Bug 39637 - AJP13 connector does not handle chain of SSL client certificate
Summary: AJP13 connector does not handle chain of SSL client certificate
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Connector:AJP
Version: 5.5.17
Hardware: All other
Importance: P2 normal
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Keywords: PatchAvailable
Depends on: 39636
Reported: 2006-05-23 07:38 UTC by Patrik Schnellmann
Modified: 2009-07-17 03:58 UTC

Patch for tomcat-5.5.17 (2.94 KB, patch)
2006-05-23 07:39 UTC, Patrik Schnellmann
Patch for tomcat-5.5.23 (4.04 KB, patch)
2007-03-25 01:52 UTC, Patrik Schnellmann
Patch for tomcat-6.0.10 (6.03 KB, patch)
2007-03-25 01:52 UTC, Patrik Schnellmann
Updated 6.0.x patch (5.93 KB, application/octet-stream)
2009-07-09 15:57 UTC, Mark Thomas
Updated 5.5.x patch (6.13 KB, application/octet-stream)
2009-07-09 15:59 UTC, Mark Thomas

Description Patrik Schnellmann 2006-05-23 07:38:13 UTC
The AJP connector only handles the first certificate of the SSL client
certificate (chain). With the attached patch, all the certificates in the chain
will be handled and will be exposed as javax.security.cert.X509Certificate .
Comment 1 Patrik Schnellmann 2006-05-23 07:39:09 UTC
Created attachment 18333
Patch for tomcat-5.5.17
Comment 2 Jess Holle 2006-05-23 07:47:37 UTC
Given mod_jk's 8K total header limit I'd think that this should be an optional
setting unless/until the 8K limit is removed (which as I understand it will have
to wait until AJP 1.4).

We've already had a customer who had to use Apache options to remove the Referer
information prior to mod_jk's involvement so as to stay under the 8K barrier --
and this was without this patch.
Comment 3 Patrik Schnellmann 2006-06-14 20:49:33 UTC
The 8k limit for the header information is really a problem. The mod_jk patch
for Bug #39636 addresses this problem by introducing a JKOption
(ForwardSSLCertChain) which allows you to enable forwarding of the SSL Client
Cert Chain.

Additionally, if you only need client authentication for a certain virtual host
/ directory, only use ExportCertData (no StdEnvVars and the like).
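
The setup Comment 3 recommends, written out as an added configuration example (not from the bug report, mod_jk or Tomcat themselves): the httpd virtual host that needs client authentication forwards the full certificate chain, and only the location that checks the client exports certificate data. The hostname, file paths and the worker name are assumptions. `JkOptions +ForwardSSLCertChain` is the option introduced by the mod_jk fix for bug 39636; the Tomcat side needs this bug's patch (6.0.21 / 5.5.28 onwards) to parse more than the first certificate.

```apache
# Added example; hostnames, paths and worker name are assumptions.
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties
JkLogFile     logs/mod_jk.log

<VirtualHost *:443>
    ServerName app.example.com
    SSLEngine on
    SSLCertificateFile    conf/ssl/server.crt
    SSLCertificateKeyFile conf/ssl/server.key
    # CA(s) that issued the client certificates we accept
    SSLCACertificateFile  conf/ssl/client-ca.pem

    # JkOptions is a server/virtual-host directive, so chain forwarding is
    # switched on for this whole vhost: keep client-auth traffic on its own
    # vhost so other sites do not pay the AJP header cost.
    JkOptions +ForwardSSLCertChain
    JkMount /secure/* worker1

    <Location /secure>
        SSLVerifyClient require
        SSLVerifyDepth  3
        # Export only the certificate data. Do NOT add +StdEnvVars here: the
        # extra SSL_* variables are also forwarded over AJP and count against
        # the 8K packet limit.
        SSLOptions +ExportCertData
    </Location>
</VirtualHost>
```

With this in place mod_jk sends the leaf certificate followed by the SSL_CLIENT_CERT_CHAIN_n certificates, and a patched Tomcat exposes the whole chain to the webapp as the array in the `javax.servlet.request.X509Certificate` request attribute, leaf first. If the chain still does not fit, newer mod_jk (worker property `max_packet_size`) and Tomcat (AJP connector attribute `packetSize`) allow raising the packet size above 8192 bytes, but both ends must be set to the same value.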

Comment 4 Mladen Turk 2007-03-19 00:21:00 UTC
The patch has wrong formatting.
I have committed the native part (#39636), but we would need the patch
for both 5.5.x and 6.x branches, as well as for APR connector.

Can you do that?
Comment 5 Patrik Schnellmann 2007-03-25 01:52:19 UTC
Created attachment 19793
Patch for tomcat-5.5.23

The patch is for JK and APR, I tested the JK connector, but didn't have the
resources to test it on APR.
Comment 6 Patrik Schnellmann 2007-03-25 01:52:49 UTC
Created attachment 19794
Patch for tomcat-6.0.10
Comment 7 Mark Thomas 2009-07-05 07:35:41 UTC

*** This bug has been marked as a duplicate of bug 37869 ***
Comment 8 Patrik Schnellmann 2009-07-05 22:33:03 UTC
This bug (39637) and https://issues.apache.org/bugzilla/show_bug.cgi?id=37869 are not the same issue. This one has been filed for the JK connector while #37869 has been filed for the HTTP connector.
Comment 9 Mark Thomas 2009-07-09 15:57:50 UTC
Created attachment 23951
Updated 6.0.x patch

Updated patch. Line number changes only.
Comment 10 Mark Thomas 2009-07-09 15:59:59 UTC
Created attachment 23952
Updated 5.5.x patch

Updates line numbers. Adds fix for Coyote AJP APR/native connector.
Comment 11 Mark Thomas 2009-07-09 16:03:51 UTC
Thanks for the patches. The updated versions have been proposed for 5.5.x and 6.0.x. Note trunk had already been patched.
Comment 12 Mark Thomas 2009-07-16 13:42:37 UTC
This has been applied to 6.0.x and will be included in 6.0.21 onwards.
Comment 13 Mark Thomas 2009-07-17 03:58:45 UTC
This has been fixed in 5.5.x and will be included in 5.5.28 onwards.