> Are you keeping an SSL connection for a long time? Or, do you mean that
> if you wait for slightly longer than 1 minute after the last SSL request
> to make another one, the client certificate does not get delivered to
> Tomcat?

The latter one :)

>> 1) go to https://localhost:8443/ssltest, it will show the client certificate
>
> Does the request complete successfully at this point: meaning that the
> TCP/IP connection is closed and you get all the bytes you expected from
> the server?

I think so.

>> 2) wait 1 minute
>> 3) refresh browser - the application will not get the client certificate
>> (request.getAttribute("javax.servlet.request.X509Certificate") returns null)
>
> I'm no SSL expert, but these two requests ought to be completely
> independent of each other: the client certificate should always be sent.

There is a concept of SSL session (Resumed TLS handshake), and I think the client certificate should be cached on the server side for some time.

>> I have traced the SSL packets using "ssltap -sxlp 8444 localhost:8443"
>> It shows that 1 minute after the last request, there will be "Read EOF
>> on Server socket".
>
> 1 minute after step #1 above, or step #3?

After step #1

> In step #3, is the client certificate sent by the browser or not?

The browser only sends client certificate on step #1. And this works unless APR+Firefox is used. As I suggested, the server side should cache the cert.

>> The only significant difference is that Safari seems to terminate the
>> connection by sending SSL alert packet.
>
> Terminates which connection? #1 or #3?

#3