Bug 49123 - mod_proxy_ajp does not send the client's SSL chain certificates
Summary: mod_proxy_ajp does not send the client's SSL chain certificates
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_proxy_ajp
Version: 2.5-HEAD
Hardware: PC Linux
Importance: P2 normal with 1 vote
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: PatchAvailable
Reported: 2010-04-14 13:48 UTC by Paul Donohue
Modified: 2015-05-28 22:56 UTC
Attachments
Patch for trunk and/or 2.2.x branch (1.88 KB, application/octet-stream), 2010-04-14 13:48 UTC, Paul Donohue
Patch for trunk and/or 2.2.x branch (9.49 KB, patch), 2010-04-16 11:00 UTC, Paul Donohue
Patch for trunk and/or 2.2.x branch (9.64 KB, patch), 2010-04-16 11:45 UTC, Paul Donohue
Patch for trunk and/or 2.2.x branch (10.20 KB, patch), 2010-05-12 18:44 UTC, Paul Donohue
Patch for trunk (10.14 KB, patch), 2010-06-07 12:32 UTC, Paul Donohue

Description Paul Donohue 2010-04-14 13:48:29 UTC
Created attachment 25299
Patch for trunk and/or 2.2.x branch

mod_proxy_ajp only sends the client's SSL certificate to the AJP server. The client's chain (intermediate certificates) is not sent. This is not a problem with self-signed certificates or certificates directly signed by the root CA certificate. However, there's a large number of certificates signed by an intermediate CA certificate, where this is a significant problem: A servlet will not have the possibility to validate the client certificate on its own.

mod_jk was patched back in 2007 to allow sending all of the SSL chain certificates, but mod_proxy_ajp was not updated at the same time (See https://issues.apache.org/bugzilla/show_bug.cgi?id=39636). In 2008, Mladen Turk mentioned he was planning to add such support to mod_proxy_ajp (See http://www.mail-archive.com/dev@httpd.apache.org/msg41676.html), but it does not look like that ever happened.

So, I'm attaching a patch which implements this functionality.

In mod_jk, this was implemented as an option that was disabled by default. As mod_proxy_ajp does not currently have any options, I decided to skip the option and just enable this by default in mod_proxy_ajp. I don't believe this will cause any compatibility problems, but I have not thoroughly tested this with old versions of Tomcat/Jetty/etc. However, I will continue to do testing, and if I find compatibility problems, I will add an option to mod_proxy_ajp to control this behavior.
Comment 1 Paul Donohue 2010-04-15 07:16:04 UTC
So it didn't take much testing to determine that this cannot be enabled by default, even when used with the latest Tomcat. A long certificate chain can easily exceed the size of the default AJP packet buffer in Tomcat, requiring a configuration change in Tomcat 5.5.20 or later, and simply breaking older versions of Tomcat. I will add an option to control this behavior and disable it by default, and add documentation to explain the Tomcat configuration changes needed before enabling it.
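To make the packet-buffer problem from Comment 1 concrete, here is an added Python example (not code from the patch or from httpd/Tomcat) that encodes a minimal AJP13 forward request carrying the SSL_CERT attribute and checks whether it fits the 8192-byte default packet buffer. The AJP13 prefix, method and attribute codes are those of the AJP13 protocol; the PEM blobs, their sizes, and the host names are constructed placeholders.

```python
import struct
from typing import Optional

AJP13_MAX_PACKET_SIZE = 8192  # default AJP packet buffer (Tomcat packetSize, mod_proxy_ajp)
AJP13_FORWARD_REQUEST = 0x02  # prefix code of a forward-request packet
SC_M_GET = 2                  # AJP13 method code for GET
SC_A_SSL_CERT = 0x07          # attribute carrying the client certificate as PEM text
SC_A_ARE_DONE = 0xFF          # attribute-list terminator

def ajp_string(s: bytes) -> bytes:
    """AJP13 string: 2-byte big-endian length, the bytes, then a NUL."""
    return struct.pack(">H", len(s)) + s + b"\x00"

def forward_request(uri: bytes, ssl_cert_pem: Optional[bytes] = None) -> bytes:
    """Minimal AJP13 forward request for an HTTPS GET with no request headers.
    ssl_cert_pem is the SSL_CERT payload: the leaf certificate alone today,
    or leaf plus intermediates when the chain is forwarded."""
    body = bytes([AJP13_FORWARD_REQUEST, SC_M_GET])
    body += ajp_string(b"HTTP/1.1") + ajp_string(uri)
    body += ajp_string(b"192.0.2.10")    # remote_addr (constructed)
    body += ajp_string(b"")              # remote_host (not resolved)
    body += ajp_string(b"example.test")  # server_name (constructed)
    body += struct.pack(">H", 443)       # server_port
    body += b"\x01"                      # is_ssl
    body += struct.pack(">H", 0)         # num_headers
    if ssl_cert_pem is not None:
        body += bytes([SC_A_SSL_CERT]) + ajp_string(ssl_cert_pem)
    body += bytes([SC_A_ARE_DONE])
    # Web-server-to-container framing: magic 0x1234, payload length, payload.
    return b"\x12\x34" + struct.pack(">H", len(body)) + body

def fits_default_buffer(packet: bytes) -> bool:
    """True if a container with the default packet buffer can accept it."""
    return len(packet) <= AJP13_MAX_PACKET_SIZE

def placeholder_pem(body_len: int) -> bytes:
    """Constructed stand-in for a PEM certificate of about body_len bytes."""
    return (b"-----BEGIN CERTIFICATE-----\n" + b"A" * body_len
            + b"\n-----END CERTIFICATE-----\n")

# Constructed sizes, typical of 2048-bit RSA certificates in PEM form.
LEAF = placeholder_pem(1400)
CHAIN = LEAF + placeholder_pem(1800) * 4  # leaf plus four intermediates

if __name__ == "__main__":
    for label, pem in (("leaf only", LEAF), ("leaf + chain", CHAIN)):
        pkt = forward_request(b"/app", pem)
        print(f"{label}: {len(pkt)} bytes, fits default buffer: {fits_default_buffer(pkt)}")
```

The leaf-only request fits comfortably, while the same request with four intermediates overshoots the default buffer, which is why the directive has to stay off unless the container's packet size is raised.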
Comment 2 Paul Donohue 2010-04-16 11:00:39 UTC
Created attachment 25310
Patch for trunk and/or 2.2.x branch

Attaching an updated patch which includes a new ProxyAJPForwardSSLCertChain directive (disabled by default) and updated documentation.
Comment 3 Paul Donohue 2010-04-16 11:45:35 UTC
Created attachment 25311
Patch for trunk and/or 2.2.x branch

Oops, had some typos in that last patch.
Comment 4 Paul Donohue 2010-05-12 18:44:11 UTC
Created attachment 25433
Patch for trunk and/or 2.2.x branch

Added some extra logging statements to help troubleshooting.
Comment 5 Paul Donohue 2010-06-07 12:32:45 UTC
Created attachment 25540
Patch for trunk

Updated patch to apply cleanly against the current trunk (the same patch can no longer be used for both trunk and the 2.2.x branch).
Comment 6 Paul Donohue 2011-10-24 21:42:27 UTC
As mentioned in the documentation included in the patch, note that support for processing of intermediate certificates is only available in Tomcat 5.5.28+ and 6.0.21+ (earlier versions will simply ignore the intermediate certificates in the AJP request; see https://issues.apache.org/bugzilla/show_bug.cgi?id=37869 and https://issues.apache.org/bugzilla/show_bug.cgi?id=39637 for details).
Comment 7 Tom Arnold 2015-05-28 22:56:46 UTC
Any chance of this getting merged?