Bug 39636

Summary: mod_jk does not pass SSL client certificate chain to AJP connector
Product: Tomcat Connectors
Component: Common
Status: RESOLVED FIXED
Severity: normal
Priority: P2
Version: unspecified
Target Milestone: ---
Hardware: All
OS: other
Reporter: Patrik Schnellmann <schnellmann>
Assignee: Tomcat Developers Mailing List <dev>
CC: bzasf
Keywords: PatchAvailable
Bug Depends on:
Bug Blocks: 39637

Attachments:
  Patch for jakarta-tomcat-connectors-1.2.15 (attachment 18332)
  Patch for jakarta-tomcat-connectors-1.2.15 (attachment 18458)
  Patch for tomcat-connectors-1.2.20 (attachment 19447)

Description Patrik Schnellmann 2006-05-23 07:26:33 UTC
mod_jk only passes the SSL_CLIENT_CERT to the AJP connector. This is not a
problem with self-signed certificates or certificates directly signed by the
root CA certificate. However, there's a large number of certificates signed by
an intermediate CA certificate, where this is a significant problem: A servlet
will not have the possibility to validate the client certificate on its own. The
bug would be fixed by passing on the SSL_CLIENT_CERT_CHAIN to Tomcat via the AJP
connector.
Comment 1 Patrik Schnellmann 2006-05-23 07:28:04 UTC
Created attachment 18332
Patch for jakarta-tomcat-connectors-1.2.15
Comment 2 Patrik Schnellmann 2006-06-14 05:20:12 UTC
Created attachment 18458
Patch for jakarta-tomcat-connectors-1.2.15

Optional forwarding of SSL client certificate chain can be enabled using the
Directive "JkOptions ForwardSSLCertChain".
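The servlet-side half of what the report describes, as an added example that is not code from this bug, from mod_jk or from Tomcat: once httpd forwards the chain (the JkOptions ForwardSSLCertChain directive from comment 2; current mod_jk documentation writes it as +ForwardSSLCertChain), Tomcat exposes the forwarded certificates through the standard javax.servlet.request.X509Certificate attribute, leaf first, and the servlet can run PKIX path validation against its own root store. With only SSL_CLIENT_CERT forwarded the array holds just the leaf, so a leaf issued by an intermediate CA fails validation here; with the chain forwarded the intermediate arrives as well. The trust store path and password, the servlet class name and the handling of a self-signed client certificate that is itself a trusted entry are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example servlet (not part of mod_jk or Tomcat) validating the client
 * certificate chain that mod_jk forwarded over AJP.
 */
public class ClientCertChainServlet extends HttpServlet {

    // Assumed trust store holding only the root CA certificates the
    // application accepts; path and password are hypothetical.
    private static final String TRUST_STORE_PATH = "/etc/tomcat/client-ca-roots.jks";
    private static final char[] TRUST_STORE_PASSWORD = "changeit".toCharArray();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Standard Servlet attribute; Tomcat fills it from what the AJP
        // connector received: the leaf only, or the leaf plus its chain.
        X509Certificate[] forwarded = (X509Certificate[])
            req.getAttribute("javax.servlet.request.X509Certificate");
        if (forwarded == null || forwarded.length == 0) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "no client certificate");
            return;
        }
        try {
            X509Certificate leaf = validate(forwarded);
            resp.setContentType("text/plain");
            resp.getWriter().println("client: " + leaf.getSubjectX500Principal().getName());
            resp.getWriter().println("certificates forwarded: " + forwarded.length);
        } catch (GeneralSecurityException e) {
            // This is the failure seen when the issuing intermediate was not
            // forwarded: the path cannot be chained to any trust anchor.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                           "client certificate not trusted: " + e.getMessage());
        }
    }

    /** Runs PKIX path validation over the forwarded certificates and returns the leaf. */
    X509Certificate validate(X509Certificate[] forwarded)
            throws GeneralSecurityException, IOException {
        KeyStore roots = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(TRUST_STORE_PATH)) {
            roots.load(in, TRUST_STORE_PASSWORD);
        }

        // The path is ordered leaf first and must not contain a trust anchor,
        // so drop any self-signed certificate the client may have sent.
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : forwarded) {
            if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) {
                path.add(c);
            }
        }

        if (path.isEmpty()) {
            // Self-signed client certificate: accepted only if it is itself
            // a trusted entry of the store (assumed policy for this example).
            X509Certificate self = forwarded[0];
            if (roots.getCertificateAlias(self) == null) {
                throw new GeneralSecurityException("self-signed certificate is not in the trust store");
            }
            return self;
        }

        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(roots);   // anchors = trusted entries
        params.setRevocationEnabled(false);                  // enable CRL/OCSP checks in production
        PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult)
            CertPathValidator.getInstance("PKIX").validate(certPath, params);

        X509Certificate anchor = result.getTrustAnchor().getTrustedCert();
        log("client chain anchored at " + anchor.getSubjectX500Principal().getName());
        return path.get(0);
    }
}
```

The self-signed filter matters in practice: mod_ssl's SSL_CLIENT_CERT_CHAIN can include the root the client chose to send, and the JDK PKIX validator expects anchors to come from the parameters rather than from the path. Revocation checking is disabled only to keep the example self-contained.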
Comment 3 Mladen Turk 2006-07-09 09:32:32 UTC
The problem is that the patch can cause AJP packet size overflow.
It will be applied when we resolve the AJP 8k header and 0x9999
single header value limitation.
Comment 4 Patrik Schnellmann 2007-01-24 03:34:47 UTC
Created attachment 19447
Patch for tomcat-connectors-1.2.20
Comment 5 Patrik Schnellmann 2007-01-24 03:47:08 UTC
Since version 1.2.19, the header package size limit of 8k is not an issue
anymore. Therefore this patch has become a topic again (together with the
patch for bug #39637).
Comment 6 Mladen Turk 2007-03-19 00:21:07 UTC
Committed, thanks.