[OT] Re: FW: tomcat creating new ssl session id for same session
On 29.11.2019 06:59, rekha...@dell.com wrote:
> Highly Restricted - Confidential
...

Then maybe a public list, which is also archived for years in various places, is not the best communication channel?
RE: FW: tomcat creating new ssl session id for same session
Highly Restricted - Confidential

Hi Chris,

Some more details added below. Please let me know if any more details are needed.

Thanks,
Rekha MS

-----Original Message-----
From: Christopher Schultz
Sent: Thursday, November 28, 2019 7:19 PM
To: users@tomcat.apache.org
Subject: Re: FW: tomcat creating new ssl session id for same session

Rekha,

On 11/28/19 01:33, rekha...@dell.com wrote:
> Thanks for your prompt reply. Please find my response inline.

It seems you forgot to include any useful responses.

> -----Original Message-----
> From: Christopher Schultz
> Sent: Wednesday, November 27, 2019 11:15 PM
> To: users@tomcat.apache.org
> Subject: Re: FW: tomcat creating new ssl session id for same session
>
> Rekha,
>
> On 11/27/19 05:15, rekha...@dell.com wrote:
>> I am using javax.servlet.request.ssl_session_id for session
>> validation. But tomcat creating new ssl session id and user session
>> validation is failing.
>
> How are you performing the validation?
>
> Rekha MS: Ssl_session_id is used for validation.

Yes... HOW, exactly?

Rekha MS: ssl_session_id is validated with the previous ssl_session_id stored. For the same user session, the assumption is that ssl_session_id is the same for all requests. But now I am seeing ssl_session_id changing for the same user session.

> What is the order-of-events that you are observing?
>
> Rekha MS: Ssl_session_id is same for some requests and then it
> changes after some time.

That was clear from your original post. I'm asking for SPECIFICS. For example, the TLS handshake establishes an ssl_session_id and the next request seems to change the session id. Or maybe the session id changes every 30 minutes? Or after you suspend the OS on the client and come out of sleep?

Rekha MS: The TLS handshake establishes an ssl_session_id and the next request in the same user session seems to change the session id.

Please give some details or nobody will be able to help you.

> What version of Tomcat, and what kind of Connector are you using?
>
> Rekha MS: Tomcat 8.5.15, Nio connector (Http11NioProtocol to be
> specific)

That is a quite old version of Tomcat. Is there a reason you are using a 2.5-year-old version of Tomcat with published vulnerabilities and many many bug fixes?

Rekha MS: I have upgraded to version 9.0.21.

Have you read the changelog? Perhaps there are interesting things in there related to your issue.

Are you using OpenSSL or the pure-Java cryptographic provider?

Rekha MS: Java cryptographic provider.

>> Please let me know when tomcat creates new ssl session id and how by
>> mandate it to use same ssl session id for same user session
>
> TLS session ids must change periodically when certain renegotiations
> occur. This is actually a security feature. I'm not sure it is
> possible to disable it entirely.
>
> Rekha MS: what triggers these renegotiations?

If anything about the connection must change -- such as the server requesting a client certificate -- a renegotiation occurs. The session id is not required to change, but it may change. The client or the server may request renegotiation at any time for any reason. AFAIK, Tomcat does not request renegotiation unless a client certificate is requested/required for authentication and the client didn't volunteer one during the handshake.

Rekha MS: We do not have a client certificate; does this cause renegotiations to happen? This was not happening before. From which release is such request renegotiation enforced?

-chris
Re: FW: tomcat creating new ssl session id for same session
Rekha,

On 11/28/19 01:33, rekha...@dell.com wrote:
> Thanks for your prompt reply. Please find my response inline.

It seems you forgot to include any useful responses.

> -----Original Message-----
> From: Christopher Schultz
> Sent: Wednesday, November 27, 2019 11:15 PM
> To: users@tomcat.apache.org
> Subject: Re: FW: tomcat creating new ssl session id for same session
>
> Rekha,
>
> On 11/27/19 05:15, rekha...@dell.com wrote:
>> I am using javax.servlet.request.ssl_session_id for session
>> validation. But tomcat creating new ssl session id and user
>> session validation is failing.
>
> How are you performing the validation?
>
> Rekha MS: Ssl_session_id is used for validation.

Yes... HOW, exactly?

> What is the order-of-events that you are observing?
>
> Rekha MS: Ssl_session_id is same for some requests and then it
> changes after some time.

That was clear from your original post. I'm asking for SPECIFICS. For example, the TLS handshake establishes an ssl_session_id and the next request seems to change the session id. Or maybe the session id changes every 30 minutes? Or after you suspend the OS on the client and come out of sleep?

Please give some details or nobody will be able to help you.

> What version of Tomcat, and what kind of Connector are you using?
>
> Rekha MS: Tomcat 8.5.15, Nio connector (Http11NioProtocol to be
> specific)

That is a quite old version of Tomcat. Is there a reason you are using a 2.5-year-old version of Tomcat with published vulnerabilities and many many bug fixes?

Have you read the changelog? Perhaps there are interesting things in there related to your issue.

Are you using OpenSSL or the pure-Java cryptographic provider?

>> Please let me know when tomcat creates new ssl session id and how
>> by mandate it to use same ssl session id for same user session
>
> TLS session ids must change periodically when certain
> renegotiations occur. This is actually a security feature. I'm not
> sure it is possible to disable it entirely.
>
> Rekha MS: what triggers these renegotiations?

If anything about the connection must change -- such as the server requesting a client certificate -- a renegotiation occurs. The session id is not required to change, but it may change. The client or the server may request renegotiation at any time for any reason. AFAIK, Tomcat does not request renegotiation unless a client certificate is requested/required for authentication and the client didn't volunteer one during the handshake.

-chris
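As an added example (my own code, not from this thread, from Tomcat or from the original poster's application), here is a diagnostic servlet filter that collects the specifics Chris asks for above. It remembers the value of javax.servlet.request.ssl_session_id in the HttpSession and, on every request where the value differs, logs the old and new ids together with the cipher suite, key size, client address and port, whether a client certificate was presented, and whether the HttpSession is new. It logs instead of rejecting, because the thread's point is that a TLS session id is not required to stay constant for one application session. The javax.servlet.request.* attribute names are the ones defined by the Servlet specification; org.apache.tomcat.util.net.secure_protocol_version is a Tomcat-specific attribute for the negotiated protocol version and is read null-tolerantly; the class name and the LAST_TLS_ID session attribute are assumptions chosen for this example.

```java
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Diagnostic filter (example code, not from the thread or from Tomcat).
 * Records the TLS session id seen by each request in the HttpSession and logs,
 * with context, every time it differs from the one seen before. It deliberately
 * does NOT reject the request: a TLS session id may change whenever the client
 * opens a new connection, resumes a session, or renegotiates, so it is not a
 * stable identifier for an application session.
 */
@WebFilter("/*")
public class TlsSessionIdLoggingFilter implements Filter {

    private static final Logger LOG =
            Logger.getLogger(TlsSessionIdLoggingFilter.class.getName());

    // Request attributes defined by the Servlet specification for secure requests.
    static final String SSL_SESSION_ID = "javax.servlet.request.ssl_session_id";
    static final String CIPHER_SUITE   = "javax.servlet.request.cipher_suite";
    static final String KEY_SIZE       = "javax.servlet.request.key_size";
    static final String CLIENT_CERTS   = "javax.servlet.request.X509Certificate";

    // Tomcat-specific attribute with the negotiated protocol version (e.g. "TLSv1.2").
    // Assumed present on the Tomcat versions discussed; treated as optional.
    static final String TLS_PROTOCOL = "org.apache.tomcat.util.net.secure_protocol_version";

    // HttpSession attribute private to this filter; the name is an assumption.
    static final String LAST_TLS_ID =
            TlsSessionIdLoggingFilter.class.getName() + ".lastTlsSessionId";

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req.isSecure() && req instanceof HttpServletRequest) {
            inspect((HttpServletRequest) req);
        }
        chain.doFilter(req, res); // never blocks the request
    }

    /**
     * Compares the TLS session id on this request with the one remembered in
     * the HttpSession. Returns true only when an id was seen before and it has
     * changed; false on first sight, when there is no HttpSession yet, or when
     * the connector exposes no TLS session id at all.
     */
    static boolean inspect(HttpServletRequest request) {
        String tlsId = (String) request.getAttribute(SSL_SESSION_ID);
        HttpSession session = request.getSession(false);
        if (tlsId == null || session == null) {
            return false;
        }
        String previous = (String) session.getAttribute(LAST_TLS_ID);
        if (previous == null) {
            session.setAttribute(LAST_TLS_ID, tlsId);
            LOG.info(() -> "HttpSession " + session.getId()
                    + " first seen on TLS session " + tlsId);
            return false;
        }
        if (previous.equals(tlsId)) {
            return false;
        }
        session.setAttribute(LAST_TLS_ID, tlsId);
        // Everything needed to answer "when does it change?": a new remote port
        // means a brand-new TCP connection rather than renegotiation on the old one.
        LOG.warning(() -> String.format(
                "HttpSession %s: TLS session id changed %s -> %s "
                + "[%s %s key=%s client=%s:%d clientCert=%b httpSessionNew=%b]",
                session.getId(), previous, tlsId,
                request.getAttribute(TLS_PROTOCOL),
                request.getAttribute(CIPHER_SUITE),
                request.getAttribute(KEY_SIZE),
                request.getRemoteAddr(), request.getRemotePort(),
                request.getAttribute(CLIENT_CERTS) != null,
                session.isNew()));
        return true;
    }
}
```

Drop the class into the web application (it registers itself via @WebFilter on Servlet 3.0 or later, which covers Tomcat 8.5 and 9), log in, browse normally, and read the warnings: a changed id paired with a changed client port means the browser simply opened another TCP connection, which browsers do routinely, since each host gets several connections and each of those has its own TLS session. That is the common case and it is exactly why an application session cannot be tied to the TLS session id; the HttpSession cookie is what ties the requests together.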
RE: FW: tomcat creating new ssl session id for same session
Highly Restricted - Confidential

Thanks for your prompt reply. Please find my response inline.

-----Original Message-----
From: Christopher Schultz
Sent: Wednesday, November 27, 2019 11:15 PM
To: users@tomcat.apache.org
Subject: Re: FW: tomcat creating new ssl session id for same session

Rekha,

On 11/27/19 05:15, rekha...@dell.com wrote:
> I am using javax.servlet.request.ssl_session_id for session
> validation. But tomcat creating new ssl session id and user session
> validation is failing.

How are you performing the validation?

Rekha MS: Ssl_session_id is used for validation.

What is the order-of-events that you are observing?

Rekha MS: Ssl_session_id is same for some requests and then it changes after some time.

What version of Tomcat, and what kind of Connector are you using?

Rekha MS: Tomcat 8.5.15, Nio connector (Http11NioProtocol to be specific)

> Please let me know when tomcat creates new ssl session id and how by
> mandate it to use same ssl session id for same user session

TLS session ids must change periodically when certain renegotiations occur. This is actually a security feature. I'm not sure it is possible to disable it entirely.

Rekha MS: what triggers these renegotiations?

-chris
Re: FW: tomcat creating new ssl session id for same session
Rekha,

On 11/27/19 05:15, rekha...@dell.com wrote:
> I am using javax.servlet.request.ssl_session_id for session
> validation. But tomcat creating new ssl session id and user
> session validation is failing.

How are you performing the validation?

What is the order-of-events that you are observing?

What version of Tomcat, and what kind of Connector are you using?

> Please let me know when tomcat creates new ssl session id and how
> by mandate it to use same ssl session id for same user session

TLS session ids must change periodically when certain renegotiations occur. This is actually a security feature. I'm not sure it is possible to disable it entirely.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org