Shibboleth Developers

[Ian Young <>]

I've come across a problem deploying the 1.3 IdP (today's CVS HEAD) 
which looks like an issue with getting client certificate chains through 
from Apache to tomcat.  It may be that I'm doing something stupid, or I 
may be uncovering a bug of some kind (in something, I don't know what yet).

The situation is a 1.3 IdP talking to a 1.2.1 SP.  The metadata is in 
the PKI style and contains a root CA only; from this comes a chain of 
intermediates before you get to the real certificates; the metadata 
doesn't include those.  I am reasonably sure that the SP is pushing the 
intermediates to the IdP: I have logging turned up to the max, and I can 
see plausible things going by in the Apache logs implying that it sees a 
full certificate chain.  Apache verifies the chain (this isn't 
conclusive, it may have access to some of the intermediate certificates).

The problem is that the IdP's internal verification of the same chain 
fails.  Adding some logging to the IdP indicates that it sees only the 
end client certificate, not the rest of the chain.  The intermediate 
certificates don't seem to be passed through to tomcat, in other words.

Is anyone working with a combination like this (1.3 IdP, CA hierarchy, 
IdP knows about root only, SP pushes intermediates) and can report 
success?  Or have any ideas as to what to blame?

Configuration:

        Red Hat FC3
        Apache 2.0.50
        mod_jk2 4.1.27 (always a prime suspect)
        tomcat 5.0.30
        J2SE 5

The only thing I've been able to find online in this area is the 
following, which claims to have been fixed a couple of years ago:

   http://issues.apache.org/bugzilla/show_bug.cgi?id=21371

Any pointers gratefully received.  I guess if there aren't any, I will 
try shifting away from the (now dead) mod_jk2 and see if anything changes.

        -- Ian