Re: SSLSession invalidate

2011-09-15 Thread Henry Story
You can break TLS sessions once you have the session_id. I tried this in 
Clerezza (an apache incubator project) to see if I could get something like a 
logout functionality to work. I even tried to see if breaking a connection and 
throwing one of the exceptions that TLS defines would force the browser to ask 
the user for another certificate, but it does not work - or only quite randomly 
in most browsers.

https://github.com/bblfish/clerezza/blob/bblfish/parent/platform.security.foafssl/core/src/main/scala/org/apache/clerezza/foafssl/ssl/X509TrustManagerWrapperService.scala

I think it is a bug that they don't react properly to the defined exceptions 
being thrown. 

What does work for Firefox and I think IE (Not tested yet, please let me know) 
is the following javascript logout:

function logout(elem) {
    if (document.all == null) {
        if (window.crypto) {
            try {
                window.crypto.logout();
                return false; // Firefox ok -- no need to follow the link
            } catch (err) {
                // Safari, Opera, Chrome -- try with this session breaking
            }
        } else {
            // also try with session breaking
        }
    } else { // MSIE 6+
        document.execCommand('ClearAuthenticationCache');
        return false;
    }
    return true;
}

function login(elem) { logout(elem); }

-

Then you can just put the following html in your page

<a href="{/user/joe/control-panel}">Joe</a>|<a href="/logout" onclick="return logout();">logout</a>

I have added this to the foaf+ssl (WebID protocol) wiki
http://www.w3.org/wiki/Foaf%2Bssl/HOWTO#HOWTO_logout

Henry

On 7 Sep 2011, at 00:29, Adamus, Steven J. wrote:

 

Social Web Architect
http://bblfish.net/


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: SSLSession invalidate

2011-09-15 Thread Henry Story

On 15 Sep 2011, at 23:30, Peter wrote:

 A connection is streaming a video when you log out of its session. 
 
 What happens?

I have not tried it. I'll put up some code in Java so you can try it out soon.

 
 The browser caches img files retrieved from the same server path as the 
 application to which one then sends an ssl logout signal. A browser plugin 
 references the https uri of the image.
 
 Does the cache release the image, collected over a session that is now closed?
 
 Sent from my iPhone
 
 On Sep 15, 2011, at 1:23 AM, Henry Story henry.st...@bblfish.net wrote:
 

Re: SSLSession invalidate

2011-09-06 Thread Chema
 how can I access the SSLSession in a jsp or a servlet
 to be able to invalidate it.

Sorry, but

is there any difference between invalidating an HTTP Session and an SSLSession?




Re: SSLSession invalidate

2011-09-06 Thread baran topal
Greetings from Stockholm, this is Baran Topal.

As I was drinking my Guinness, I found your question interesting :)

Here you go:

<%
HttpSession s = request.getSession(false);
if (s != null) s.invalidate();
%>

Inform me whether this is working or not :)

Regards.

On 6 sep 2011, at 22:09, Chema demablo...@gmail.com wrote:






Re: SSLSession invalidate

2011-09-06 Thread Jürgen Jakobitsch
i should make myself clearer, i guess...

i'm trying to close an SSL connection, in case someone wants to use another 
certificate for a webpage that uses client-cert as authentication method.

i know how to close a session, thanks. what i don't know is how to invalidate an 
SSLSession. apparently there is one, i can get its id with 
request.getAttribute("javax.servlet.request.ssl_session")
and also apparently it is not enough to do session.invalidate(). why? because i 
have it in a logout.jsp that redirects to my index.jsp. now if the SSL connection 
had been invalidated, i should be asked to choose a certificate from my browser 
certs, which i'm not: after passing my logout.jsp i'm still logged in. i even have 
a request.setHeader("connection", "close") in my logout jsp, which doesn't help 
either (i have read that the header thing might be interpreted more as a 
guideline for the browser and not necessarily close all connections).

in tomcat7 there's the possibility to use SSLSessionManager to invalidate 
SSLSession, so i'm doing a wild guess, that something similar has to be possible 
with tomcat6 as well.


so the overall workflow would be

1. first hit of index.jsp
2. i'm asked to choose a browser cert
3. i log in with a browser cert
4. i hit the logout button, which makes an ajax request to logout.jsp
5. in logout.jsp i invalidate the normal HTTPSession and set the connection 
   header to close

   <= here something is missing to invalidate the SSLSession

6. in case of success of the logout-ajax request, i'm taken to index.jsp
   (now start over from point 1. again)
   only i'm not asked for a cert the second time, which is exactly what i want 
   to achieve... and before you ask: i don't want to switch to tomcat7 for this 
   but need to get it done in tomcat-6.0.32

any help really appreciated
wkr turnguard



- Original Message -
From: baran topal jazziiil...@gmail.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Tuesday, September 6, 2011 10:57:17 PM
Subject: Re: SSLSession invalidate



--
| Jürgen Jakobitsch,
| Software Developer
| Semantic Web Company GmbH
| Mariahilfer Straße 70 / Neubaugasse 1, Top 8
| A - 1070 Wien, Austria
| Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22

COMPANY INFORMATION
| http://www.semantic-web.at/

PERSONAL INFORMATION
| web   : http://www.turnguard.com
| foaf  : http://www.turnguard.com/turnguard
| skype : jakobitsch-punkt




Re: SSLSession invalidate

2011-09-06 Thread Mark Thomas
On 06/09/2011 22:42, Jürgen Jakobitsch wrote:
 apparently there is one, i can get its id with 
 request.getAttribute("javax.servlet.request.ssl_session")

That is a Tomcat bug, it should be javax.servlet.request.ssl_session_id

 in tomcat7 there's the possibility to use SSLSessionManager to invalidate 
 SSLSession, so i'm doing a
 wild guess, that something similar has to be possible with tomcat6 as well.

Your wild guess is wrong. That feature is in Tomcat 7 onwards.

Mark
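The logout step from turnguard's workflow and Mark's pointer to the Tomcat 7 SSLSessionManager, written out as one added example servlet. This is not code from the thread or from Tomcat itself. It assumes the Servlet API (javax.servlet) and, on Tomcat 7 and later, that the container exposes its SSLSessionManager under the request attribute "javax.servlet.request.ssl_session_mgr"; that attribute name is my assumption, not something the thread states. The manager is called by reflection so the same .war deploys on Tomcat 6.0.32 (attribute absent, TLS step skipped) and Tomcat 7 without a compile-time dependency on tomcat-coyote.jar.

```java
import java.io.IOException;
import java.lang.reflect.Method;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the thread or from Tomcat): a logout servlet that
 * ends the application session and, where the container exposes it, the TLS
 * session as well. Map it at /logout in web.xml.
 */
public class LogoutServlet extends HttpServlet {

    // Servlet 3.0 name of the TLS session id attribute (the name Mark gives;
    // Tomcat 6.0.32 still populates "javax.servlet.request.ssl_session").
    private static final String SSL_SESSION_ID = "javax.servlet.request.ssl_session_id";

    // ASSUMPTION: Tomcat-specific attribute carrying the SSLSessionManager.
    // Only Tomcat 7 and later set it; on Tomcat 6 it is simply absent.
    private static final String SSL_SESSION_MGR = "javax.servlet.request.ssl_session_mgr";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. End the application (HttpSession) state. This is all that the
        //    session.invalidate() in the thread's logout.jsp ever did; the TLS
        //    session in the connector's cache is untouched by it.
        HttpSession s = req.getSession(false);
        if (s != null) {
            s.invalidate();
        }

        // 2. Drop the TLS session from the server-side cache, if the container
        //    lets us. After this a resumed handshake is refused and the next
        //    request needs a full handshake with the client certificate again.
        String tlsId = (String) req.getAttribute(SSL_SESSION_ID);
        boolean tlsInvalidated = invalidateTlsSession(req.getAttribute(SSL_SESSION_MGR));
        log("logout: HTTP session ended; TLS session " + tlsId
                + (tlsInvalidated ? " invalidated" : " left in cache (no SSLSessionManager)"));

        // 3. Ask the client to close the connection so no further requests ride
        //    on the already-authenticated TCP connection, and keep the response
        //    out of caches.
        resp.setHeader("Connection", "close");
        resp.setHeader("Cache-Control", "no-store");
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    /**
     * Calls invalidateSession() on a Tomcat SSLSessionManager through reflection,
     * so this class compiles against the Servlet API alone. Returns false when
     * the attribute is missing (Tomcat 6) or the call cannot be made.
     */
    static boolean invalidateTlsSession(Object manager) {
        if (manager == null) {
            return false;
        }
        try {
            Method m = manager.getClass().getMethod("invalidateSession");
            m.invoke(manager);
            return true;
        } catch (ReflectiveOperationException e) {
            return false;
        }
    }
}
```

Verify the effect by comparing the ssl_session_id attribute on the request before and after logout rather than by whether the browser shows a certificate prompt: as Steven notes further down the thread, browsers cache the user's certificate choice and will re-present the same certificate on the new handshake without asking, so a dropped TLS session and a visible "choose certificate" dialog are two different things.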




Re: SSLSession invalidate

2011-09-06 Thread Jürgen Jakobitsch
thanks mark,

if i understand you correctly, it is simply NOT possible to invalidate
the SSLSession of which i can get the id with 
request.getAttribute("javax.servlet.request.ssl_session")
(it works with this key in 6.0.32)

wkr turnguard

- Original Message -
From: Mark Thomas ma...@apache.org
To: Tomcat Users List users@tomcat.apache.org
Sent: Wednesday, September 7, 2011 12:08:29 AM
Subject: Re: SSLSession invalidate







RE: SSLSession invalidate

2011-09-06 Thread Adamus, Steven J.
Don't assume your SSL session or connection hasn't been invalidated just 
because you aren't asked to choose a certificate from your browser certs when 
you log in again.  In our system (Tomcat 5.5.33), I know that our HTTP session 
and Single Sign-on session are invalidated upon logout, and we see similar 
behavior (no need to select certificate) upon re-login because the browser 
caches the user's certificate choice (and smart card PIN).  Is your session ID 
the same when you go back in?  

If you are using IE and you want to clear the browser cache to select another 
certificate, go to Tools > Internet Options, select the Content tab, and click Clear 
SSL state. 

-Original Message-
From: users-return-227483-STEVEN.J.ADAMUS=saic@tomcat.apache.org 
[mailto:users-return-227483-STEVEN.J.ADAMUS=saic@tomcat.apache.org] On 
Behalf Of Jürgen Jakobitsch
Sent: Tuesday, September 06, 2011 3:12 PM
To: Tomcat Users List
Subject: Re: SSLSession invalidate



