shibboleth-dev - client certificate chains and 1.3 IdP

List: Shibboleth Developers

  • From: Ian Young <>
  • To:
  • Subject: client certificate chains and 1.3 IdP
  • Date: Tue, 05 Jul 2005 22:23:19 +0100

I've come across a problem deploying the 1.3 IdP (today's CVS HEAD) which looks like an issue with getting client certificate chains through from Apache to Tomcat. It may be that I'm doing something stupid, or I may be uncovering a bug of some kind (in something, I don't know what yet).

The situation is a 1.3 IdP talking to a 1.2.1 SP. The metadata is in the PKI style and contains a root CA only; from this comes a chain of intermediates before you get to the real certificates; the metadata doesn't include those. I am reasonably sure that the SP is pushing the intermediates to the IdP: I have logging turned up to the max, and I can see plausible things going by in the Apache logs implying that it sees a full certificate chain. Apache verifies the chain (this isn't conclusive, it may have access to some of the intermediate certificates).

The problem is that the IdP's internal verification of the same chain fails. Adding some logging to the IdP indicates that it sees only the end client certificate, not the rest of the chain. The intermediate certificates don't seem to be passed through to Tomcat, in other words.

Is anyone working with a combination like this (1.3 IdP, CA hierarchy, IdP knows about root only, SP pushes intermediates) and can report success? Or have any ideas as to what to blame?

Configuration:

Red Hat FC3
Apache 2.0.50
mod_jk2 4.1.27 (always a prime suspect)
Tomcat 5.0.30
J2SE 5

The only thing I've been able to find online in this area is the following, which claims to have been fixed a couple of years ago:

http://issues.apache.org/bugzilla/show_bug.cgi?id=21371

Any pointers gratefully received. I guess if there aren't any, I will try shifting away from the (now dead) mod_jk2 and see if anything changes.

-- Ian
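As an added illustration of the failure mode the message describes (this is not part of the original post, nor Shibboleth or Apache code): a verifier whose trust store holds only the root CA cannot build a path to an end-entity certificate unless the intermediates arrive alongside it. The script below constructs a throwaway root / intermediate / client hierarchy with openssl (all subject names, file names and key sizes are hypothetical) and runs the verification both ways: leaf alone, as the IdP appears to be seeing it, and leaf plus intermediate, as the SP is believed to be sending it.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the IdP-side failure
# with a throwaway CA hierarchy. A verifier that trusts only the root cannot
# build a path to the client certificate unless the intermediate arrives
# with it. All names, files and key sizes here are hypothetical.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: CA certificates assert basicConstraints=CA:TRUE,
# the client (end-entity) certificate does not.
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
              'keyUsage=critical,keyCertSign,cRLSign' > ca.ext
printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
              'keyUsage=critical,digitalSignature' \
              'extendedKeyUsage=clientAuth' > leaf.ext

# Root CA: self-signed. This is the only certificate the metadata in the
# post carries, so it is the only trust anchor the IdP has.
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -new -key root.key -subj '/CN=Example Root CA' -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 3650 \
        -extfile ca.ext -out root.pem 2>/dev/null

# Intermediate CA: issued by the root, absent from the metadata.
openssl genrsa -out int.key 2048 2>/dev/null
openssl req -new -key int.key -subj '/CN=Example Intermediate CA' -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 1825 -extfile ca.ext -out int.pem 2>/dev/null

# Client (SP) certificate: issued by the intermediate.
openssl genrsa -out leaf.key 2048 2>/dev/null
openssl req -new -key leaf.key -subj '/CN=sp.example.org' -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 365 -extfile leaf.ext -out leaf.pem 2>/dev/null

# What the IdP appears to be doing: trust anchor = root only, input = leaf only.
# Returns non-zero: no issuer for the leaf can be found.
verify_leaf_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# What should happen when the intermediate the SP sends is passed through:
# the untrusted intermediate completes the path to the trusted root.
verify_with_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
            "$WORK/leaf.pem" >/dev/null 2>&1
}

if verify_leaf_only; then
    echo "unexpected: leaf verified without its intermediate"
else
    echo "leaf alone: fails (no path from the leaf to the trusted root)"
fi

if verify_with_intermediate; then
    echo "leaf + intermediate: verifies against the root"
else
    echo "unexpected: full chain did not verify"
fi
```

The two results mirror the two observations in the message: Apache, which has the whole chain in hand, verifies; the IdP, which only gets the leaf, does not. To confirm what Apache itself received independently of its verification result, mod_ssl's `SSLOptions +ExportCertData` exposes the client certificate as `SSL_CLIENT_CERT` and any intermediates it was sent as `SSL_CLIENT_CERT_CHAIN_n`; whether the connector then carries those through to the servlet container's `javax.servlet.request.X509Certificate` array, rather than just the first element, is the separate question the post raises about mod_jk2.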


