Hi Steffen
You didn't specify your Tomcat version. In Tomcat 7 or 8 or 9 we use the
following code. Not sure if it will work on 6. For a long time until very
recently we were stuck on 5.5 and the attribute below is not available. So I
had to write a reflection introspection to drill down to the SSLSessionManager
held by the Tomcat objects under the server request.
Keep in mind the client cert implementation on the browsers is not uniform in
behavior (in respect of resetting a session and letting the user choose another
cert on relogin). We support FF, Chrome and IE and by far so far IE has been
the most consistent. Later releases of Chrome cache the smartcard connection
and resubmit the same cert on reconnect and nothing you can do on the server
can change this (as far as I know). The JS-side crypto support (to reset the
state) is poor, FF-specific and unreliable. Firefox has its own set of issues.
George
[1]
import java.lang.reflect.Method;

// Invalidate the SSL session (org.apache.tomcat.util.net.SSLSessionManager).
// This fragment sits inside a method returning boolean; httpRequest is the
// current HttpServletRequest and log is the usual logger.
Method invalidateSessionMethod = null;
Object mgr = httpRequest.getAttribute("javax.servlet.request.ssl_session_mgr");
if (mgr != null) {
    try {
        // getMethod() never returns null: it throws NoSuchMethodException
        // when the method is absent, so the failure lands in the catch block.
        invalidateSessionMethod = mgr.getClass().getMethod("invalidateSession");
        invalidateSessionMethod.setAccessible(true);
    } catch (Throwable t) {
        log.error("Failed to reset SSL session: " + t.getMessage(), t);
    }
    // Invalidate the session (only if the method lookup above succeeded,
    // otherwise invoke() would throw a NullPointerException)
    if (invalidateSessionMethod != null) {
        try {
            invalidateSessionMethod.invoke(mgr);
            log.trace("SSL session reset successfully");
            return true;
        } catch (Throwable t) {
            log.error("Failed to reset SSL session: invalidateSession() threw exception: "
                    + t.getMessage(), t);
        }
    }
}
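For Tomcat 7/8/9, where the SSLSessionManager interface is on the classpath at compile time, the reflection can be replaced by a plain cast. The following logout servlet is an added example, not George's code or Tomcat's own; it assumes the javax.servlet API and the tomcat-coyote jar are available to the compiler, and the servlet name and /logout path are made up for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.tomcat.util.net.SSLSessionManager;

// Hypothetical logout servlet (added example) for Tomcat 7/8/9. It drops the
// application session first, then asks the connector to invalidate the TLS
// session so the browser's next connection needs a full handshake.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    // Tomcat exposes its SSLSessionManager under this request attribute;
    // it is null on a plain HTTP connector and on versions that lack it.
    private static final String SSL_SESSION_MGR =
            "javax.servlet.request.ssl_session_mgr";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Invalidate the application session regardless of whether the
        //    TLS reset below succeeds, so logout never silently fails.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Invalidate the server-side TLS session (Tomcat 7+ only).
        boolean tlsReset = invalidateTlsSession(req);

        // 3. Close this keep-alive connection so further requests cannot ride
        //    on the socket that was already authenticated with the old cert.
        resp.setHeader("Connection", "close");
        resp.setContentType("text/plain");
        resp.getWriter().println(tlsReset
                ? "Logged out; TLS session invalidated."
                : "Logged out; no SSLSessionManager on this connector.");
    }

    // Returns true when Tomcat supplied an SSLSessionManager and it was invalidated.
    static boolean invalidateTlsSession(HttpServletRequest req) {
        Object mgr = req.getAttribute(SSL_SESSION_MGR);
        if (!(mgr instanceof SSLSessionManager)) {
            return false;   // HTTP connector, or an older Tomcat such as 5.5
        }
        ((SSLSessionManager) mgr).invalidateSession();
        return true;
    }
}
```

As George notes, this only clears the server side: a browser that caches the smartcard cert will still present it on the next handshake.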
-----Original Message-----
From: Steffen Heil (Mailinglisten) [mailto:[email protected]]
Sent: Friday, June 26, 2015 2:43 AM
To: Tomcat Users List
Subject: Forcing SSL Renegotiation
Hi
My tomcat installation offers pages through https only. So when accessing these
pages, an ssl connection is established.
Later on, a user may decide to "log in", hence hitting a page, that requires
client certificates, and the browser pops up a selection dialog for a
certificate.
Once chosen, the server recognizes the user by its certificate, and everything
is fine.
So far, so good.
Now I have 2 problems:
1. When clicking "logout" in the application, the server terminates its
internal session for that user, but the ssl connection is not terminated.
That means, as soon as anyone clicks login again, the old certificate is reused.
So the user cannot log in using another certificate.
2. The second problem with that is, that if the certificate was on a smartcard
and that card was removed, that cannot be detected.
Is there any way to tell tomcat to tell the browser to drop the tls session
state and "restart"?
Regards,
Steffen