RE: Possible to add edited version of SSL_CLIENT_CERT variable to request header?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Igor,
Just out of curiosity. Are you using other .pem files in other <location> blocks?

-----Original Message-----
From: ohaya@xxxxxxx [mailto:ohaya@xxxxxxx] 
Sent: Thursday, April 05, 2012 9:07 AM
To: users@xxxxxxxxxxxxxxxx
Cc: Igor Cicimov
Subject: Re:  Possible to add edited version of SSL_CLIENT_CERT variable to request header?

Igor,

The backend (Weblogic) won't accept/parse it.  I am sure, because in one test I did, I had a RequestHeader with a canned PEM string, without them, and that worked.

Jim


---- Igor Cicimov <icicimov@xxxxxxxxx> wrote: 
> Those lines are part of the PEM certificate without them the cert is not
> valid. What is the problem on the backend side with this?
> 
> 
> On Thu, Apr 5, 2012 at 8:27 AM, <ohaya@xxxxxxx> wrote:
> 
> > Hi,
> >
> > I am using Apache (2.2.x) as a proxy.  The Apache is enabled for
> > 2-way/client-authenticated SSL.
> >
> > In one situation (in a specific <Location> section), I need to be able to
> > pass the PEM of the client certificate to the proxied server, with a
> > specific HTTP header name.
> >
> > I've actually been able to pass the raw PEM as an HTTP header using just
> > the RequestHeader directive:
> >
> > RequestHeader    set   "my_ssl_client_cert"    "%{SSL_CLIENT_CERT}e"
> >
> > But, that raw PEM has the "-----BEGIN CERTIFICATE-----" and "-----END
> > CERTIFICATE-----" strings before and after the actual certificate PEM.
> >
> > I've been trying to figure out how to get just the certificate PEM into
> > the HTTP header for awhile, mostly using SetEnvIfNoCase, but when I try
> > that, I always end  up with an empty string or null in the header.
> >
> > Given that I seem to be able to get the PEM from the SSL_CLIENT_CERT
> > envvar, it seems like there SHOULD be a way to get that into a request
> > header, but I haven't been able to do that yet, and am truly stumped, so I
> > was hoping that someone here might know how to do that?
> >
> > Thanks in advance,
> > Jim
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> >
> >


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux