Hi, Albert. I do not know how to help you, but you can help me with SSL + Tomcat. I saw you made a two-sided SSL with the default Tomcat connector, and I'd like to ask you about this: What steps have you done to make it work? If you can, please help.
Thanks.

On Mon, Feb 22, 2010 at 2:16 PM, Albert Tumanov <altum...@gmail.com> wrote:
> Dear colleagues,
>
> I'm chasing a strange problem with Tomcat + SSL + APR + Firefox.
>
> Namely, the setup works perfectly (i.e. the client certificate is sent
> and the servlet application can get it).
> But if I allow the SSL connection to time out (it happens 1 minute
> after the last request), the servlet application does not get the
> client certificate anymore.
>
> The workaround is to clear Firefox cache (Tools - Clear Recent History
> - 1 hour, Active logins).
> After this, the application will work again until the next timeout.
>
> This problem does NOT occur if I use pure Java SSL config (no APR) or
> when I use a browser other than Firefox.
>
> From that you can imply that this might be a Firefox problem, but I'm
> not so sure.
> Firefox works perfectly with all other HTTPS sites and also pure Java
> SSL config works with Firefox.
> So obviously this problem occurs because Tomcat libnative fails to
> handle some peculiarities of Firefox SSL packets.
>
> Here is my exact setup:
> - Debian 5 (Lenny)
> - libapr1 1.2.12-5+lenny1
> - openssl 0.9.8g-15+lenny6
> - Tomcat 6.0.24 with tomcat-native-1.1.19
> - server authentication certificates (newcert.pem, newkey-no-password.pem)
> - client authentication certificates (cas.crt and a personal
>   certificate signed by that)
> - a simple servlet "ssltest" to get the client cert:
>   writer.println(Arrays.deepToString((X509Certificate[])
>       request.getAttribute("javax.servlet.request.X509Certificate")));
> - Firefox 3.6
>
> The only change in server.xml is the connector conf:
>
> <Connector port="8443" SSLEnabled="true"
>     maxThreads="150" scheme="https" secure="true"
>     SSLCertificateFile="${user.home}/newcert.pem"
>     SSLCertificateKeyFile="${user.home}/newkey-no-password.pem"
>     SSLVerifyClient="require"
>     SSLVerifyDepth="2"
>     SSLCACertificateFile="${user.home}/cas.crt"
> />
>
> Now steps to reproduce:
> 1) go to https://localhost:8443/ssltest, it will show the client
>    certificate
> 2) wait 1 minute
> 3) refresh browser - the application will not get the client certificate
>    (request.getAttribute("javax.servlet.request.X509Certificate") returns
>    null)
>
> I have traced the SSL packets using "ssltap -sxlp 8444 localhost:8443"
> It shows that 1 minute after the last request, there will be "Read EOF
> on Server socket".
> After that, the problem starts occurring.
>
> I have compared ssltap traces for Firefox and Safari.
> They look pretty similar.
> The only significant difference is that Safari seems to terminate the
> connection by sending an SSL alert packet.
> In the case of Firefox, it is the Tomcat server who sends the first SSL
> alert packet.
>
> I hope somebody can shed some light on that issue :)
>
> Best Regards,
> Albert
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
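The failure mode Albert describes is that the connector completes the TLS handshake but the servlet sees a null `javax.servlet.request.X509Certificate` attribute. The following servlet filter is an added example, not code from this thread or from Tomcat: it fails closed with 403 and logs the event whenever the certificate chain is missing or empty, so the timeout problem shows up in the server log instead of silently producing an unauthenticated request. The class name, log messages and the `leafCertificate` helper are assumptions for illustration.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter (not from the thread): refuses requests whose TLS client
 *  certificate did not reach the servlet layer, instead of letting the
 *  application continue with a null attribute. */
public class RequireClientCertFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(RequireClientCertFilter.class.getName());
    // Attribute name defined by the Servlet spec; the same one Albert's test servlet reads.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Returns the leaf (client) certificate, or null when the chain is absent or empty. */
    static X509Certificate leafCertificate(ServletRequest request) {
        Object attr = request.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[])) {
            return null;
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        return chain.length == 0 ? null : chain[0];
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        X509Certificate leaf = leafCertificate(request);
        if (leaf == null) {
            // Exactly the symptom in the thread: TLS succeeded at the connector, but no
            // certificate reached the application. Fail closed and make it visible.
            LOG.warning("No client certificate on " + request.getRequestURI()
                    + " from " + request.getRemoteAddr()
                    + " (secure=" + request.isSecure() + ")");
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate required");
            return;
        }
        LOG.fine("Client cert subject=" + leaf.getSubjectX500Principal().getName()
                + " issuer=" + leaf.getIssuerX500Principal().getName());
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Map the filter to the protected URL pattern (for instance /ssltest) in web.xml; with SSLVerifyClient="require" at the connector, a 403 from this filter after the one-minute idle period is a direct indicator of the connector/browser problem described above.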