Passing SSL client certificates via mod_proxy_ajp to Tomcat ...

on 16.02.2010 15:06:40 by chris.joelly


Hello,

is there a possibility to pass an SSL client certificate via mod_proxy_ajp to Tomcat, ideally the same way mod_jk did, so that Tomcat is able to extract the certificate and add it as an attribute to the request?

Thanks,

Chris



SSL redirect browsers if weak encryption to a warning page

on 16.02.2010 15:50:09 by Renato Oliveira


Dear all,

I am using Apache Server version: Apache/2.2.3 on Centos 5.4 (Test environment)
On Production Redhat 4 Server version: Apache/2.0.52

I have been looking for a way of:
1 - Prevent browsers with lower encryption to use my site, which I can do with the two directives below
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

2 - Redirect them to a warning page

<Directory "/">
    SSLRequireSSL
    SSLRequire (%{SSL_PROTOCOL} != "SSLv2" and %{SSL_CIPHER_USEKEYSIZE} >= 128) or %{REQUEST_URI} =~ m:^/errors/:
    ErrorDocument 403 /errors/403-ssl.html
</Directory>

When I use IE5 to access the site I get the following error:

Forbidden
You don't have permission to access / on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

---------------------------------------------------------------------

Apache/2.2.3 (CentOS) Server at secure01.grant.co.uk Port 443

Below is my Virtual Host:
NameVirtualHost 192.168.8.40:443

<VirtualHost 192.168.8.40:443>
    Serveradmin renato.oliveira@grant.co.uk
    DocumentRoot "/var/www/secure"
    ServerName secure01.granted.co.uk
    ErrorLog logs/secure01-error_log
    CustomLog logs/secure01.granted.co.uk-access_log common
    SSLEngine on

    <Directory "/">
        SSLRequireSSL
        SSLRequire (%{SSL_PROTOCOL} != "SSLv2" and %{SSL_CIPHER_USEKEYSIZE} >= 128) or %{REQUEST_URI} =~ m:^/errors/:
        ErrorDocument 403 "Your Browser Does not support 128 Bit Encryption"
    </Directory>

    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

    SSLCertificateFile /etc/httpd/conf/certs/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/certs/server.key
</VirtualHost>

If anyone could help me or point to the right direction, give a clue, it would be very much appreciated.
I have searched loads before posting this question here.

Thank you very much in advance

Renato

Renato Oliveira
Systems Administrator
e-mail: renato.oliveira@grant.co.uk

Tel: +44 (0)1763 260811
Fax: +44 (0)1763 262410
www.grant.co.uk

Grant Instruments (Cambridge) Ltd

Company registered in England, registration number 658133

Registered office address:
29 Station Road,
Shepreth,
CAMBS SG8 6GB
UK





Please consider the environment before printing this email

CONFIDENTIALITY: The information in this e-mail and any attachments is confidential. It is intended only for the named recipients(s). If you are not the named recipient please notify the sender immediately and do not disclose the contents to another person or take copies.

VIRUSES: The contents of this e-mail or attachment(s) may contain viruses which could damage your own computer system. Whilst Grant Instruments (Cambridge) Ltd has taken every reasonable precaution to minimise this risk, we cannot accept liability for any damage which you sustain as a result of software viruses. You should therefore carry out your own virus checks before opening the attachment(s).

OpenXML: For information about the OpenXML file format in use within Grant Instruments please visit our website http://www.grant.co.uk/Support/openxml.html


Re: SSL redirect browsers if weak encryption to a warning page

on 16.02.2010 16:03:28 by Eric Covener

On Tue, Feb 16, 2010 at 9:50 AM, Renato Oliveira wrote:
> Dear all,
>
> I am using Apache Server version: Apache/2.2.3 on Centos 5.4 (Test
> environment)
>
> On Production Redhat 4 Server version: Apache/2.0.52
>
> I have been looking for a way of:
>
> 1 - Prevent browsers with lower encryption to use my site, which I can do
> with the two directives below
>
> SSLProtocol all -SSLv2
>
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
>
> 2 - Redirect them to a warning page
>
> <Directory "/">
>     SSLRequireSSL
>     SSLRequire (%{SSL_PROTOCOL} != "SSLv2" and %{SSL_CIPHER_USEKEYSIZE} >= 128) or %{REQUEST_URI} =~ m:^/errors/:
>     ErrorDocument 403 /errors/403-ssl.html
> </Directory>
>
> When I use IE5 to access the site I get the following error:
>
> Forbidden
>
> You don't have permission to access / on this server.
>
> Additionally, a 403 Forbidden error was encountered while trying to use an
> ErrorDocument to handle the request.

Don't protect the directory with your ErrorDocuments if you know the
SSL connection is already forbidden.

-- 
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
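A configuration that follows Eric's advice, added here as an example and not taken from the thread: the key-size requirement and its ErrorDocument are scoped to the DocumentRoot instead of `<Directory "/">`, and the warning page is served from a separate directory (/var/www/errors is an assumed path) that inherits no SSLRequire, so the internal redirect to it cannot be forbidden a second time. Access control uses the Order/Allow syntax of httpd 2.0 and 2.2, the versions named in the post.

```apache
NameVirtualHost 192.168.8.40:443

<VirtualHost 192.168.8.40:443>
    ServerAdmin renato.oliveira@grant.co.uk
    DocumentRoot "/var/www/secure"
    ServerName secure01.granted.co.uk
    ErrorLog logs/secure01-error_log
    CustomLog logs/secure01.granted.co.uk-access_log common

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    SSLCertificateFile /etc/httpd/conf/certs/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/certs/server.key

    # The warning page lives outside the DocumentRoot (assumed path), and
    # there is no <Directory "/"> block any more, so the SSLRequire below
    # never applies to it.
    Alias /errors/ /var/www/errors/
    <Directory "/var/www/errors">
        Order allow,deny
        Allow from all
    </Directory>

    # Only the site content is protected. A client that negotiated a cipher
    # below 128 bits gets a 403 here, and the ErrorDocument redirect to
    # /errors/403-ssl.html is served from the unprotected directory above,
    # so the "or %{REQUEST_URI} =~ m:^/errors/:" exception is not needed.
    <Directory "/var/www/secure">
        Order allow,deny
        Allow from all
        SSLRequireSSL
        SSLRequire %{SSL_PROTOCOL} != "SSLv2" and %{SSL_CIPHER_USEKEYSIZE} >= 128
        ErrorDocument 403 /errors/403-ssl.html
    </Directory>
</VirtualHost>
```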

RE: SSL redirect browsers if weak encryption to a warning page

on 16.02.2010 17:28:07 by Renato Oliveira

Eric,

Thank you for the reply.
I am sorry I don't understand it, sorry. I don't want to protect the directory, I want to have a redirect of the 403 error to a warning page.

Do you mean for me to remove the <Directory "/"> directive?

Thank you very much

Best regards

Renato



