The AJP connector only handles the first certificate of the SSL client certificate (chain). With the attached patch, all the certificates in the chain will be handled and will be exposed as javax.security.cert.X509Certificate.
Created attachment 18333: Patch for tomcat-5.5.17
Given mod_jk's 8K total header limit I'd think that this should be an optional setting unless/until the 8K limit is removed (which as I understand it will have to wait until AJP 1.4). We've already had a customer who had to use Apache options to remove the Referer information prior to mod_jk's involvement so as to stay under the 8K barrier -- and this was without this patch.
The 8k limit for the header information is really a problem. The mod_jk patch for Bug #39636 addresses this problem by introducing a JKOption (ForwardSSLCertChain) which allows you to enable forwarding of the SSL Client Cert Chain. Additionally, if you only need client authentication for a certain virtual host / directory, only use ExportCertData (no StdEnvVars and the like).
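An added example (not from this thread and not the mod_jk or Tomcat projects' own configuration) of the httpd side of the setup the comment above describes: the first virtual host uses the broad setting that forwards every SSL variable over AJP, the second exports only the certificate data and turns on client authentication for the single location that needs it. Hostnames, file paths and the worker name ajp13 are placeholders; the JkOptions flag assumes a mod_jk build that contains the change from Bug 39636.

```apache
# Added example: httpd + mod_ssl + mod_jk forwarding the SSL client
# certificate chain to Tomcat over AJP. Hostnames, paths and the worker
# name "ajp13" are placeholders.

# Weak: +StdEnvVars exports every SSL_* variable, and mod_jk forwards them
# all in the AJP request header block. Add a certificate chain on top and
# the 8K packet limit is exceeded easily. Requiring a client certificate
# for the whole host also ships certificate data for requests that never
# use it.
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.pem
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem
    SSLVerifyClient require
    SSLOptions +StdEnvVars +ExportCertData
    JkOptions +ForwardSSLCertChain
    JkMount /* ajp13
</VirtualHost>

# Narrower: no client authentication by default, and only the location
# that needs it requires a certificate and exports only the certificate
# data (no StdEnvVars). mod_ssl then sets SSL_CLIENT_CERT and
# SSL_CLIENT_CERT_CHAIN_n, which is exactly what +ForwardSSLCertChain
# needs, and mod_jk forwards nothing else.
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.pem
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem
    SSLVerifyClient none
    JkOptions +ForwardSSLCertChain
    JkMount /* ajp13

    <Location /secure>
        SSLVerifyClient require
        SSLOptions +ExportCertData
    </Location>
</VirtualHost>
```

On the Tomcat side the web application reads the result through the standard Servlet request attribute javax.servlet.request.X509Certificate, a java.security.cert.X509Certificate[] whose first element is the client certificate; without the Tomcat patch from this bug that array holds only that one element even when httpd forwards the whole chain. Later mod_jk and Tomcat releases also made the AJP packet size configurable (the worker property max_packet_size and the AJP connector's packetSize attribute); this thread predates that and does not discuss it, but it is the other knob for the 8K problem.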
The patch has wrong formatting. I have committed the native part (#39636), but we would need the patch for both the 5.5.x and 6.x branches, as well as for the APR connector. Can you do that?
Created attachment 19793: Patch for tomcat-5.5.23
The patch is for JK and APR. I tested the JK connector, but didn't have the resources to test it on APR.
Created attachment 19794: Patch for tomcat-6.0.10
*** This bug has been marked as a duplicate of bug 37869 ***
This bug (39637) and https://issues.apache.org/bugzilla/show_bug.cgi?id=37869 are not the same issue. This one has been filed for the JK connector while #37869 has been filed for the HTTP connector.
Created attachment 23951: Updated 6.0.x patch
Updated patch. Line number changes only.
Created attachment 23952: Updated 5.5.x patch
Updates line numbers. Adds fix for Coyote AJP APR/native connector.
Thanks for the patches. The updated versions have been proposed for 5.5.x and 6.0.x. Note trunk had already been patched.
This has been applied to 6.0.x and will be included in 6.0.21 onwards.
This has been fixed in 5.5.x and will be included in 5.5.28 onwards.