Nothing is going on.  When the smartcard is removed, nothing goes across
the wire, so how could Tomcat possibly invalidate the session? 

-----Original Message-----
On Behalf Of Mark Thomas
Sent: Wednesday, February 13, 2013 11:36 AM
To: Tomcat Users List
Subject: Re: SSL Session Caching

On 13/02/2013 18:49, Will Nordmeyer wrote:
> I have a scenario right now I need help with.
> My Tomcat is configured for SSL, client certificate authorization and 
> Certificate Revocation List checking (all outside certificates).
> We have a scenario (we've found in testing) where we do a transaction 
> in our application, then the user pulls his smart card out (client
> certificate) and a new user comes up and puts his card in.  Tomcat 
> isn't recognizing that a new certificate is in place and is allowing 
> the new user, with the new certificate to transact without validating 
> his credentials.
> It appears as if the old session is being utilized still by the client

> (windows or unix, firefox or IE) and Tomcat.  Which seems very odd.
> I would have expected the new cert would have forced a new SSL session

> to be created and tomcat to puke at an attempt to submit a transaction

> on the old session.
> Any thoughts/advice/guidance?

Use wireshark. If you provide it with your server's private key (should
be doable in a test environment) you'll be able to see exactly what is
(or isn't) going on.


To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

Reply via email to