Summary: AJP13 connector does not handle chain of SSL client certificate
Product: Tomcat 5
Reporter: Patrik Schnellmann <schnellmann>
Component: Connector:AJP
Assignee: Tomcat Developers Mailing List <dev>
Bug Depends on: 39636
Attachments: Patch for tomcat-5.5.17; Patch for tomcat-5.5.23; Patch for tomcat-6.0.10; Updated 6.0.x patch; Updated 5.5.x patch
Description Patrik Schnellmann 2006-05-23 07:38:13 UTC
The AJP connector only handles the first certificate of the SSL client certificate (chain). With the attached patch, all the certificates in the chain will be handled and will be exposed as javax.security.cert.X509Certificate.
Comment 1 Patrik Schnellmann 2006-05-23 07:39:09 UTC
Created attachment 18333: Patch for tomcat-5.5.17
Comment 2 Jess Holle 2006-05-23 07:47:37 UTC
Given mod_jk's 8K total header limit I'd think that this should be an optional setting unless/until the 8K limit is removed (which as I understand it will have to wait until AJP 1.4). We've already had a customer who had to use Apache options to remove the Referer information prior to mod_jk's involvement so as to stay under the 8K barrier -- and this was without this patch.
Comment 3 Patrik Schnellmann 2006-06-14 20:49:33 UTC
The 8k limit for the header information is really a problem. The mod_jk patch for Bug #39636 addresses this problem by introducing a JKOption (ForwardSSLCertChain) which allows you to enable forwarding of the SSL Client Cert Chain. Additionally, if you only need client authentication for a certain virtual host / directory, only use ExportCertData (no StdEnvVars and the like).
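Once mod_jk forwards the whole chain (the ForwardSSLCertChain option from the comment above) and Tomcat exposes it, the application still has to decide what to trust. The following servlet filter is an added example, not code from the attached patches or from Tomcat: it reads the servlet-spec attribute `javax.servlet.request.X509Certificate`, validates the forwarded chain with PKIX against a local trust store instead of trusting whatever the proxy relayed, and logs a warning when the PEM size of the chain is around the 8K AJP13 limit discussed in comments 2 and 3. The init-params `trustStore` and `trustStorePassword` are hypothetical names chosen for this example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Validates the client certificate chain forwarded by the AJP connector against a local trust store. */
public class ClientCertChainFilter implements Filter {

    // Servlet-spec request attribute; the connector stores a java.security.cert.X509Certificate[]
    // with the client certificate at index 0 followed by the forwarded issuer certificates.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // The AJP13 packet limit discussed in this bug (8 KB); used only for a diagnostic warning.
    static final int AJP_PACKET_LIMIT = 8 * 1024;

    private PKIXParameters pkixParams;
    private ServletContext ctx;

    public void init(FilterConfig config) throws ServletException {
        ctx = config.getServletContext();
        // Hypothetical init-params naming a JKS trust store that holds the CA anchors.
        String path = config.getInitParameter("trustStore");
        String password = config.getInitParameter("trustStorePassword");
        try (FileInputStream in = new FileInputStream(path)) {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, password.toCharArray());
            pkixParams = new PKIXParameters(ks);    // every trusted-cert entry becomes a trust anchor
            pkixParams.setRevocationEnabled(false); // enable CRL/OCSP checking once it is configured
        } catch (Exception e) {
            throw new ServletException("cannot load trust store " + path, e);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain next)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        Object attr = req.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[]) || ((X509Certificate[]) attr).length == 0) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        X509Certificate[] certs = (X509Certificate[]) attr;

        int pemBytes = approximatePemBytes(certs);
        if (pemBytes > AJP_PACKET_LIMIT) {
            ctx.log("forwarded chain is about " + pemBytes + " bytes; exceeds the AJP13 packet limit");
        }
        try {
            validateChain(Arrays.asList(certs));
        } catch (Exception e) {
            ctx.log("client chain rejected for " + certs[0].getSubjectX500Principal(), e);
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not trusted");
            return;
        }
        next.doFilter(req, res);
    }

    /** PKIX validation of the forwarded chain. A trailing self-signed root is dropped because
     *  the anchors come from the trust store, not from what the peer (or the proxy) sent. */
    void validateChain(List<X509Certificate> chain) throws Exception {
        List<X509Certificate> path = new ArrayList<>(chain);
        X509Certificate last = path.get(path.size() - 1);
        if (path.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            path.remove(path.size() - 1);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath certPath = cf.generateCertPath(path);
        CertPathValidator.getInstance("PKIX").validate(certPath, pkixParams);
    }

    /** Rough size of the chain as mod_ssl exports it in PEM (base64 body plus armour lines). */
    static int approximatePemBytes(X509Certificate[] certs) {
        int total = 0;
        for (X509Certificate c : certs) {
            try {
                int b64 = Base64.getEncoder().encodeToString(c.getEncoded()).length();
                total += b64 + b64 / 64 + 60; // line break every 64 chars plus BEGIN/END lines
            } catch (CertificateEncodingException e) {
                total += 2048; // conservative guess for an entry that cannot be re-encoded
            }
        }
        return total;
    }

    public void destroy() {
    }
}
```

Map the filter to the paths that need client authentication in web.xml. On the httpd side the chain only arrives when mod_ssl exports it (`SSLOptions +ExportCertData`) and mod_jk is allowed to forward it (`JkOptions +ForwardSSLCertChain`); as comment 3 notes, keeping StdEnvVars off for those locations leaves more of the 8K packet for the certificates themselves.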
Comment 4 Mladen Turk 2007-03-19 00:21:00 UTC
The patch has wrong formatting. I have committed the native part (#39636), but we would need the patch for both 5.5.x and 6.x branches, as well as for APR connector. Can you do that?
Comment 5 Patrik Schnellmann 2007-03-25 01:52:19 UTC
Created attachment 19793: Patch for tomcat-5.5.23
The patch is for JK and APR, I tested the JK connector, but didn't have the resources to test it on APR.
Comment 6 Patrik Schnellmann 2007-03-25 01:52:49 UTC
Created attachment 19794: Patch for tomcat-6.0.10
Comment 7 Mark Thomas 2009-07-05 07:35:41 UTC
*** This bug has been marked as a duplicate of bug 37869 ***
Comment 8 Patrik Schnellmann 2009-07-05 22:33:03 UTC
This bug (39637) and https://issues.apache.org/bugzilla/show_bug.cgi?id=37869 are not the same issue. This one has been filed for the JK connector while #37869 has been filed for the HTTP connector.
Comment 9 Mark Thomas 2009-07-09 15:57:50 UTC
Created attachment 23951: Updated 6.0.x patch
Updated patch. Line number changes only.
Comment 10 Mark Thomas 2009-07-09 15:59:59 UTC
Created attachment 23952: Updated 5.5.x patch
Updates line numbers. Adds fix for Coyote AJP APR/native connector.
Comment 11 Mark Thomas 2009-07-09 16:03:51 UTC
Thanks for the patches. The updated versions have been proposed for 5.5.x and 6.0.x. Note trunk had already been patched.
Comment 12 Mark Thomas 2009-07-16 13:42:37 UTC
This has been applied to 6.0.x and will be included in 6.0.21 onwards.
Comment 13 Mark Thomas 2009-07-17 03:58:45 UTC
This has been fixed in 5.5.x and will be included in 5.5.28 onwards.