
Mailing List Archive: Apache: Users

Possible to add edited version of SSL_CLIENT_CERT variable to request header?

 

 



ohaya at cox

Apr 4, 2012, 3:27 PM

Post #1 of 5 (317 views)
Permalink
Possible to add edited version of SSL_CLIENT_CERT variable to request header?

Hi,

I am using Apache (2.2.x) as a proxy. The Apache is enabled for 2-way/client-authenticated SSL.

In one situation (in a specific <Location> section), I need to be able to pass the PEM of the client certificate to the proxied server, with a specific HTTP header name.

I've actually been able to pass the raw PEM as an HTTP header using just the RequestHeader directive:

RequestHeader set "my_ssl_client_cert" "%{SSL_CLIENT_CERT}e"

But, that raw PEM has the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" strings before and after the actual certificate PEM.

I've been trying to figure out how to get just the certificate PEM into the HTTP header for awhile, mostly using SetEnvIfNoCase, but when I try that, I always end up with an empty string or null in the header.

Given that I seem to be able to get the PEM from the SSL_CLIENT_CERT envvar, it seems like there SHOULD be a way to get that into a request header, but I haven't been able to do that yet, and am truly stumped, so I was hoping that someone here might know how to do that?

Thanks in advance,
Jim

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd


icicimov at gmail

Apr 4, 2012, 11:04 PM

Post #2 of 5 (303 views)
Permalink
Re: Possible to add edited version of SSL_CLIENT_CERT variable to request header? [In reply to]

Those lines are part of the PEM certificate; without them the cert is not
valid. What is the problem on the backend side with this?


On Thu, Apr 5, 2012 at 8:27 AM, <ohaya [at] cox> wrote:

> Hi,
>
> I am using Apache (2.2.x) as a proxy. The Apache is enabled for
> 2-way/client-authenticated SSL.
>
> In one situation (in a specific <Location> section), I need to be able to
> pass the PEM of the client certificate to the proxied server, with a
> specific HTTP header name.
>
> I've actually been able to pass the raw PEM as an HTTP header using just
> the RequestHeader directive:
>
> RequestHeader set "my_ssl_client_cert" "%{SSL_CLIENT_CERT}e"
>
> But, that raw PEM has the "-----BEGIN CERTIFICATE-----" and "-----END
> CERTIFICATE-----" strings before and after the actual certificate PEM.
>
> I've been trying to figure out how to get just the certificate PEM into
> the HTTP header for awhile, mostly using SetEnvIfNoCase, but when I try
> that, I always end up with an empty string or null in the header.
>
> Given that I seem to be able to get the PEM from the SSL_CLIENT_CERT
> envvar, it seems like there SHOULD be a way to get that into a request
> header, but I haven't been able to do that yet, and am truly stumped, so I
> was hoping that someone here might know how to do that?
>
> Thanks in advance,
> Jim
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe [at] httpd
> For additional commands, e-mail: users-help [at] httpd
>
>


ohaya at cox

Apr 5, 2012, 6:06 AM

Post #3 of 5 (301 views)
Permalink
Re: Possible to add edited version of SSL_CLIENT_CERT variable to request header? [In reply to]

Igor,

The backend (Weblogic) won't accept/parse it. I am sure, because in one test I did, I had a RequestHeader with a canned PEM string, without them, and that worked.

Jim


---- Igor Cicimov <icicimov [at] gmail> wrote:
> Those lines are part of the PEM certificate without them the cert is not
> valid. What is the problem on the backend side with this?
>
>
> On Thu, Apr 5, 2012 at 8:27 AM, <ohaya [at] cox> wrote:
>
> > Hi,
> >
> > I am using Apache (2.2.x) as a proxy. The Apache is enabled for
> > 2-way/client-authenticated SSL.
> >
> > In one situation (in a specific <Location> section), I need to be able to
> > pass the PEM of the client certificate to the proxied server, with a
> > specific HTTP header name.
> >
> > I've actually been able to pass the raw PEM as an HTTP header using just
> > the RequestHeader directive:
> >
> > RequestHeader set "my_ssl_client_cert" "%{SSL_CLIENT_CERT}e"
> >
> > But, that raw PEM has the "-----BEGIN CERTIFICATE-----" and "-----END
> > CERTIFICATE-----" strings before and after the actual certificate PEM.
> >
> > I've been trying to figure out how to get just the certificate PEM into
> > the HTTP header for awhile, mostly using SetEnvIfNoCase, but when I try
> > that, I always end up with an empty string or null in the header.
> >
> > Given that I seem to be able to get the PEM from the SSL_CLIENT_CERT
> > envvar, it seems like there SHOULD be a way to get that into a request
> > header, but I haven't been able to do that yet, and am truly stumped, so I
> > was hoping that someone here might know how to do that?
> >
> > Thanks in advance,
> > Jim
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe [at] httpd
> > For additional commands, e-mail: users-help [at] httpd
> >
> >




kbobb at deloitte

Apr 5, 2012, 1:22 PM

Post #4 of 5 (301 views)
Permalink
RE: Possible to add edited version of SSL_CLIENT_CERT variable to request header? [In reply to]

Igor,
Just out of curiosity. Are you using other .pem files in other <location> blocks?

-----Original Message-----
From: ohaya [at] cox [mailto:ohaya [at] cox]
Sent: Thursday, April 05, 2012 9:07 AM
To: users [at] httpd
Cc: Igor Cicimov
Subject: Re: [users [at] http] Possible to add edited version of SSL_CLIENT_CERT variable to request header?

Igor,

The backend (Weblogic) won't accept/parse it. I am sure, because in one test I did, I had a RequestHeader with a canned PEM string, without them, and that worked.

Jim


---- Igor Cicimov <icicimov [at] gmail> wrote:
> Those lines are part of the PEM certificate without them the cert is not
> valid. What is the problem on the backend side with this?
>
>
> On Thu, Apr 5, 2012 at 8:27 AM, <ohaya [at] cox> wrote:
>
> > Hi,
> >
> > I am using Apache (2.2.x) as a proxy. The Apache is enabled for
> > 2-way/client-authenticated SSL.
> >
> > In one situation (in a specific <Location> section), I need to be able to
> > pass the PEM of the client certificate to the proxied server, with a
> > specific HTTP header name.
> >
> > I've actually been able to pass the raw PEM as an HTTP header using just
> > the RequestHeader directive:
> >
> > RequestHeader set "my_ssl_client_cert" "%{SSL_CLIENT_CERT}e"
> >
> > But, that raw PEM has the "-----BEGIN CERTIFICATE-----" and "-----END
> > CERTIFICATE-----" strings before and after the actual certificate PEM.
> >
> > I've been trying to figure out how to get just the certificate PEM into
> > the HTTP header for awhile, mostly using SetEnvIfNoCase, but when I try
> > that, I always end up with an empty string or null in the header.
> >
> > Given that I seem to be able to get the PEM from the SSL_CLIENT_CERT
> > envvar, it seems like there SHOULD be a way to get that into a request
> > header, but I haven't been able to do that yet, and am truly stumped, so I
> > was hoping that someone here might know how to do that?
> >
> > Thanks in advance,
> > Jim
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe [at] httpd
> > For additional commands, e-mail: users-help [at] httpd
> >
> >




ohaya at cox

Apr 7, 2012, 9:33 AM

Post #5 of 5 (308 views)
Permalink
Re: Possible to add edited version of SSL_CLIENT_CERT variable to request header? [In reply to]

Hi,

I noticed from the archives that there was a response/question from "Bobb, Kirth Andre" that I missed:

"Igor,
Just out of curiosity. Are you using other .pem files in other <location> blocks?"

I'm assuming that that question was actually for me (the OP)...

In answer to that: No, I don't have any PEM files in any other <Location> blocks.


Also, I wanted to give some more background for why I'm trying to do this:

WebLogic comes with its own connector/Apache module for connecting from Apache-to-WebLogic backend. It's called the "WebLogic Plugin for Apache". That plugin, when configured correctly, sends an additional header to the WebLogic server, "WL-Proxy-Client-Cert", with JUST the PEM as one big string, with no new lines and the "BEGIN" and "END" strings removed.

We normally use that plugin, but have encountered a problem where when we use that for proxying certain URLs, we get really long response times (>10 seconds). In some cases, not involving proxying 2-way SSL, when I switched from using the WebLogic Plugin to mod_proxy, those long response times go away, so I was hoping that if I could use mod_proxy in this (2-way) SSL case, to WebLogic, we could eliminate those long response times.

However, in this case now, I am trying to proxy 2-way SSL (at the 'front' of the Apache), so when I try to use mod_proxy instead of the WL Plugin, I have to try to "simulate" the headers that the WL Plugin would normally send to the WebLogic server, and in particular, that "WL-Proxy-Client-Cert" header, containing only the actual PEM string.

So, anyway, that is WHY I'm trying to do this.

Thanks,
Jim






---- ohaya [at] cox wrote:
> Igor,
>
> The backend (Weblogic) won't accept/parse it. I am sure, because in one test I did, I had a RequestHeader with a canned PEM string, without them, and that worked.
>
> Jim
>
>
> ---- Igor Cicimov <icicimov [at] gmail> wrote:
> > Those lines are part of the PEM certificate without them the cert is not
> > valid. What is the problem on the backend side with this?
> >
> >
> > On Thu, Apr 5, 2012 at 8:27 AM, <ohaya [at] cox> wrote:
> >
> > > Hi,
> > >
> > > I am using Apache (2.2.x) as a proxy. The Apache is enabled for
> > > 2-way/client-authenticated SSL.
> > >
> > > In one situation (in a specific <Location> section), I need to be able to
> > > pass the PEM of the client certificate to the proxied server, with a
> > > specific HTTP header name.
> > >
> > > I've actually been able to pass the raw PEM as an HTTP header using just
> > > the RequestHeader directive:
> > >
> > > RequestHeader set "my_ssl_client_cert" "%{SSL_CLIENT_CERT}e"
> > >
> > > But, that raw PEM has the "-----BEGIN CERTIFICATE-----" and "-----END
> > > CERTIFICATE-----" strings before and after the actual certificate PEM.
> > >
> > > I've been trying to figure out how to get just the certificate PEM into
> > > the HTTP header for awhile, mostly using SetEnvIfNoCase, but when I try
> > > that, I always end up with an empty string or null in the header.
> > >
> > > Given that I seem to be able to get the PEM from the SSL_CLIENT_CERT
> > > envvar, it seems like there SHOULD be a way to get that into a request
> > > header, but I haven't been able to do that yet, and am truly stumped, so I
> > > was hoping that someone here might know how to do that?
> > >
> > > Thanks in advance,
> > > Jim
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscribe [at] httpd
> > > For additional commands, e-mail: users-help [at] httpd
> > >
> > >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe [at] httpd
> For additional commands, e-mail: users-help [at] httpd
>
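
The header format described in post #5 (base64 body only, one line, no BEGIN/END markers), sketched as an added example that is not code from the thread, from Apache, or from the WebLogic plugin. The function names and the sample data are hypothetical, and the sample is a constructed DER-shaped blob rather than a real certificate; the validation rejects anything other than a single well-formed block before it would be placed in a header.

```python
import base64
import re
import textwrap

# Matches one PEM certificate block; the body is captured for validation.
_PEM_RE = re.compile(
    r"\s*-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----\s*",
    re.DOTALL,
)


def _der_total_length(der: bytes) -> int:
    """Return the total encoded size declared by an outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_to_header_value(pem: str) -> str:
    """Strip the BEGIN/END lines and whitespace; return one-line base64."""
    m = _PEM_RE.fullmatch(pem)
    if m is None:
        raise ValueError("expected exactly one PEM certificate block")
    body = "".join(m.group(1).split())     # drop newlines/spaces between chunks
    # validate=True rejects any non-base64 character, including a second
    # BEGIN/END marker or header-like text smuggled into the body.
    der = base64.b64decode(body, validate=True)
    if _der_total_length(der) != len(der):
        raise ValueError("DER length does not match decoded data")
    return body


# Constructed sample: a DER-shaped blob, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64))
    + "\n-----END CERTIFICATE-----\n"
)
```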

