Class SSLValve

java.lang.Object
All Implemented Interfaces:
MBeanRegistration, Contained, JmxEnabled, Lifecycle, Valve

public class SSLValve extends ValveBase
When using mod_proxy_http, the client SSL information is not included in the protocol (unlike mod_jk and mod_proxy_ajp). To make the client SSL information available to Tomcat, some additional configuration is required. In httpd, mod_headers is used to add the SSL information as HTTP headers. In Tomcat, this valve is used to read the information from the HTTP headers and insert it into the request.

Note: Ensure that the headers are always set by httpd for all requests to prevent a client spoofing SSL information by sending fake headers.

In httpd.conf add the following:

 <IfModule ssl_module>
   RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
   RequestHeader set SSL_SECURE_PROTOCOL "%{SSL_PROTOCOL}s"
   RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s"
   RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s"
   RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"
 </IfModule>
 
In server.xml, configure this valve under the Engine element in server.xml:
 <Engine ...>
   <Valve className="org.apache.catalina.valves.SSLValve" />
   <Host ... />
 </Engine>