mod_jk only passes the SSL_CLIENT_CERT to the AJP connector. This is not a problem with self-signed certificates or certificates directly signed by the root CA certificate. However, there is a large number of certificates signed by an intermediate CA certificate, where this is a significant problem: a servlet will not have the possibility to validate the client certificate on its own. The bug would be fixed by passing on the SSL_CLIENT_CERT_CHAIN to Tomcat via the AJP connector.
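The verification gap described above, as an added example that is not part of the bug report or of the mod_jk patch: a throwaway root / intermediate / client chain is constructed with the openssl CLI, then the client certificate is checked once with only the leaf available (what SSL_CLIENT_CERT carries) and once with the intermediate supplied as well (what SSL_CLIENT_CERT_CHAIN would carry). All certificate names and the scratch directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the bug report: shows that a verifier holding only
# the root CA cannot validate a client certificate issued by an intermediate CA
# unless the intermediate is forwarded along with the leaf.
# Requires the openssl CLI; all certificates below are constructed throwaways.
set -e
WORK=$(mktemp -d)

# 1. Self-signed root CA (the trust anchor the servlet side would hold).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1

# 2. Intermediate CA issued by the root; it needs CA:TRUE to issue certificates.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/ca.ext"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" >/dev/null 2>&1

# 3. Client (end-entity) certificate issued by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
  -CAcreateserial -days 1 -out "$WORK/client.pem" >/dev/null 2>&1

# Case A: only the leaf reaches the verifier (SSL_CLIENT_CERT alone).
# Returns 0 if the chain validates, non-zero otherwise.
verify_leaf_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/client.pem" >/dev/null 2>&1
}

# Case B: the intermediate is forwarded too (SSL_CLIENT_CERT_CHAIN), supplied
# as an untrusted certificate that merely completes the path to the root.
verify_with_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
    "$WORK/client.pem" >/dev/null 2>&1
}

if verify_leaf_only; then echo "leaf only:  valid"; else echo "leaf only:  INVALID (issuer unknown)"; fi
if verify_with_chain; then echo "with chain: valid"; else echo "with chain: INVALID"; fi
```

The same two outcomes apply to a servlet validating `javax.servlet.request.X509Certificate` against a trust store: without the intermediate in the forwarded array, path building stops at an unknown issuer.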
Created attachment 18332 [details] Patch for jakarta-tomcat-connectors-1.2.15
Created attachment 18458 [details] Patch for jakarta-tomcat-connectors-1.2.15. Optional forwarding of the SSL client certificate chain can be enabled using the directive "JkOptions ForwardSSLCertChain".
The problem is that the patch can cause AJP packet size overflow. It will be applied when we resolve the AJP 8k header and 0x9999 single header value limitation.
Created attachment 19447 [details] Patch for tomcat-connectors-1.2.20
Since version 1.2.19, the header package size limit of 8k is not an issue anymore. Therefore this patch has become a topic again (together with the patch for bug #39637).
Committed, thanks.