
shibboleth-dev - RE: client certificate chains and 1.3 IdP


RE: client certificate chains and 1.3 IdP


  • From: "Scott Cantor" <>
  • To: "'Ian Young'" <>, <>
  • Subject: RE: client certificate chains and 1.3 IdP
  • Date: Wed, 6 Jul 2005 01:11:52 -0400
  • Organization: The Ohio State University

Turns out the mod_ssl "headers" are just environment variables, and by
default are not available to Tomcat.

The only way we could make this work is to use mod_jk's JkEnvVar command
like so:

JkEnvVar SSL_CLIENT_CERT unset
JkEnvVar SSL_CLIENT_CERT_CHAIN_1 unset
JkEnvVar SSL_CLIENT_CERT_CHAIN_2 unset
...
for every chain cert you wanted to support.

Then we'd have to write the code to read them and turn them into cert
objects. They come over as PEM (BEGIN/END headers and all).

This is beyond ugly.

My personal feeling is we should build a thin wrapper to use to get access
to the chain, only implement what we have now (the Java standard) and if
people really want to get chains to work, they can write a plugin to do it
using this ugly technique (or convince Tomcat's developers to fix their
code).

I'm going to sleep. PKI sucks. G'night.

-- Scott
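As an added illustration (not code from this thread or from the Shibboleth project), this is the kind of reader the message describes: it pulls the variables that the JkEnvVar lines above forward into Tomcat and turns the PEM text into certificate objects. It assumes the values are fetched with request.getAttribute, that mod_ssl numbers SSL_CLIENT_CERT_CHAIN_n from 0, that the JkEnvVar default "unset" may arrive literally when a variable is absent, and it tolerates PEM whose newlines were flattened to spaces; the chain bound of 8 is an assumed value.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.function.Function;

/** Rebuilds the client chain from the mod_ssl variables that mod_jk's JkEnvVar forwards. */
public final class ClientCertChainReader {
    private static final String BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String END = "-----END CERTIFICATE-----";
    private static final int MAX_CHAIN = 8; // assumed bound; one JkEnvVar line per index
    /** Returns leaf first, then intermediates in mod_ssl's order; empty if no cert was sent.
     *  attributes is the request attribute lookup, e.g. request::getAttribute. */
    public static List<X509Certificate> readChain(Function<String, Object> attributes)
            throws CertificateException {
        List<X509Certificate> chain = new ArrayList<>();
        String leaf = text(attributes.apply("SSL_CLIENT_CERT"));
        if (leaf.isEmpty()) {
            return chain; // no client cert, or SSL_CLIENT_CERT not exported via JkEnvVar
        }
        chain.add(parsePem(leaf));
        // mod_ssl numbers SSL_CLIENT_CERT_CHAIN_n from 0; stop at the first missing index.
        for (int i = 0; i < MAX_CHAIN; i++) {
            String pem = text(attributes.apply("SSL_CLIENT_CERT_CHAIN_" + i));
            if (pem.isEmpty()) break;
            chain.add(parsePem(pem));
        }
        return chain;
    }

    /** Null, blank, or the literal JkEnvVar default "unset" all mean "not present". */
    private static String text(Object v) {
        String s = v == null ? "" : v.toString().trim();
        return s.equals("unset") ? "" : s;
    }

    /** Parses one PEM block; tolerates newlines flattened to spaces on the env-var hop. */
    static X509Certificate parsePem(String pem) throws CertificateException {
        int start = pem.indexOf(BEGIN), end = pem.indexOf(END);
        if (start < 0 || end < start) throw new CertificateException("not a PEM certificate");
        String b64 = pem.substring(start + BEGIN.length(), end).replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(b64); // IllegalArgumentException on bad base64
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }
}
```

The list returned is whatever the client sent, not something mod_ssl has vouched for (with SSLVerifyClient optional_no_ca the variables are populated for unverifiable certificates too), so the IdP still has to path-validate the chain against its own trust anchors before acting on it.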



