Hi Steffen

You didn't specify your Tomcat version. In Tomcat 7, 8 or 9 we use the following code [1]. Not sure if it will work on 6. For a long time, until very recently, we were stuck on 5.5, and the attribute below is not available there, so I had to write a reflection-based introspection to drill down to the SSLSessionManager held by the Tomcat objects under the server request.

Keep in mind that the client cert implementation in the browsers is not uniform in behavior (with respect to resetting a session and letting the user choose another cert on relogin). We support FF, Chrome and IE, and by far, so far, IE has been the most consistent. Later releases of Chrome cache the smartcard connection and resubmit the same cert on reconnect, and nothing you can do on the server can change this (as far as I know). The JS-side crypto support (to reset the state) is poor, FF-specific and unreliable. Firefox has its own set of issues.

George

[1]

    // Invalidate the SSL session (org.apache.tomcat.util.net.SSLSessionManager).
    // Needs: import java.lang.reflect.Method;
    // Assumes this fragment sits in a method returning boolean.
    Method invalidateSessionMethod = null;
    Object mgr = httpRequest.getAttribute("javax.servlet.request.ssl_session_mgr");
    if (mgr != null) {
        try {
            // getMethod() never returns null; if the method is missing it throws
            // NoSuchMethodException, which the catch below handles
            invalidateSessionMethod = mgr.getClass().getMethod("invalidateSession");
            invalidateSessionMethod.setAccessible(true);
        } catch (Throwable t) {
            log.error("Failed to reset SSL session: " + t.getMessage(), t);
            return false; // nothing to invoke
        }
        // Invalidate the session
        try {
            invalidateSessionMethod.invoke(mgr);
            log.trace("SSL session reset successfully");
            return true;
        } catch (Throwable t) {
            log.error("Failed to reset SSL session: invalidateSession() threw exception: " + t.getMessage(), t);
        }
    }
    return false;

-----Original Message-----
From: Steffen Heil (Mailinglisten) [mailto:li...@steffen-heil.de]
Sent: Friday, June 26, 2015 2:43 AM
To: Tomcat Users List
Subject: Forcing SSL Renegotiation

Hi

My Tomcat installation offers pages through https only. So when accessing these pages, an SSL connection is established. Later on, a user may decide to "log in", hence hitting a page that requires client certificates, and the browser pops up a selection dialog for a certificate. Once chosen, the server recognizes the user by its certificate, and everything is fine.

So far, so good. Now I have 2 problems:

1. When clicking "logout" in the application, the server terminates its internal session for that user, but the SSL connection is not terminated. That means, as soon as anyone clicks login again, the old certificate is reused. So the user cannot log in using another certificate.

2. The second problem with that is that if the certificate was on a smartcard and that card was removed, that cannot be detected.

Is there any way to tell Tomcat to tell the browser to drop the TLS session state and "restart"?

Regards,
Steffen
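A logout servlet for Tomcat 7 and later that does what George's reflection snippet does, but through Tomcat's own SSLSessionManager interface; this is an added example, not code from the thread. It assumes tomcat-coyote is visible to the webapp (it is, from Tomcat's lib directory), that the request arrived over a Tomcat HTTPS connector that sets the attribute named in George's post, and the servlet path /logout is a made-up choice.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.tomcat.util.net.SSLSessionManager;

// Added example, not from the thread. Servlet path is an assumption.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    // Attribute name as given in George's reply; Tomcat's HTTPS connectors
    // place their SSLSessionManager here.
    static final String SSL_SESSION_MGR_ATTR = "javax.servlet.request.ssl_session_mgr";

    /**
     * Removes the current TLS session from Tomcat's session cache so that a
     * later handshake cannot resume it (and carry the old client cert along).
     * Returns false when the request did not come through a Tomcat TLS connector.
     */
    static boolean invalidateSslSession(HttpServletRequest req) {
        Object mgr = req.getAttribute(SSL_SESSION_MGR_ATTR);
        if (!(mgr instanceof SSLSessionManager)) {
            return false;
        }
        ((SSLSessionManager) mgr).invalidateSession();
        return true;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Application session: forget the authenticated user.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // 2. TLS session: drop it server-side so resumption cannot reuse the cert.
        boolean tlsReset = invalidateSslSession(req);
        // 3. The current connection still holds the old cert; asking the browser
        //    to close it forces a fresh handshake on the next request.
        resp.setHeader("Connection", "close");
        resp.setStatus(tlsReset ? HttpServletResponse.SC_NO_CONTENT
                                : HttpServletResponse.SC_OK);
    }
}
```

As George notes, this only clears the server side: a browser that caches the smartcard selection may present the same certificate again on the new connection, so the application should still re-check the identity it sees after relogin rather than assume a different user.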