I am having difficulties getting a client x509 certificate to be forwarded to Tomcat from Apache using mod_proxy.
From observations and reading a few logs, it does seem as though the client x509 certificate is being accepted by Apache. But when Apache makes an SSL request to Tomcat (which has clientAuth="want"), it doesn't look like the client x509 certificate is passed during the SSL handshake.
Is there a reasonable way to see what Apache is doing with the client x509 certificate during its handshake with Tomcat?
Here is the environment I'm working with: Apache/2.2.3, Tomcat/6.0.29, Java/6.0_23, OpenSSL 0.9.8e
Here is my Apache VirtualHost SSL config:
<VirtualHost xxx.xxx.xxx.xxx:443>
    ServerName xxx
    ServerAlias xxx
    SSLEngine On
    SSLProxyEngine on
    ProxyRequests Off
    ProxyPreserveHost On
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel debug
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /usr/local/certificates/xxx.crt
    SSLCertificateKeyFile /usr/local/certificates/xxx.key
    SSLCertificateChainFile /usr/local/certificates/xxx.crt
    SSLVerifyClient optional_no_ca
    SSLOptions +ExportCertData
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    <Proxy *>
        AddDefaultCharset Off
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / https://xxx.xxx.xxx.xxx:8443/
    ProxyPassReverse / https://xxx.xxx.xxx.xxx:8443/
</VirtualHost>
Then here is my Tomcat SSL Connector:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" address="xxx.xxx.xxx.xxx"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="/usr/local/certificates/xxx.jks" keypass="xxx_pwd"
           clientAuth="want" sslProtocol="TLSv1" proxyName="xxx.xxx.xxx.xxx" proxyPort="443"
/>
Could there possibly be issues with SSL Renegotiation?
Could there be problems with the Truststore in our Tomcat instance? (We are using a non-standard Truststore that has partner organization CAs.)
Is there better logging for what is happening internally with Apache for SSL? Like what is happening to the client cert, or why it isn't forwarding the certificate when Tomcat asks for one?
Any reasonable assistance would be greatly appreciated.
Thank you for your time.
Apache is generating a brand new SSL session for the connection to the backend tomcat server, so the client certificate data isn't passed; the system with the cert isn't the client anymore.
If you're ok with an unencrypted connection between Apache and the Tomcat device, then using an AJP proxy connection (ProxyPass / ajp://x.x.x.x:8009/) instead of SSL, and adding an SSLOptions +ExportCertData directive in Apache, should pass the certificate data to Tomcat. There's more info on passing certificate information here.
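To confirm on the Tomcat side whether the certificate actually arrived (whichever transport is in front of it), the following servlet filter logs the client certificate chain that Tomcat exposes under the standard request attribute javax.servlet.request.X509Certificate. Tomcat populates that attribute both from its own HTTPS connector's handshake and from the SSL_CLIENT_CERT data an AJP proxy forwards, so with the mod_proxy https setup above it will log "no client cert", and after switching to AJP plus +ExportCertData it should log the subject DN. This is an added example written for this page, not code from the original question or answer; the class name ClientCertProbeFilter and the web.xml mapping in the comment are assumptions, and it targets the Servlet 2.5 API that Tomcat 6 ships.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Hypothetical probe filter (not part of the original page): logs whether a
 * client certificate reached Tomcat on each request, so the Apache->Tomcat
 * transport can be checked without guessing from Apache's debug log.
 *
 * Register it in WEB-INF/web.xml (names are assumptions):
 *   <filter><filter-name>certProbe</filter-name>
 *           <filter-class>ClientCertProbeFilter</filter-class></filter>
 *   <filter-mapping><filter-name>certProbe</filter-name>
 *                   <url-pattern>/*</url-pattern></filter-mapping>
 */
public class ClientCertProbeFilter implements Filter {
    // Servlet-spec attribute name; Tomcat sets it from the connector's own TLS
    // handshake or from the SSL_CLIENT_CERT attribute carried over AJP.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    private ServletContext context;

    public void init(FilterConfig cfg) {
        // Servlet 2.5 has no HttpServletRequest.getServletContext(), so keep it here.
        context = cfg.getServletContext();
    }

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        X509Certificate[] chainCerts = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        // With an AJP connector behind Apache, isSecure() and getRemoteAddr()
        // reflect the original client because mod_proxy_ajp forwards them.
        context.log(describe(chainCerts, req.isSecure(), http.getRemoteAddr()));
        chain.doFilter(req, res);
    }

    /** Builds one log line summarising the forwarded certificate chain, if any. */
    static String describe(X509Certificate[] certs, boolean secure, String remote) {
        if (certs == null || certs.length == 0) {
            return "no client cert (secure=" + secure + ", from " + remote + ")";
        }
        X509Certificate leaf = certs[0];
        return "client cert subject=" + leaf.getSubjectX500Principal().getName()
             + " issuer=" + leaf.getIssuerX500Principal().getName()
             + " chainLen=" + certs.length + " from " + remote;
    }
}
```

The log line appears in Tomcat's localhost log (or catalina.out, depending on logging configuration). Because the attribute is only set by the connector itself, it cannot be supplied by an end user through ordinary request headers, which is what makes it a trustworthy signal to key authorization decisions on; if it is missing, the certificate was not presented on the hop that terminated TLS at Apache or was not forwarded over the proxy link.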