
shibboleth-dev - RE: client certificate chains and 1.3 IdP



  • From: "Scott Cantor" <>
  • To: "'Ian Young'" <>, <>
  • Subject: RE: client certificate chains and 1.3 IdP
  • Date: Wed, 6 Jul 2005 00:15:51 -0400
  • Organization: The Ohio State University

Bug confirmed, and it's systemic. The AJP connector protocol specifically
passes a single client certificate (and JK extracts it from a specifically
named CGI header) to the Coyote connector.

There is *no* way to use the standard Java APIs to extract the entire client
chain.

So, cool. Nothing works. ;-)

Today, you can use Tomcat alone, give up some speed, and stuff all your
potential roots in a keystore. Or use Apache, and give up chains.

There's only one solution I can see that doesn't involve giving up control
over the validation step, and it's not all that attractive. We'd have to
build a simple interface between the servlets and the container for
extracting the client certs. Then we'd have to plug in an implementation
that knew how to consume the special chain headers supplied by mod_ssl,
assuming they get through to Tomcat, which I assume is true. Then again,
maybe not. If not, game over, it'll never work.

In practice, chains are dumb. The PKIX code doesn't care if the anchor is
self-signed. So you can trust the issuer directly, and I don't see why
anybody wouldn't be able to live with that. But fixing it doesn't really
seem possible in any other way.

-- Scott
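The last paragraph's workaround, as an added example that is not code from this message or from Shibboleth: take the single certificate the AJP connector hands the servlet (the `javax.servlet.request.X509Certificate` attribute) and validate it with the JDK's PKIX `CertPathValidator`, using the issuing CA as the trust anchor. The anchor is deliberately not required to be self-signed, which is the point Scott makes; the revocation setting and the command-line file arguments are this example's assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.Collections;

/** Validates one client certificate against its issuer as the PKIX trust anchor. */
public final class IssuerAnchorValidator {

    /** What a servlet gets via the AJP connector: an array holding just the leaf. */
    public static X509Certificate leafFromRequestAttribute(Object attr) {
        X509Certificate[] chain = (X509Certificate[]) attr;
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("no client certificate presented");
        }
        return chain[0]; // with AJP/JK this is the only element there will ever be
    }

    /**
     * PKIX path validation starts at the anchor and never checks how the anchor
     * itself was signed, so the issuing (possibly intermediate) CA can be the
     * anchor and the rest of the chain is simply not needed.
     */
    public static PKIXCertPathValidatorResult validate(X509Certificate leaf,
                                                       X509Certificate issuerAnchor)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // The path contains only the leaf; the anchor is supplied separately.
        CertPath path = cf.generateCertPath(Collections.singletonList(leaf));
        TrustAnchor anchor = new TrustAnchor(issuerAnchor, null);
        PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
        // Assumption: CRL/OCSP checking is handled elsewhere; enabling it here
        // without configured CRLs would make every validation fail.
        params.setRevocationEnabled(false);
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) cpv.validate(path, params);
    }

    private static X509Certificate load(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Usage: java IssuerAnchorValidator client.pem issuing-ca.pem */
    public static void main(String[] args) throws Exception {
        PKIXCertPathValidatorResult r = validate(load(args[0]), load(args[1]));
        System.out.println("valid, anchored at "
                + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```

A `CertPathValidatorException` (signature mismatch, expiry, or an unrelated issuer) is the failure signal; `validate` throws rather than returning null so callers cannot overlook it.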
