SSL_CLIENT_CERT_CHAIN not being passed to backend server

Posted by nidkil on Server Fault See other posts from Server Fault or by nidkil
Published on 2012-07-08T21:40:38Z Indexed on 2012/07/09 3:17 UTC
Read the original article Hit count: 529

Filed under:
|

I have client certificate configured and working in Apache. I want to pass the PEM-encoded X.509 certificates of the client to the backend server.

I tried with the SSLOptions +ExportCertData. This does nothing at all, while the documentation states it should add SSL_SERVER_CERT, SSL_CLIENT_CERT and SSL_CLIENT_CERT_CHAINn (with n = 0,1,2,..) as headers. Any ideas why this option is not working?

I then tried setting the headers myself using RequestHeader. This works fine for all variables except SSL_CLIENT_CERT_CHAIN. It shows null in the header. Any ideas why the certificate chain is not being filled?

This is my first Apache configuration:

<VirtualHost 192.168.56.100:443>
    ServerName www.test.org
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www

    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

    SSLEngine on
    SSLProxyEngine on

    SSLCertificateFile     /etc/apache2/ssl/certs/www.test.org.crt
    SSLCertificateKeyFile  /etc/apache2/ssl/private/www.test.org.key
    SSLCACertificateFile   /etc/apache2/ssl/ca/ca.crt

    <Proxy *>
        AddDefaultCharset Off
        Order deny,allow
        Allow from all
    </Proxy>

    <Location /carbon>
        ProxyPass          http://www.test.org:9763/carbon
        ProxyPassReverse   http://www.test.org:9763/carbon
    </Location>

    <Location /services/GbTestProxy>
        SSLVerifyClient require
        SSLVerifyDepth  5
        SSLOptions +ExportCertData

        ProxyPass          http://www.test.org:8888/services/GbTestProxy 
        ProxyPassReverse   http://www.test.org:8888/services/GbTestProxy 
    </Location>
</VirtualHost>

This is my second Apache configuration:

<VirtualHost 192.168.56.100:443>
    ServerName www.test.org
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www

    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

    SSLEngine on
    SSLProxyEngine on

    SSLCertificateFile     /etc/apache2/ssl/certs/www.test.org.crt
    SSLCertificateKeyFile  /etc/apache2/ssl/private/www.test.org.key
    SSLCACertificateFile   /etc/apache2/ssl/ca/ca.crt

    <Proxy *>
        AddDefaultCharset Off
        Order deny,allow
        Allow from all
    </Proxy>

    <Location /carbon>
        ProxyPass          http://www.test.org:9763/carbon
        ProxyPassReverse   http://www.test.org:9763/carbon
    </Location>

    <Location /services/GbTestProxy>
        SSLVerifyClient require
        SSLVerifyDepth  5

        RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
        RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
        RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_SERVER_S_DN_CN}s"
        RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
        RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
        RequestHeader set SSL_CLIENT_CERT_CHAIN0 "%{SSL_CLIENT_CERT_CHAIN0}s"
        RequestHeader set SSL_CLIENT_CERT_CHAIN1 "%{SSL_CLIENT_CERT_CHAIN1}s"
        RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"

        ProxyPass          http://www.test.org:8888/services/GbTestProxy 
        ProxyPassReverse   http://www.test.org:8888/services/GbTestProxy 
    </Location>
</VirtualHost>

Hope someone can help.

Regards, nidkil

© Server Fault or respective owner

Related posts about apache2

Related posts about mod-ssl