Jetty / JETTY-457

The AJP connector returns client certificates as a string instead of an array of X509Certificate objects


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.1.6rc0
    • Fix Version/s: 6.1.6rc1
    • Component/s: Security and SSL


The servlet specification (at least 2.2) requires the javax.servlet.request.X509Certificate attribute (which contains the client certificates, if any) to be an array of
However, the AJP connector returns this chain of certificates as a string.

I'm attaching a patch which should correct this. There are a couple of exceptions that are badly handled in this patch, as I wasn't sure how to do it properly in the context of the rest of the code.
ClassCastException may happen during "certificates[i] = (X509Certificate)cert", but I think it's unlikely to happen since it uses an X.509 certificate factory.

I tried to use "new ByteArrayInputStream(sslCert.array())" instead of "new ByteArrayInputStream(sslCert.toString().getBytes())" when reading the certificate. However, this didn't work. (I must admit I haven't investigated this further, and I haven't read the documentation for Buffer.)

To get the chain from Apache Httpd (assuming that this is the front-end), certain options should be enabled, such as "JkOptions +ForwardSSLCertChain" (there is more on this topic in the AJP documentation).

In Tomcat, I've only managed to get the client certificate and not the full chain. A quick glance at apache-tomcat-6.0.14-src/java/org/apache/coyote/ajp/ seems to indicate that only an array of size 1 is created, which would explain this behaviour. I'm not sure if everything regarding AJP and X509Certificates happens in this class in Tomcat.

This patch for Jetty should put the full chain, if it is available. However, for a reason unknown to me, the chain is only passed to sslCert when the SSL session is initiated (after inactivity, restarting httpd or closing the browser). Using a simple test servlet that displays the array in attribute javax.servlet.request.X509Certificate, when I see a chain of two certificates and press reload (a second after), I only get to see the client certificate, but no others. This may be due to mod_jk as well.
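The conversion the report describes, written out as an added example. This is not the reporter's attached patch and not Jetty's AJP connector code; it assumes the javax.servlet 2.5 API that Jetty 6 ships, and the class and filter names (X509ChainAttribute, NormalizingFilter) are hypothetical. It turns a PEM-encoded chain string into the X509Certificate[] the servlet specification requires (CertificateFactory.generateCertificates reads every BEGIN CERTIFICATE block in the stream, in order), guards the cast the report worries about with an instanceof check rather than letting a ClassCastException escape, and refuses the request when the forwarded chain cannot be parsed so that application code never sees the raw string under the spec-defined attribute name.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical helper (not part of Jetty) for the javax.servlet.request.X509Certificate attribute. */
public final class X509ChainAttribute {

    /** Attribute name defined by the servlet specification. */
    public static final String ATTR = "javax.servlet.request.X509Certificate";

    private X509ChainAttribute() {}

    /**
     * Parse a PEM chain (one or more "-----BEGIN CERTIFICATE-----" blocks, as a front end
     * forwarding the chain over AJP would send it) into the array the specification requires.
     * Returns null when there is no certificate at all; throws when the data is malformed.
     */
    public static X509Certificate[] parseChain(String pem) throws CertificateException {
        if (pem == null || pem.trim().length() == 0) {
            return null;
        }
        // PEM is 7-bit ASCII; an explicit charset avoids platform-default surprises.
        byte[] raw = pem.getBytes(StandardCharsets.US_ASCII);
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> parsed =
            factory.generateCertificates(new ByteArrayInputStream(raw));
        if (parsed.isEmpty()) {
            return null;
        }
        X509Certificate[] chain = new X509Certificate[parsed.size()];
        int i = 0;
        for (Certificate c : parsed) {
            // The X.509 factory should only ever hand back X509Certificate instances;
            // check anyway instead of relying on an unchecked cast.
            if (!(c instanceof X509Certificate)) {
                throw new CertificateException("non-X.509 certificate in forwarded chain");
            }
            chain[i++] = (X509Certificate) c;
        }
        return chain; // chain[0] is the client certificate, followed by any issuers forwarded
    }

    /** Safe accessor for application code: the client certificate, or null if none was presented. */
    public static X509Certificate clientCertificate(HttpServletRequest request) {
        Object value = request.getAttribute(ATTR);
        if (value instanceof X509Certificate[] && ((X509Certificate[]) value).length > 0) {
            return ((X509Certificate[]) value)[0];
        }
        return null; // a String or any other type is not treated as an authenticated identity
    }

    /**
     * Hypothetical filter that normalizes a String-typed attribute (the behaviour this issue
     * reports) into the array form before any servlet reads it. Malformed input is rejected.
     */
    public static final class NormalizingFilter implements Filter {
        public void init(FilterConfig config) {}
        public void destroy() {}

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            Object value = req.getAttribute(ATTR);
            if (value instanceof String) {
                try {
                    X509Certificate[] certs = parseChain((String) value);
                    if (certs == null) {
                        req.removeAttribute(ATTR);
                    } else {
                        req.setAttribute(ATTR, certs);
                    }
                } catch (CertificateException e) {
                    // Never let an unparseable chain through under the spec attribute name.
                    req.removeAttribute(ATTR);
                    ((HttpServletResponse) res).sendError(
                        HttpServletResponse.SC_BAD_REQUEST, "malformed client certificate chain");
                    return;
                }
            } else if (value != null && !(value instanceof X509Certificate[])) {
                req.removeAttribute(ATTR); // unexpected type: drop rather than expose it
            }
            chain.doFilter(req, res);
        }
    }
}
```

The filter is a stop-gap for deployments that cannot upgrade the connector; the proper fix is in the connector itself, as the attached patch does. Whether chain[1..] is populated depends entirely on what the front end forwards (for example the JkOptions setting mentioned above), so application code should authenticate on chain[0] and treat the rest of the array as optional.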




          • Assignee: Bruno Harbulot


            • Created: