Uploaded image for project: 'JBoss Web Server'
  1. JBoss Web Server
  2. JWS-89

SSLValve should check for multiple headers

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • JWS 3.0.1 CR2
    • JWS 3.0.0 GA, JWS 3.0.1 DR1, JWS 3.0.1 CR1, JWS 3.0.1 CR2
    • tomcat7, tomcat8
    • None
    • Release Notes
    • Hide
      There was a shortcoming in `SSLValve`, in that it only looked for a single `ssl_client_cert` header, when it should also haved looked for multiple additional `ssl_client_cert` headers to account for `X-Forwarded-For` headers as well.

      This issue is resolved in this release, and `SSLValve` now correctly checks for multiple `ssl_client_cert` headers.
      Show
      There was a shortcoming in `SSLValve`, in that it only looked for a single `ssl_client_cert` header, when it should also haved looked for multiple additional `ssl_client_cert` headers to account for `X-Forwarded-For` headers as well. This issue is resolved in this release, and `SSLValve` now correctly checks for multiple `ssl_client_cert` headers.
    • Documented as Resolved Issue

      This is perhaps rather a shortcoming than a bug per se. It is present in JBossWeb delivered with EAP 6.3.0 and it has been fixed in jbossweb-7.5.4.Final delivered with EAP 6.4.0 Beta. Both Tomcat 8 and Tomcat 7 in JWS3 don't have the patch.

      Notes:

      WDYT?

        1. sslvalve.zip
          2 kB

              rmaucher Remy Maucherat
              rmarwaha@redhat.com Richa Marwaha
              Karm Karm Karm Karm
              Lucas Costi Lucas Costi (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: