Hi!

I use Tomcat 6.0.44 with APR on Windows x64.
I set up SSLVerifyClient="optional" and have since then encountered the following 
problem with Firefox 39.0.03 (IE works OK):

On first access Firefox shows the client certificate selection dialog. I select 
a certificate and continue. The web application "sees" the selected certificate 
and shows a proper response page.
But on next access (I click a link) the client certificate is not visible to 
the application any more. It gets null from the method call
HttpServletRequest.getAttribute("javax.servlet.request.X509Certificate")

Google found https://bz.apache.org/bugzilla/show_bug.cgi?id=37869 (similar)
and http://grokbase.com/t/tomcat/users/102pdv412y "[Tomcat-users] Client 
certificate gone after 1 minute timeout (SSL, APR)"
(even more similar, except for me it fails on next access without a minute of 
waiting).
As suggested in the second link, clearing cache and authentication in the 
browser is a workaround that works. Kind of, as one has to select the 
certificate again and do it before every click on a link.

Strange, just now it worked fine for a few minutes.

Is this some known issue?

Without APR, using JSSE, it works fine (and did so for years).

This started after upgrading Tomcat yesterday from 6.0.35_x64 (no APR) to 
apache-tomcat-6.0.44-windows-x64.zip (with or without APR).
I start Tomcat from Eclipse, using JRE 1.6.0_45 (each 64 bit version).
 
Firefox version 39.0, today updated to 39.0.3

The Connector line from server.xml:

<Connector SSLCACertificateFile="C:/CA_list.pem"
        SSLCertificateFile="C:/key_public.pem"
        SSLCertificateKeyFile="C:/key_private.pem"
        SSLEnabled="true" SSLPassword="changeit"
        SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
        SSLVerifyClient="optional" URIEncoding="UTF-8" maxThreads="150"
        port="8443"
        protocol="org.apache.coyote.http11.Http11AprProtocol" scheme="https"
        secure="true" />


Regards,
David Balažic
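
Added example, not part of the original message and not Tomcat project code: a servlet filter that logs, for every HTTPS request, whether the container exposed a client certificate, together with the TLS session id and cipher suite, so the requests where the certificate is missing can be correlated with a changed TLS session or connection. The class name ClientCertTraceFilter is hypothetical; the session id attribute name is the Tomcat-specific one and is assumed to be populated by the connector (it is logged as null if not).

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/** Diagnostic only: traces client-certificate visibility per request. */
public class ClientCertTraceFilter implements Filter {
    private static final Logger LOG =
            Logger.getLogger(ClientCertTraceFilter.class.getName());

    public void init(FilterConfig cfg) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && req.isSecure()) {
            HttpServletRequest http = (HttpServletRequest) req;
            // Same attribute the application reads; null when no certificate
            // was presented (or none was exposed) for this request.
            X509Certificate[] certs = (X509Certificate[])
                    req.getAttribute("javax.servlet.request.X509Certificate");
            // Tomcat-specific name for the TLS session id (assumption: set by the connector).
            Object tlsSession = req.getAttribute("javax.servlet.request.ssl_session");
            Object cipher = req.getAttribute("javax.servlet.request.cipher_suite");
            String subject = (certs == null || certs.length == 0)
                    ? "<none>"
                    : certs[0].getSubjectX500Principal().getName();
            // The remote port identifies the TCP connection: a new port with the same
            // TLS session id indicates a resumed session on a new connection.
            LOG.info("uri=" + http.getRequestURI()
                    + " remote=" + req.getRemoteAddr() + ":" + req.getRemotePort()
                    + " tlsSession=" + tlsSession
                    + " cipher=" + cipher
                    + " clientCert=" + subject);
        }
        // With SSLVerifyClient="optional" the application must still treat a
        // missing certificate as an unauthenticated request.
        chain.doFilter(req, res);
    }
}
```

Map the filter to /* in the web application's web.xml and compare the log lines of the first (working) request with those of the following one.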
