Hello,

we are using the following versions:
Apache 2.0.47
mod_jk (not mod_jk2)
Tomcat 5.5.9

The SSL-Feature is backed by openssl 0.9.7c.

We configured mod_jk to send the SSL information to the tomcat engine:
JkHTTPSIndicator HTTPS
JkSESSIONIndicator SSL_SESSION_ID
JkCIPHERIndicator SSL_CIPHER
JkCERTSIndicator SSL_CLIENT_CERT

And we configured the SSL-Module of Apache to use the SSL-Cache and to hold the SSL Session for 30 Minutes.
SSLSessionCache         dbm:logs/ssl_scache
SSLSessionCacheTimeout  1800

Using the trick described in the tomcat documentation, I could activate and use the Session Tracking via the SSL Session ID, which is exactly what we wanted because that way we don't need cookies or URL-Rewriting. To manage the SSL Sessions I implemented my own SSLSessionManager-Class in my web application and all worked fine, except one little problem: The SSL Session Key seems to get lost by Apache or mod_ssl or OpenSSL!

I used a test application in my servlet engine to experiment with the "session tracking via ssl session id"-feature. That application showed me if the SSL Session ID was set, what value it has, what my own SessionManagement-Class knew about that session (when it was created, when it was used last time, how long until expiration, which attributes are managed for that session). The SessionManager was configured to hold every SSL Session for unlimited time, only to set an internal "invalid"-flag after a configured time of 30 minutes.

The test application showed that in newly started application instances (apache, tomcat) the SSL Session worked properly and the SSL Session ID was created. When reloading the test application repeatedly, that SSL Session ID kept its value. Bingo!
All that I needed.

But then...

A few minutes later the test application showed that there was *no* SSL Session ID available within the https-request any longer. When I reloaded the test application again, a new SSL Session ID was created. This happened again and again later, always far earlier than the SSLSessionCache was configured.

Then I used tomcat's web-connector and tried the same - and there the SSL Session ID worked properly and wasn't lost preemptively.

Does someone know something about problems with SSL Session IDs with Apache and mod_jk? Does someone have a solution how to remove that problem?

Thank you in advance,

Oliver Schoenwald
University of Hagen, Germany
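
Added diagnostic example, not part of the original message: one way to measure on the Apache side how long each SSL Session ID really lasts, compared with the configured SSLSessionCacheTimeout of 1800 seconds. It assumes a dedicated log with one line per request in the form "time client session-id" (for instance from a CustomLog format such as `%{%Y-%m-%dT%H:%M:%S}t %h %{SSL_SESSION_ID}x`, with "-" logged when no ID is set); the log lines and the function name are constructed for illustration.

```python
from datetime import datetime

CACHE_TIMEOUT = 1800  # seconds; the SSLSessionCacheTimeout value from the post

# Constructed sample log. Assumed line format: "<ISO time> <client> <SSL session ID or ->"
SAMPLE_LOG = """\
2005-06-01T10:00:00 192.0.2.10 A1B2C3
2005-06-01T10:00:05 192.0.2.20 778899
2005-06-01T10:01:30 192.0.2.10 A1B2C3
2005-06-01T10:04:10 192.0.2.10 -
2005-06-01T10:04:15 192.0.2.10 D4E5F6
2005-06-01T10:20:00 192.0.2.10 D4E5F6
2005-06-01T10:29:00 192.0.2.20 778899
2005-06-01T10:55:00 192.0.2.10 0A0B0C
"""


def find_early_losses(log_text, timeout=CACHE_TIMEOUT):
    """Return (client, lost_id, age_seconds, next_value) for every session ID
    that a client stopped presenting before `timeout` seconds had passed."""
    current = {}   # client -> (session_id, time this value was first seen)
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        when, client, sid = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        prev = current.get(client)
        if prev is not None and prev[0] == sid:
            continue  # same ID as on the previous request: session was resumed
        if prev is not None and prev[0] != "-":
            # First sighting in the log approximates the session's creation time.
            age = int((when - prev[1]).total_seconds())
            if age < timeout:
                findings.append((client, prev[0], age, sid))
        current[client] = (sid, when)
    return findings


if __name__ == "__main__":
    for client, lost, age, nxt in find_early_losses(SAMPLE_LOG):
        print(f"{client}: session {lost} gone after {age}s "
              f"(timeout {CACHE_TIMEOUT}s), next value: {nxt}")
```

If the ID changes early in this log as well, the loss happens in Apache/mod_ssl before mod_jk forwards anything; if it stays stable here while the servlet sees it vanish, the forwarding step is the place to look.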

