Re: How to set SSL session timeout in Tomcat 5.5.16
On 18/03/2010 04:26, Goo Sam Kong wrote:
> Hi Mark,
>
> Will apache.org correct the Tomcat documentation or fix the code?

The docs are correct. This is already fixed in Tomcat 7 and has been proposed for Tomcat 6.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: How to set SSL session timeout in Tomcat 5.5.16
On 17/03/2010 00:49, Goo Sam Kong wrote:
> May I know how to set the SSL session timeout in Tomcat 5.5.16. I am running JDK 1.5.0 update 7 on RedHat Enterprise.

1. Upgrade to the latest 6.0.x
2. Read the docs: http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

Mark

Re: How to set SSL session timeout in Tomcat 5.5.16
Thank you very much Mark, I will try it tomorrow.

On 17 March 2010 16:40, Mark Thomas ma...@apache.org wrote:
> On 17/03/2010 00:49, Goo Sam Kong wrote:
> > May I know how to set the SSL session timeout in Tomcat 5.5.16. I am running JDK 1.5.0 update 7 on RedHat Enterprise.
>
> 1. Upgrade to the latest 6.0.x
> 2. Read the docs: http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
>
> Mark

Re: How to set SSL session timeout in Tomcat 5.5.16
Hi Mark,

Thank you for the solution, it is working for me now. I noticed there is an error in the Tomcat documentation (http://tomcat.apache.org/tomcat-6.0-doc/config/http.html): the correct attribute for session cache timeout should be sessionCacheTimeout instead of sessionTimeout in the HTTPS connector.

Thank you.

On 17 March 2010 17:32, Goo Sam Kong skgo...@gmail.com wrote:
> Thank you very much Mark, I will try it tomorrow.
>
> On 17 March 2010 16:40, Mark Thomas ma...@apache.org wrote:
> > On 17/03/2010 00:49, Goo Sam Kong wrote:
> > > May I know how to set the SSL session timeout in Tomcat 5.5.16. I am running JDK 1.5.0 update 7 on RedHat Enterprise.
> >
> > 1. Upgrade to the latest 6.0.x
> > 2. Read the docs: http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
> >
> > Mark

RE: How to set SSL session timeout in Tomcat 5.5.16
> From: Goo Sam Kong [mailto:skgo...@gmail.com]
> Subject: Re: How to set SSL session timeout in Tomcat 5.5.16
>
> I noticed there is an error in the Tomcat documentation (http://tomcat.apache.org/tomcat-6.0-doc/config/http.html): the correct attribute for session cache timeout should be sessionCacheTimeout instead of sessionTimeout in the HTTPS connector.

Actually, it looks like the code should be fixed, not the doc. The timeout value has nothing to do with the SSL session cache, and the related methods in javax.net.ssl.SSLSessionContext are all for sessionTimeout; there's no mention of a sessionCacheTimeout in that interface.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.

Re: How to set SSL session timeout in Tomcat 5.5.16
Hi Chuck,

OIC, so when will the code be fixed?

On 18 March 2010 11:07, Caldarale, Charles R chuck.caldar...@unisys.com wrote:
> > From: Goo Sam Kong [mailto:skgo...@gmail.com]
> > Subject: Re: How to set SSL session timeout in Tomcat 5.5.16
> >
> > I noticed there is an error in the Tomcat documentation (http://tomcat.apache.org/tomcat-6.0-doc/config/http.html): the correct attribute for session cache timeout should be sessionCacheTimeout instead of sessionTimeout in the HTTPS connector.
>
> Actually, it looks like the code should be fixed, not the doc. The timeout value has nothing to do with the SSL session cache, and the related methods in javax.net.ssl.SSLSessionContext are all for sessionTimeout; there's no mention of a sessionCacheTimeout in that interface.
>
>  - Chuck

RE: How to set SSL session timeout in Tomcat 5.5.16
> From: Goo Sam Kong [mailto:skgo...@gmail.com]
> Subject: Re: How to set SSL session timeout in Tomcat 5.5.16
>
> OIC, so when will the code be fixed?

No idea - I'm not a committer. It will get more attention if you file a Bugzilla entry for it:
http://issues.apache.org/bugzilla/enter_bug.cgi?product=Tomcat%206

 - Chuck

RE: How to set SSL session timeout in Tomcat 5.5.16
> From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
> Subject: RE: How to set SSL session timeout in Tomcat 5.5.16
>
> No idea - I'm not a committer. It will get more attention if you file a Bugzilla entry for it:
> http://issues.apache.org/bugzilla/enter_bug.cgi?product=Tomcat%206

In Tomcat 6.0.26, the relevant code is at lines 434 - 446 of org/apache/tomcat/util/net/jsse/JSSESocketFactory.java, and should be changed to this:

    // Read the connector's sessionTimeout attribute, else use the default
    int sessionTimeout;
    if (attributes.get("sessionTimeout") != null) {
        sessionTimeout = Integer.parseInt(
            (String)attributes.get("sessionTimeout"));
    } else {
        sessionTimeout = defaultSessionTimeout;
    }
    // Apply cache size and timeout to the server-side SSL session context
    SSLSessionContext sessionContext =
        context.getServerSessionContext();
    if (sessionContext != null) {
        sessionContext.setSessionCacheSize(sessionCacheSize);
        sessionContext.setSessionTimeout(sessionTimeout);
    }

 - Chuck

Re: How to set SSL session timeout in Tomcat 5.5.16
Hi Mark,

Will apache.org correct the Tomcat documentation or fix the code?

Thank you.

On 18 March 2010 11:16, Caldarale, Charles R chuck.caldar...@unisys.com wrote:
> > From: Goo Sam Kong [mailto:skgo...@gmail.com]
> > Subject: Re: How to set SSL session timeout in Tomcat 5.5.16
> >
> > OIC, so when will the code be fixed?
>
> No idea - I'm not a committer. It will get more attention if you file a Bugzilla entry for it:
> http://issues.apache.org/bugzilla/enter_bug.cgi?product=Tomcat%206
>
>  - Chuck

RE: How to set SSL session timeout in Tomcat 5.5.16
> From: Goo Sam Kong [mailto:skgo...@gmail.com]
> Subject: How to set SSL session timeout in Tomcat 5.5.16
>
> May I know how to set the SSL session timeout in Tomcat 5.5.16.

The session timeout value is independent of the session security, and set by the session-timeout value in the webapp's WEB-INF/web.xml file or programmatically. See the servlet spec for details.

BTW, your tomcat version is four years old - you should seriously consider moving up to a newer version that contains numerous fixes, including security-related ones.

 - Chuck

Re: How to set SSL session timeout in Tomcat 5.5.16
Hi Chuck,

I am referring to invalidating the SSL session. My application is using client certificate authentication, and the XML-RPC client is using a USB token as a keystore during the SSL session. We want to force the client to re-authenticate with my application on every XML-RPC request, to prevent the user from removing the token during the client execution. The client will run infinitely. From the client, I noticed it cached the first authenticated SSL session and reuses it for the subsequent calls...

Can I invalidate the SSL session on server side?

Thank you.

Regards,
SamKong Goo

On 17 March 2010 09:20, Caldarale, Charles R chuck.caldar...@unisys.com wrote:
> > From: Goo Sam Kong [mailto:skgo...@gmail.com]
> > Subject: How to set SSL session timeout in Tomcat 5.5.16
> >
> > May I know how to set the SSL session timeout in Tomcat 5.5.16.
>
> The session timeout value is independent of the session security, and set by the session-timeout value in the webapp's WEB-INF/web.xml file or programmatically. See the servlet spec for details.
>
> BTW, your tomcat version is four years old - you should seriously consider moving up to a newer version that contains numerous fixes, including security-related ones.
>
>  - Chuck

RE: How to set SSL session timeout in Tomcat 5.5.16
> From: Goo Sam Kong [mailto:skgo...@gmail.com]
> Subject: Re: How to set SSL session timeout in Tomcat 5.5.16
>
> Can I invalidate the SSL session on server side?

Look at the servlet API doc:
http://tomcat.apache.org/tomcat-5.5-doc/servletapi/javax/servlet/http/HttpSession.html#invalidate()

Again, whether the session was established via HTTP or HTTPS is not pertinent here.

 - Chuck

Re: How to set SSL session timeout in Tomcat 5.5.16
Hi Chuck,

I attempted that; that is the HTTP session, not the SSL session. I modified the XML-RPC client to include the code below to terminate the client's SSL session. It worked, but we preferred the server to terminate the SSL session instead.

    SSLContext.getClientSessionContext().setSessionTimeout(seconds);

Do you know how to do/configure to invalidate the SSL session?

Thank you.

Regards,
SamKong Goo

On 17 March 2010 10:30, Caldarale, Charles R chuck.caldar...@unisys.com wrote:
> > From: Goo Sam Kong [mailto:skgo...@gmail.com]
> > Subject: Re: How to set SSL session timeout in Tomcat 5.5.16
> >
> > Can I invalidate the SSL session on server side?
>
> Look at the servlet API doc:
> http://tomcat.apache.org/tomcat-5.5-doc/servletapi/javax/servlet/http/HttpSession.html#invalidate()
>
> Again, whether the session was established via HTTP or HTTPS is not pertinent here.
>
>  - Chuck

RE: How to set SSL session timeout in Tomcat 5.5.16
> From: Goo Sam Kong [mailto:skgo...@gmail.com]
> Subject: Re: How to set SSL session timeout in Tomcat 5.5.16
>
> I attempted that, that is HTTP Session not SSL session.

Depending on how your webapp is configured, you may have two HttpSession objects - one protected, and one not. Make sure you're invalidating the protected session from servlet code associated with a protected resource, not from an unprotected reference.

You could also turn off keep-alives in the HTTPS Connector (set maxKeepAliveRequests=1). Renegotiating the SSL handshake on each request might be a noticeable performance hit, however.

 - Chuck
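
Added example, not part of the thread and not Tomcat's code: the thread separates the servlet HttpSession from the JSSE SSL session, and this sketch works on the latter through the javax.net.ssl.SSLSessionContext interface named above, setting the server-side timeout and cache size and then invalidating every cached SSL session. The class name ServerSslSessionPolicy, its method names, and the 60-second / 100-entry values are assumptions chosen for illustration.

```java
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSessionContext;

// Hypothetical helper (illustration only, not Tomcat code).
public class ServerSslSessionPolicy {

    // Bound how long and how many SSL sessions the server side keeps for resumption.
    static SSLSessionContext applyPolicy(SSLContext context, int timeoutSeconds, int cacheSize) {
        SSLSessionContext sessions = context.getServerSessionContext();
        if (sessions != null) {                      // a provider may not expose one
            sessions.setSessionCacheSize(cacheSize);
            sessions.setSessionTimeout(timeoutSeconds);
        }
        return sessions;
    }

    // Invalidate every SSL session cached on the server side; returns the count.
    static int invalidateAll(SSLSessionContext sessions) {
        int dropped = 0;
        if (sessions == null) {
            return dropped;
        }
        for (byte[] id : Collections.list(sessions.getIds())) {
            SSLSession session = sessions.getSession(id);
            if (session != null) {                   // may have expired since getIds()
                session.invalidate();                // later handshakes cannot resume it
                dropped++;
            }
        }
        return dropped;
    }

    public static void main(String[] args) throws Exception {
        // Stand-alone context with default key/trust material (assumption); a real
        // server would pass the SSLContext its HTTPS listener was created from.
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, null, null);

        SSLSessionContext sessions = applyPolicy(context, 60, 100);
        if (sessions != null) {
            System.out.println("timeout=" + sessions.getSessionTimeout()
                    + "s cacheSize=" + sessions.getSessionCacheSize());
        }
        System.out.println("invalidated=" + invalidateAll(sessions));
    }
}
```

SSLSession.invalidate() only prevents future connections from resuming the session; a connection already using it continues until it is closed, which is where the keep-alive setting mentioned above comes in.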