ASF Bugzilla – Attachment 18458 Details for
Bug 39636
mod_jk does not pass SSL client certificate chain to AJP connector
[patch]
Patch for jakarta-tomcat-connectors-1.2.15
mod_jk-apache-certchain.patch (text/plain), 12.37 KB, created by
Patrik Schnellmann
on 2006-06-14 05:20:12 UTC
Description:
Patch for jakarta-tomcat-connectors-1.2.15
Filename:
MIME Type:
Creator:
Patrik Schnellmann
Created:
2006-06-14 05:20:12 UTC
Size:
12.37 KB
patch
obsolete
>--- ./jakarta-tomcat-connectors-1.2.15-src_orig/jk/native/common/jk_global.h 2005-06-14 17:44:22.000000000 +0200
>+++ ./jakarta-tomcat-connectors-1.2.15-src/jk/native/common/jk_global.h 2006-05-26 14:14:33.000000000 +0200
>@@ -205,11 +205,11 @@
> #define JK_OPT_FWDURIDEFAULT JK_OPT_FWDURICOMPAT
> 
> #define JK_OPT_FWDKEYSIZE 0x0004
>-
> #define JK_OPT_FWDDIRS 0x0008
> /* Forward local instead remote address */
> #define JK_OPT_FWDLOCAL 0x0010
> #define JK_OPT_FLUSHPACKETS 0x0020
>+#define JK_OPT_FWDCERTCHAIN 0x0040
> 
> /* Check for EBCDIC systems */
> 
>--- ./jakarta-tomcat-connectors-1.2.15-src_orig/jk/native/apache-1.3/mod_jk.c 2005-08-08 07:14:00.000000000 +0200
>+++ ./jakarta-tomcat-connectors-1.2.15-src/jk/native/apache-1.3/mod_jk.c 2006-06-07 17:18:45.000000000 +0200
>@@ -127,6 +127,7 @@
> int ssl_enable;
> char *https_indicator;
> char *certs_indicator;
>+ char *certchain_indicator;
> char *cipher_indicator;
> char *session_indicator;
> char *key_size_indicator;
>@@ -563,8 +564,27 @@
> s->ssl_cert =
> (char *)ap_table_get(r->subprocess_env,
> conf->certs_indicator);
>+ if (conf->options & JK_OPT_FWDCERTCHAIN) {
>+ array_header *t = ap_table_elts(r->subprocess_env);
>+ if (t && t->nelts) {
>+ int i;
>+ table_entry *elts = (table_entry *) t->elts;
>+ array_header *certs = ap_make_array(r->pool, 1, sizeof(char *));
>+ *(const char **)ap_push_array(certs) = s->ssl_cert;
>+ for (i = 0; i < t->nelts; i++) {
>+ if (!elts[i].key)
>+ continue;
>+ if (!strncasecmp(elts[i].key, conf->certchain_indicator, strlen(conf->certchain_indicator)))
>+ *(const char **)ap_push_array(certs) = elts[i].val;
>+ }
>+ s->ssl_cert = ap_array_pstrcat(r->pool, certs, '\0');
>+ }
>+ }
> if (s->ssl_cert) {
> s->ssl_cert_len = strlen(s->ssl_cert);
>+ jk_log(conf->log ? conf->log : main_log, JK_LOG_DEBUG, "length of SSL client certificate: %d bytes", s->ssl_cert_len);
>+ if (s->ssl_cert_len > 0)
>+ jk_log(conf->log ? conf->log : main_log, JK_LOG_DEBUG, ", dump follows:\n%s", s->ssl_cert);
> }
> /* Servlet 2.3 API */
> s->ssl_cipher =
>@@ -1408,6 +1428,24 @@
> }
> 
> /*
>+ * JkCERTCHAINIndicator Directive Handling
>+ *
>+ * JkCERTCHAINIndicator SSL_CLIENT_CERT_CHAIN_
>+ */
>+
>+static const char *jk_set_certchain_indicator(cmd_parms * cmd,
>+ void *dummy, char *indicator)
>+{
>+ server_rec *s = cmd->server;
>+ jk_server_conf_t *conf =
>+ (jk_server_conf_t *) ap_get_module_config(s->module_config,
>+ &jk_module);
>+
>+ conf->certchain_indicator = ap_pstrdup(cmd->pool, indicator);
>+ return NULL;
>+}
>+
>+/*
> * JkCIPHERIndicator Directive Handling
> *
> * JkCIPHERIndicator SSL_CIPHER
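Review bot: With ForwardSSLCertChain enabled, the added block replaces `s->ssl_cert` unconditionally, so a request that presented no client certificate (`s->ssl_cert == NULL`) still pushes that NULL into `certs` and gets back a pool string from `ap_array_pstrcat` instead of NULL, which makes the `if (s->ssl_cert)` branch below run, and log, on every request rather than only when a certificate exists; a one-line guard keeps the old behaviour for certificate-less requests: `if (s->ssl_cert && (conf->options & JK_OPT_FWDCERTCHAIN)) {`. The two debug calls also split one message over two log records, so the second record begins with `, dump follows:`; folding them into a single `jk_log` call would read better, and the `%d` used for `s->ssl_cert_len` should be checked against that field's declared type, which is not visible here. Since the whole chain now travels inside the single ssl_cert attribute, the JkOptions comment should say that the AJP packet size limit applies to leaf plus chain together (the marshalling code is not in this patch, so confirm how an oversized value is handled). The apache-2.0 hunk at 603/604 has the same three points. The enclosing request-setup function starts and ends outside this hunk.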
>@@ -1471,6 +1509,8 @@
> * ForwardURICompatUnparsed => Forward URI as unparsed, spec compliant but broke mod_rewrite (old TC)
> * ForwardURIEscaped => Forward URI escaped and Tomcat (3.3 rc2) stuff will do the decoding part
> * ForwardDirectories => Forward all directory requests with no index files to Tomcat
>+ * +ForwardSSLCertChain => Forward SSL Cert Chain
>+ * -ForwardSSLCertChain => Don't Forward SSL Cert Chain (default)
> */
> 
> const char *jk_set_options(cmd_parms * cmd, void *dummy, const char *line)
>@@ -1519,6 +1559,9 @@
> else if (!strcasecmp(w, "FlushPackets")) {
> opt = JK_OPT_FLUSHPACKETS;
> }
>+ else if (!strcasecmp(w, "ForwardSSLCertChain")) {
>+ opt = JK_OPT_FWDCERTCHAIN;
>+ }
> else
> return ap_pstrcat(cmd->pool, "JkOptions: Illegal option '", w,
> "'", NULL);
>@@ -1663,6 +1706,7 @@
> *
> * HTTPS - indication for SSL
> * CERTS - Base64-Der-encoded client certificates.
>+ * CERTCHAIN - Base64-Der-encoded client chain certificates.
> * CIPHER - A string specifing the ciphers suite in use.
> * SESSION - A string specifing the current SSL session.
> * KEYSIZE - Size of Key used in dialogue (#bits are secure)
>@@ -1671,6 +1715,8 @@
> "Name of the Apache environment that contains SSL indication"},
> {"JkCERTSIndicator", jk_set_certs_indicator, NULL, RSRC_CONF, TAKE1,
> "Name of the Apache environment that contains SSL client certificates"},
>+ {"JkCERTCHAINIndicator", jk_set_certchain_indicator, NULL, RSRC_CONF, TAKE1,
>+ "Name of the Apache environment (prefix) that contains SSL client chain certificates"},
> {"JkCIPHERIndicator", jk_set_cipher_indicator, NULL, RSRC_CONF, TAKE1,
> "Name of the Apache environment that contains SSL client cipher"},
> {"JkSESSIONIndicator", jk_set_session_indicator, NULL, RSRC_CONF, TAKE1,
>@@ -1688,7 +1734,9 @@
> * ForwardURICompat => Forward URI normally, less spec compliant but mod_rewrite compatible (old TC)
> * ForwardURICompatUnparsed => Forward URI as unparsed, spec compliant but broke mod_rewrite (old TC)
> * ForwardURIEscaped => Forward URI escaped and Tomcat (3.3 rc2) stuff will do the decoding part
>- */
>+ * +ForwardSSLCertChain => Forward SSL certificate chain
>+ * -ForwardSSLCertChain => Don't forward SSL certificate chain (default)
>+ */
> {"JkOptions", jk_set_options, NULL, RSRC_CONF, RAW_ARGS,
> "Set one of more options to configure the mod_jk module"},
> 
>@@ -1896,6 +1944,7 @@
> */
> c->https_indicator = "HTTPS";
> c->certs_indicator = "SSL_CLIENT_CERT";
>+ c->certchain_indicator = "SSL_CLIENT_CERT_CHAIN_";
> 
> /*
> * The following (comented out) environment variables match apache_ssl!
>@@ -1960,6 +2009,7 @@
> overrides->ssl_enable = base->ssl_enable;
> overrides->https_indicator = base->https_indicator;
> overrides->certs_indicator = base->certs_indicator;
>+ overrides->certchain_indicator = base->certchain_indicator;
> overrides->cipher_indicator = base->cipher_indicator;
> overrides->session_indicator = base->session_indicator;
> overrides->key_size_indicator = base->key_size_indicator;
>--- ./jakarta-tomcat-connectors-1.2.15-src_orig/jk/native/apache-2.0/mod_jk.c 2005-09-21 15:59:50.000000000 +0200
>+++ ./jakarta-tomcat-connectors-1.2.15-src/jk/native/apache-2.0/mod_jk.c 2006-05-26 14:30:47.000000000 +0200
>@@ -170,6 +170,7 @@
> int ssl_enable;
> char *https_indicator;
> char *certs_indicator;
>+ char *certchain_indicator;
> char *cipher_indicator;
> char *session_indicator; /* Servlet API 2.3 requirement */
> char *key_size_indicator; /* Servlet API 2.3 requirement */
>@@ -603,8 +604,27 @@
> s->ssl_cert =
> (char *)apr_table_get(r->subprocess_env,
> conf->certs_indicator);
>+ if (conf->options & JK_OPT_FWDCERTCHAIN) {
>+ const apr_array_header_t *t = apr_table_elts(r->subprocess_env);
>+ if (t && t->nelts) {
>+ int i;
>+ const apr_table_entry_t *elts = (const apr_table_entry_t *) t->elts;
>+ apr_array_header_t *certs = apr_array_make(r->pool, 1, sizeof(char *));
>+ *(const char **)apr_array_push(certs) = s->ssl_cert;
>+ for (i = 0; i < t->nelts; i++) {
>+ if (!elts[i].key)
>+ continue;
>+ if (!strncasecmp(elts[i].key, conf->certchain_indicator, strlen(conf->certchain_indicator)))
>+ *(const char **)apr_array_push(certs) = elts[i].val;
>+ }
>+ s->ssl_cert = apr_array_pstrcat(r->pool, certs, '\0');
>+ }
>+ }
> if (s->ssl_cert) {
> s->ssl_cert_len = strlen(s->ssl_cert);
>+ jk_log(conf->log, JK_LOG_DEBUG, "length of SSL client certificate: %d bytes", s->ssl_cert_len);
>+ if (s->ssl_cert_len > 0)
>+ jk_log(conf->log, JK_LOG_DEBUG, ", dump follows:\n%s", s->ssl_cert);
> }
> /* Servlet 2.3 API */
> s->ssl_cipher =
>@@ -1433,6 +1453,25 @@
> }
> 
> /*
>+ * JkCERTCHAINIndicator Directive Handling
>+ *
>+ * JkCERTCHAINIndicator SSL_CLIENT_CERT_CHAIN_
>+ */
>+
>+static const char *jk_set_certchain_indicator(cmd_parms * cmd,
>+ void *dummy, const char *indicator)
>+{
>+ server_rec *s = cmd->server;
>+ jk_server_conf_t *conf =
>+ (jk_server_conf_t *) ap_get_module_config(s->module_config,
>+ &jk_module);
>+
>+ conf->certchain_indicator = apr_pstrdup(cmd->pool, indicator);
>+
>+ return NULL;
>+}
>+
>+/*
> * JkCIPHERIndicator Directive Handling
> *
> * JkCIPHERIndicator SSL_CIPHER
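Review bot: `jk_set_certchain_indicator` stores whatever prefix the directive supplies without validating it, while the request path in the hunk above matches env keys with `strncasecmp(elts[i].key, conf->certchain_indicator, strlen(conf->certchain_indicator))`, so an empty prefix (`JkCERTCHAINIndicator ""`) has length 0, matches every key, and the values of all of `r->subprocess_env` are concatenated into the certificate attribute handed to the backend. Reject that at configuration time in the handler: `if (!indicator || !*indicator) return "JkCERTCHAINIndicator: prefix must not be empty";`. The apache-1.3 handler in the hunk at 1408/1428 has the same gap. A smaller style point: the new logging here passes `conf->log` directly whereas the apache-1.3 counterpart uses `conf->log ? conf->log : main_log`; whichever form the rest of each file already uses for `jk_log` should be kept consistent (the surrounding calls are not visible here).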
>@@ -1501,6 +1540,8 @@
> * ForwardURICompatUnparsed => Forward URI as unparsed, spec compliant but broke mod_rewrite (old TC)
> * ForwardURIEscaped => Forward URI escaped and Tomcat (3.3 rc2) stuff will do the decoding part
> * ForwardDirectories => Forward all directory requests with no index files to Tomcat
>+ * +ForwardSSLCertChain => Forward SSL Cert Chain
>+ * -ForwardSSLCertChain => Don't Forward SSL Cert Chain (default)
> */
> 
> static const char *jk_set_options(cmd_parms * cmd, void *dummy,
>@@ -1550,6 +1591,9 @@
> else if (!strcasecmp(w, "FlushPackets")) {
> opt = JK_OPT_FLUSHPACKETS;
> }
>+ else if (!strcasecmp(w, "ForwardSSLCertChain")) {
>+ opt = JK_OPT_FWDCERTCHAIN;
>+ }
> else
> return apr_pstrcat(cmd->pool, "JkOptions: Illegal option '", w,
> "'", NULL);
>@@ -1700,6 +1744,7 @@
> *
> * HTTPS - indication for SSL
> * CERTS - Base64-Der-encoded client certificates.
>+ * CERTCHAIN - Base64-Der-encoded client chain certificates.
> * CIPHER - A string specifing the ciphers suite in use.
> * KEYSIZE - Size of Key used in dialogue (#bits are secure)
> * SESSION - A string specifing the current SSL session.
>@@ -1708,6 +1753,8 @@
> "Name of the Apache environment that contains SSL indication"),
> AP_INIT_TAKE1("JkCERTSIndicator", jk_set_certs_indicator, NULL, RSRC_CONF,
> "Name of the Apache environment that contains SSL client certificates"),
>+ AP_INIT_TAKE1("JkCERTCHAINIndicator", jk_set_certchain_indicator, NULL, RSRC_CONF,
>+ "Name of the Apache environment (prefix) that contains SSL client chain certificates"),
> AP_INIT_TAKE1("JkCIPHERIndicator", jk_set_cipher_indicator, NULL,
> RSRC_CONF,
> "Name of the Apache environment that contains SSL client cipher"),
>@@ -1728,6 +1775,8 @@
> * ForwardURICompat => Forward URI normally, less spec compliant but mod_rewrite compatible (old TC)
> * ForwardURICompatUnparsed => Forward URI as unparsed, spec compliant but broke mod_rewrite (old TC)
> * ForwardURIEscaped => Forward URI escaped and Tomcat (3.3 rc2) stuff will do the decoding part
>+ * +ForwardSSLCertChain => Forward SSL certificate chain
>+ * -ForwardSSLCertChain => Don't forward SSL certificate chain
> */
> AP_INIT_RAW_ARGS("JkOptions", jk_set_options, NULL, RSRC_CONF,
> "Set one of more options to configure the mod_jk module"),
>@@ -2057,7 +2106,7 @@
> c->mountcopy = JK_FALSE;
> c->was_initialized = JK_FALSE;
> c->options = JK_OPT_FWDURIDEFAULT;
>-
>+
> /*
> * By default we will try to gather SSL info.
> * Disable this functionality through JkExtractSSL
>@@ -2069,6 +2118,7 @@
> */
> c->https_indicator = "HTTPS";
> c->certs_indicator = "SSL_CLIENT_CERT";
>+ c->certchain_indicator = "SSL_CLIENT_CERT_CHAIN_";
> 
> /*
> * The following (comented out) environment variables match apache_ssl!
>@@ -2138,6 +2188,7 @@
> overrides->ssl_enable = base->ssl_enable;
> overrides->https_indicator = base->https_indicator;
> overrides->certs_indicator = base->certs_indicator;
>+ overrides->certchain_indicator = base->certchain_indicator;
> overrides->cipher_indicator = base->cipher_indicator;
> overrides->session_indicator = base->session_indicator;
> }