https_indicator = "HTTPS";
2119
    c->https_indicator = "HTTPS";
2071
    c->certs_indicator = "SSL_CLIENT_CERT";
2120
    c->certs_indicator = "SSL_CLIENT_CERT";
2121
    c->certchain_indicator = "SSL_CLIENT_CERT_CHAIN_";
2072
2122
2073
    /*
2123
    /*
2074
     * The following (comented out) environment variables match apache_ssl!
2124
     * The following (comented out) environment variables match apache_ssl!
Lines 2138-2143 Link Here
2138
        overrides->ssl_enable = base->ssl_enable;
2188
        overrides->ssl_enable = base->ssl_enable;
2139
        overrides->https_indicator = base->https_indicator;
2189
        overrides->https_indicator = base->https_indicator;
2140
        overrides->certs_indicator = base->certs_indicator;
2190
        overrides->certs_indicator = base->certs_indicator;
2191
        overrides->certchain_indicator = base->certchain_indicator;
2141
        overrides->cipher_indicator = base->cipher_indicator;
2192
        overrides->cipher_indicator = base->cipher_indicator;
2142
        overrides->session_indicator = base->session_indicator;
2193
        overrides->session_indicator = base->session_indicator;
2143
    }
2194
    }
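Review bot: The two `jk_log` calls added after `s->ssl_cert_len = strlen(s->ssl_cert);` in the `Lines 603-610` hunk write the full certificate text to the debug log for every request that carries a client certificate, whether or not `ForwardSSLCertChain` is set. That puts subject identity data into log files and the entry grows with the chain length; logging only the length would be enough, i.e. keep the first call and drop `if (s->ssl_cert_len > 0) jk_log(conf->log, JK_LOG_DEBUG, ", dump follows:\n%s", s->ssl_cert);`. The length is printed with `%d`, and the declaration of `ssl_cert_len` is not visible here, so the specifier should be checked against its type. The apache-1.3/mod_jk.c section adds the same two calls.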
