Re: SSL session resuming

2010-04-15 Thread Meandron80

Hi,

It seems that MSIE for some reason resets the connection, forcing a new SSL
session to be created. (This seems to be a TLSv1 issue as well; TLSv1.1,
available with Java7, is said to be more tolerant of that.) I don't know
whether this behavior of MSIE can be influenced.

Regards,
Matthias



Meandron80 wrote:
 
 Hi,
 
 I have a problem with Tomcat SSL session resuming using MSIE. In my
 webapp, user authentication is done using the
 org.apache.catalina.authenticator.SingleSignOn valve and a corresponding
 realm (PKI authentication). Now accessing the webapp, which uses a
 frameset that might be part of the problem, results in the following logs.
 
 *** ClientHello, TLSv1
 RandomCookie:  GMT: 1254330738 bytes = { 67, 136, 202, 169, 151, 124, 142,
 187, 135, 183, 161, 157, 81, 240, 254, 21, 180, 139, 139, 46, 32, 65, 155,
 230, 69, 24, 175, 180 }
 Session ID:  {75, 196, 142, 249, 121, 35, 217, 254, 49, 37, 92, 86, 255,
 220, 61, 188, 8, 128, 86, 203, 172, 93, 103, 185, 114, 43, 169, 80, 236,
 96, 181, 108}
 Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
 SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
 SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA,
 SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
 SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
 SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA]
 Compression Methods:  { 0 }
 ***
 %% Created:  [Session-28, SSL_RSA_WITH_RC4_128_MD5]
 *** ServerHello, TLSv1
 RandomCookie:  GMT: 1254330670 bytes = { 70, 109, 88, 141, 114, 86, 38,
 165, 172, 3, 134, 203, 86, 192, 194, 212, 222, 116, 116, 70, 224, 228,
 141, 46, 205, 21, 60, 245 }
 Session ID:  {75, 196, 145, 46, 223, 171, 82, 104, 96, 0, 209, 75, 145,
 92, 61, 143, 30, 199, 157, 239, 160, 76, 28, 177, 71, 221, 98, 117, 244,
 137, 146, 126}
 
 As you can see, the MSIE client wants to resume the SSL session, but a new
 one is created every time a new request is sent. In the logs I can also
 see entries like the following:
 
 http-8444-5, handling exception: java.net.SocketException: Connection
 reset
 %% Invalidated:  [Session-27, SSL_RSA_WITH_RC4_128_MD5]
 http-8444-5, SEND TLSv1 ALERT:  fatal, description = unexpected_message
 
 It seems the socket is closed after every request, resulting in a new SSL
 handshake.
 
 Here is my connector setup:
 
 <Connector port="8444" maxHttpHeaderSize="16384" bufferSize="16384"
    protocol="org.apache.coyote.http11.Http11Protocol"
    maxThreads="150" enableLookups="false"
    disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="true"
    sslProtocol="TLSv1"
    connectionTimeout="24"
    SSLEnabled="true" keystoreFile="someFile"
    keystorePass="somePass" keystoreType="pkcs12" truststoreFile="someFile"
    truststorePass="somePass" truststoreType="jks" />
 
 The strange thing is that everything works as expected using Firefox, i.e.
 the SSL session is resumed for subsequent requests. But I need to get it
 running on MSIE as well.
 
 Thanks for any help on that!
 
 Regards,
 Matthias
 

-- 
View this message in context: 
http://old.nabble.com/SSL-session-resuming-tp28232164p28256674.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



SSL session resuming

2010-04-13 Thread Meandron80

Hi,

I have a problem with Tomcat SSL session resuming using MSIE. In my webapp,
user authentication is done using the
org.apache.catalina.authenticator.SingleSignOn valve and a corresponding
realm (PKI authentication). Now accessing the webapp, which uses a frameset
that might be part of the problem, results in the following logs.

*** ClientHello, TLSv1
RandomCookie:  GMT: 1254330738 bytes = { 67, 136, 202, 169, 151, 124, 142,
187, 135, 183, 161, 157, 81, 240, 254, 21, 180, 139, 139, 46, 32, 65, 155,
230, 69, 24, 175, 180 }
Session ID:  {75, 196, 142, 249, 121, 35, 217, 254, 49, 37, 92, 86, 255,
220, 61, 188, 8, 128, 86, 203, 172, 93, 103, 185, 114, 43, 169, 80, 236, 96,
181, 108}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA]
Compression Methods:  { 0 }
***
%% Created:  [Session-28, SSL_RSA_WITH_RC4_128_MD5]
*** ServerHello, TLSv1
RandomCookie:  GMT: 1254330670 bytes = { 70, 109, 88, 141, 114, 86, 38, 165,
172, 3, 134, 203, 86, 192, 194, 212, 222, 116, 116, 70, 224, 228, 141, 46,
205, 21, 60, 245 }
Session ID:  {75, 196, 145, 46, 223, 171, 82, 104, 96, 0, 209, 75, 145, 92,
61, 143, 30, 199, 157, 239, 160, 76, 28, 177, 71, 221, 98, 117, 244, 137,
146, 126}

As you can see, the MSIE client wants to resume the SSL session, but a new
one is created every time a new request is sent. In the logs I can also see
entries like the following:

http-8444-5, handling exception: java.net.SocketException: Connection reset
%% Invalidated:  [Session-27, SSL_RSA_WITH_RC4_128_MD5]
http-8444-5, SEND TLSv1 ALERT:  fatal, description = unexpected_message

It seems the socket is closed after every request, resulting in a new SSL
handshake.

Here is my connector setup:

<Connector port="8444" maxHttpHeaderSize="16384" bufferSize="16384"
   protocol="org.apache.coyote.http11.Http11Protocol"
   maxThreads="150" enableLookups="false"
   disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   clientAuth="true"
   sslProtocol="TLSv1"
   connectionTimeout="24"
   SSLEnabled="true" keystoreFile="someFile"
   keystorePass="somePass"
   keystoreType="pkcs12" truststoreFile="someFile" truststorePass="somePass"
   truststoreType="jks" />

The strange thing is that everything works as expected using Firefox, i.e.
the SSL session is resumed for subsequent requests. But I need to get it
running on MSIE as well.

Thanks for any help on that!

Regards,
Matthias
-- 
View this message in context: 
http://old.nabble.com/SSL-session-resuming-tp28232164p28232164.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
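
Added example (not part of the original posts): in TLSv1 a server that resumes a session echoes the Session ID the client offered, so the javax.net.debug output quoted in this thread can be checked mechanically by comparing the two IDs of each handshake. The function names and labels below are hypothetical; the first handshake in the sample uses the Session ID lines from the post, the second is constructed.

```python
import re

# Sample javax.net.debug output. The first handshake reuses the Session ID
# lines from the post above; the second handshake is constructed for contrast.
SAMPLE = """\
*** ClientHello, TLSv1
Session ID:  {75, 196, 142, 249, 121, 35, 217, 254, 49, 37, 92, 86, 255,
220, 61, 188, 8, 128, 86, 203, 172, 93, 103, 185, 114, 43, 169, 80, 236, 96,
181, 108}
%% Created:  [Session-28, SSL_RSA_WITH_RC4_128_MD5]
*** ServerHello, TLSv1
Session ID:  {75, 196, 145, 46, 223, 171, 82, 104, 96, 0, 209, 75, 145, 92,
61, 143, 30, 199, 157, 239, 160, 76, 28, 177, 71, 221, 98, 117, 244, 137,
146, 126}
*** ClientHello, TLSv1
Session ID:  {1, 2, 3, 4}
*** ServerHello, TLSv1
Session ID:  {1, 2, 3, 4}
"""

# A hello header, then (non-greedily) everything up to its Session ID braces.
# The braces may span several lines because the mail client wrapped them.
HELLO = re.compile(
    r"\*\*\* (Client|Server)Hello, (\S+).*?Session ID:\s*\{([^}]*)\}", re.S)

def parse_hellos(log):
    """Return [(role, protocol, session_id_bytes), ...] in log order."""
    out = []
    for role, proto, body in HELLO.findall(log):
        sid = bytes(int(n) for n in re.findall(r"\d+", body))
        out.append((role, proto, sid))
    return out

def classify(log):
    """Pair each ClientHello with the next ServerHello and label the handshake."""
    results, offered = [], None
    for role, _proto, sid in parse_hellos(log):
        if role == "Client":
            offered = sid
        elif offered is not None:
            # Empty offer: nothing to resume. Echoed ID: resumed. Otherwise the
            # server ignored the offered session and started a full handshake.
            results.append("new" if not offered else
                           "resumed" if sid == offered else "resume_rejected")
            offered = None
    return results

if __name__ == "__main__":
    print(classify(SAMPLE))
```
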

