
I'm trying to get the client certificate chain and root from apache to my Java backend.

This is the relevant part of my apache config:

  SSLOptions +StdEnvVars +ExportCertData
  RequestHeader set "SSL_CLIENT_CERT" "%{SSL_CLIENT_CERT}e"
  RequestHeader set "SSL_CLIENT_CERT_CHAIN_0" "%{SSL_CLIENT_CERT_CHAIN_0}e"
  RequestHeader set "SSL_CLIENT_ROOT_CERT" "%{SSL_CLIENT_ROOT_CERT}e"

I am able to get client certificate but the root and intermediate certs are null. I have verified from tcpdump that the root and intermediate certs are being sent to apache.

My apache version is 2.4.6.

I have looked at similar questions like
How to get a client certificate chain during a certificate auth with Apache?
SSL_CLIENT_CERT_CHAIN not being passed to backend server

but the answers did not fix my issue. Any ideas why they are not being passed? Thanks.

1 Answer


Answering my own question for sake of reference.

The reason the SSL_CLIENT_CERT_CHAIN_0 and SSL_CLIENT_ROOT_CERT were not being passed is because they are extracted from the certificates uploaded by the client. I assumed they would be extracted from the trust store, but looking at the httpd source code I found that they are not.

httpd calls the openssl function SSL_get_peer_cert_chain() to populate the SSL_CLIENT_CERT_CHAIN_n and SSL_CLIENT_ROOT_CERT fields. From the openssl doc, https://www.openssl.org/docs/man1.1.0/man3/SSL_get_peer_cert_chain.html , the function only returns the peer chain as sent by the peer. This was the reason the intermediate and root were passed as null, since in my case, they are obtained from the trust store and not the client.
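As an added illustration (my code, not the poster's or httpd's), this is what the Java backend has to do once it accepts that Apache forwards only what the client sent: parse the PEM from SSL_CLIENT_CERT and build the intermediates and root from the backend's own trust store with the JDK's PKIX CertPathBuilder. Class and method names are assumptions; it assumes the root is a trusted-certificate entry in a KeyStore the backend has already loaded, and that any intermediates are either supplied by the caller or also present in that KeyStore.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

public final class ClientChainBuilder {

    /** Parse the PEM forwarded in the SSL_CLIENT_CERT header. Assumes the proxy may have
     *  folded the PEM newlines into spaces; the normalisation is a no-op if it did not. */
    static X509Certificate parseForwardedPem(String header) throws GeneralSecurityException {
        String pem = header.trim().replace(' ', '\n')
                .replace("-----BEGIN\nCERTIFICATE-----", "-----BEGIN CERTIFICATE-----")
                .replace("-----END\nCERTIFICATE-----", "-----END CERTIFICATE-----");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }

    /** Build leaf -> intermediate(s) -> root from the backend's trust store, i.e. what
     *  SSL_CLIENT_CERT_CHAIN_n / SSL_CLIENT_ROOT_CERT would have held had the client sent them.
     *  Intermediates must come from knownIntermediates, or be trusted entries in trustStore
     *  (PKIX stops at the first trust anchor, so the path then ends at the intermediate). */
    static List<X509Certificate> buildChain(X509Certificate leaf, KeyStore trustStore,
                                            List<X509Certificate> knownIntermediates)
            throws GeneralSecurityException {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
        params.setRevocationEnabled(false); // assumption: revocation is checked elsewhere
        List<Certificate> pool = new ArrayList<>(knownIntermediates);
        pool.add(leaf);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(pool)));
        PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult)
                CertPathBuilder.getInstance("PKIX").build(params);
        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : result.getCertPath().getCertificates()) {
            chain.add((X509Certificate) c);   // leaf first, then intermediates
        }
        chain.add(result.getTrustAnchor().getTrustedCert()); // the root from the trust store
        return chain;
    }
}
```

If the leaf does not chain to any trusted entry, `build` throws `CertPathBuilderException`, which is the failure the backend should treat as an unauthenticated client rather than silently accepting the leaf alone.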