Bug 39636 - mod_jk does not pass SSL client certificate chain to AJP connector
Summary: mod_jk does not pass SSL client certificate chain to AJP connector
Alias: None
Product: Tomcat Connectors
Classification: Unclassified
Component: Common
Version: unspecified
Hardware: All other
Importance: P2 normal
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Keywords: PatchAvailable
Depends on:
Blocks: 39637
Reported: 2006-05-23 07:26 UTC by Patrik Schnellmann
Modified: 2008-10-05 03:09 UTC

Patch for jakarta-tomcat-connectors-1.2.15 (8.64 KB, patch)
2006-05-23 07:28 UTC, Patrik Schnellmann
Patch for jakarta-tomcat-connectors-1.2.15 (12.37 KB, patch)
2006-06-14 05:20 UTC, Patrik Schnellmann
Patch for tomcat-connectors-1.2.20 (12.58 KB, patch)
2007-01-24 03:34 UTC, Patrik Schnellmann

Description Patrik Schnellmann 2006-05-23 07:26:33 UTC
mod_jk only passes the SSL_CLIENT_CERT to the AJP connector. This is not a
problem with self-signed certificates or certificates directly signed by the
root CA certificate. However, there's a large number of certificates signed by
an intermediate CA certificate, where this is a significant problem: A servlet
will not have the possibility to validate the client certificate on its own. The
bug would be fixed by passing on the SSL_CLIENT_CERT_CHAIN to Tomcat via the AJP
Comment 1 Patrik Schnellmann 2006-05-23 07:28:04 UTC
Created attachment 18332
Patch for jakarta-tomcat-connectors-1.2.15
Comment 2 Patrik Schnellmann 2006-06-14 05:20:12 UTC
Created attachment 18458
Patch for jakarta-tomcat-connectors-1.2.15

Optional forwarding of SSL client certificate chain can be enabled using the
Directive "JkOptions ForwardSSLCertChain".
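The following is an added example, not code from the bug report, from mod_jk or from Tomcat. It is a Go program using only the standard library that builds a constructed root -> intermediate -> client hierarchy and then performs the validation a servlet would attempt on the forwarded certificates: once with only the client certificate (what SSL_CLIENT_CERT alone delivers) and once with the intermediate as well (what SSL_CLIENT_CERT_CHAIN adds when ForwardSSLCertChain is enabled). The hierarchy, the names and the helper functions BuildPKI and ValidateClient are assumptions made for the demonstration; a real servlet would do the same path building in Java against the javax.servlet.request.X509Certificate request attribute.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl for pub with signer. A nil parent makes it self-signed (the root CA).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// PKI holds a constructed three-level hierarchy: root -> intermediate -> client.
type PKI struct {
	Root, Inter, Leaf *x509.Certificate
}

// BuildPKI creates throwaway keys and certificates (constructed test data, not real
// certificates). The client certificate is signed by the intermediate, not by the
// root, which is exactly the case the bug report describes.
func BuildPKI() (*PKI, error) {
	keys := make([]*ecdsa.PrivateKey, 3)
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootKey, interKey, leafKey := keys[0], keys[1], keys[2]
	now := time.Now()
	tmpl := func(serial int64, cn string, isCA bool) *x509.Certificate {
		c := &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			BasicConstraintsValid: true,
			IsCA:                  isCA,
		}
		if isCA {
			c.KeyUsage = x509.KeyUsageCertSign
		} else {
			c.KeyUsage = x509.KeyUsageDigitalSignature
			c.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		}
		return c
	}
	root, err := issue(tmpl(1, "Test Root CA", true), nil, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	inter, err := issue(tmpl(2, "Test Intermediate CA", true), root, &interKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := issue(tmpl(3, "client", false), inter, &leafKey.PublicKey, interKey)
	if err != nil {
		return nil, err
	}
	return &PKI{Root: root, Inter: inter, Leaf: leaf}, nil
}

// ValidateClient does what a servlet would do with the forwarded certificate(s):
// build a path from forwarded[0] (the client certificate) to the trusted root,
// using any further forwarded certificates as candidate intermediates.
// forwarded = [leaf] models SSL_CLIENT_CERT alone; [leaf, intermediate...] models
// SSL_CLIENT_CERT plus SSL_CLIENT_CERT_CHAIN. The servlet's trust store only
// holds the root, as is usual; the intermediate must arrive with the request.
func ValidateClient(forwarded []*x509.Certificate, trustedRoot *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters := x509.NewCertPool()
	for _, c := range forwarded[1:] {
		inters.AddCert(c)
	}
	_, err := forwarded[0].Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	p, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf only: ", ValidateClient([]*x509.Certificate{p.Leaf}, p.Root))
	fmt.Println("leaf+chain:", ValidateClient([]*x509.Certificate{p.Leaf, p.Inter}, p.Root))
}
```

Run with `go run`: the leaf-only call returns an unknown-authority error because the leaf's issuer is the intermediate, which is neither trusted nor supplied, while the call that also receives the intermediate returns nil. That difference is the whole point of forwarding the chain: without it the servlet can only trust the front end's verdict, it cannot re-check the certificate itself.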
Comment 3 Mladen Turk 2006-07-09 09:32:32 UTC
The problem is that the patch can cause AJP packet size overflow.
It will be applied when we resolve the AJP 8k header and 0x9999
single header value limitation.
Comment 4 Patrik Schnellmann 2007-01-24 03:34:47 UTC
Created attachment 19447
Patch for tomcat-connectors-1.2.20
Comment 5 Patrik Schnellmann 2007-01-24 03:47:08 UTC
Since version 1.2.19, the header package size limit of 8k is not an issue
anymore. Therefore this patch has become a topic again (together with the
patch for bug #39637).
Comment 6 Mladen Turk 2007-03-19 00:21:07 UTC
Committed, thanks.