On 13/02/2013 18:49, Will Nordmeyer wrote:
> I have a scenario right now I need help with.
> My Tomcat is configured for SSL, client certificate authorization and
> Certificate Revocation List checking (all outside certificates).
> We have a scenario (we've found in testing) where we do a transaction
> in our application, then the user pulls his smart card out (client
> certificate) and a new user comes up and puts his card in.  Tomcat
> isn't recognizing that a new certificate is in place and is allowing
> the new user, with the new certificate to transact without validating
> his credentials.
> It appears as if the old session is being utilized still by the client
> (windows or unix, firefox or IE) and Tomcat.  Which seems very odd.
> I would have expected the new cert would have forced a new SSL session
> to be created and tomcat to puke at an attempt to submit a transaction
> on the old session.
> Any thoughts/advice/guidance?

Use wireshark. If you provide it with your server's private key (should
be doable in a test environment) you'll be able to see exactly what is
(or isn't) going on.


To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to