Re: [users@httpd] Proxy SSL and Client Certificates

Plus, of course, there is SSLOptions +ExportCertsData that exports client
certificate data into env. The question is how to make mod_proxy
send it down to the backend server.

On 9/26/06, Serge Dubrouski <sergeyfd@xxxxxxxxx> wrote:
You aren't quite right. Your statement is right for the encryption part but
not for the authenticating part. I.e. the client's key is needed for decrypting
information but the client certificate is also needed for authenticating
the client.

For example, mod_jk, which is used for connecting Apache to Tomcat, has the
following options for passing SSL data from Apache to Tomcat:

JkExtractSSL On
# What is the indicator for SSL (default is HTTPS)
JkHTTPSIndicator HTTPS
# What is the indicator for SSL session (default is SSL_SESSION_ID)
JkSESSIONIndicator SSL_SESSION_ID
# What is the indicator for client SSL cipher suite (default is SSL_CIPHER)
JkCIPHERIndicator SSL_CIPHER
# What is the indicator for the client SSL certificate (default is SSL_CLIENT_CERT)
JkCERTSIndicator SSL_CLIENT_CERT

And Tomcat sees client certificates all right after that. I'm looking
for that kind of option for mod_proxy.


On 9/26/06, Andrew E. White <aewhite@xxxxxxxx> wrote:
> By nature, certs require a private key to verify them, so if a user is passing through your web server, the client's certificate will do you no good beyond the webserver since the webserver does not have the client's private key.
>
> Andrew
>
> ----- Original Message -----
> From: Serge Dubrouski <sergeyfd@xxxxxxxxx>
> Date: Tuesday, September 26, 2006 5:12 pm
> Subject: [users@httpd] Proxy SSL and Client Certificates
> To: users@xxxxxxxxxxxxxxxx
>
> > Hello Everyone -
> >
> > I have an Apache 2.2.3 server installed with mod_proxy and mod_ssl
> > configured that I use as a frontend server on the Internet. I also have
> > an iPlanet backend legacy server that runs one of our custom
> > applications. That application has embedded authentication based on
> > clients' SSL certificates. Now I want to make Apache act as a proxy
> > server between Internet users and that backend iPlanet server. The
> > problem here is that I can't make Apache pass the submitted client
> > certificate down to iPlanet. Does anybody have any idea how to do
> > that? Simple SSLProxyEngine does not work.
> >
> > Thanks.
> >
> > Serge.
> >
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> >   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> >
> >


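Added example, not part of the thread and not the posters' or the Apache project's own configuration: one way to hand a verified client certificate to a backend through mod_proxy is to copy mod_ssl's variables into request headers with mod_headers. Hostnames, file paths and the X-SSL-* header names are assumptions, and it assumes the backend application can be changed to read these headers, because the proxy does not hold the client's private key and so cannot present the client's certificate in its own TLS handshake with the backend.

```apache
# Added example; hostnames, paths and X-SSL-* header names are assumed.
# Requires mod_ssl, mod_headers, mod_proxy and mod_proxy_http.
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/www.example.com.key

    # Authenticate the client at the proxy: the handshake proves possession
    # of the private key, so only verified certificates are forwarded.
    SSLCACertificateFile  /etc/httpd/ssl/client-ca.crt
    SSLVerifyClient       require
    SSLVerifyDepth        2

    # "set" replaces any value the client sent under the same name, so a
    # client cannot smuggle its own copy of these headers through the proxy.
    RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"
    RequestHeader set X-SSL-Client-S-DN   "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-SSL-Client-Cert   "%{SSL_CLIENT_CERT}s"

    # TLS to the backend. The proxy presents its own certificate (the file
    # holds certificate and key) so the backend can tell proxied requests
    # from direct ones, and the proxy verifies the backend's certificate.
    SSLProxyEngine                 on
    SSLProxyCACertificateFile      /etc/httpd/ssl/backend-ca.crt
    SSLProxyVerify                 require
    SSLProxyMachineCertificateFile /etc/httpd/ssl/proxy-client.pem

    ProxyPass        / https://backend.example.internal/
    ProxyPassReverse / https://backend.example.internal/
</VirtualHost>
```

The backend should accept the X-SSL-* headers only on connections authenticated with the proxy's certificate (or otherwise restricted to the proxy), since anyone who can reach the backend directly can set them.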