-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
George,
On 6/26/15 10:04 AM, George Stanchev wrote:
> You didn't specify your Tomcat version. In Tomcat 7 or 8 or 9 we
> use the following code. Not sure if it will work on 6. For a long
> time until very recently we were stuck on 5.5 and the attribute
> below is not available. So I had to write a reflection
> introspection to drill down to the SSLSessionManager held by the
> Tomcat objects under the server request.
>
> Keep in mind the client cert implementation on the browsers is not
> uniform in behavior (in respect of resetting a session and letting
> the user chose another cert on relogin). We support FF, Chrome and
> IE and by far so far IE has been the most consistent. Later
> releases of Chrome cache the smartcard connection and resubmit the
> same cert on reconnect and nothing you can do on the server can
> change this (as far as I know). The JS-side crypto support (to
> reset the state) is poor, FF-specific and unreliable. Firefox has
> it's own set of issues.
A couple of things:
1. I find it odd that Tomcat is using the javax.servlet namespace for
an implementation-specific class. I would argue this doesn't belong
under the key that's currently being used.
2. The SSLSessionManager seems to be unique to JSSE-based
implementations of TLS in Tomcat, which means that this technique
isn't going to work if you are using tcnative and OpenSSL-based crypto.
3. This code isn't going to work under a SecurityManager unless you
make arrangements to configure the privileges for your code properly.
- -chris
> // Invalidate the SSL Session
> (org.apache.tomcat.util.net.SSLSessionManager) Method
> invalidateSessionMethod = null; Object mgr =
> httpRequest.getAttribute("javax.servlet.request.ssl_session_mgr");
> if (mgr != null) { try { invalidateSessionMethod =
> mgr.getClass().getMethod("invalidateSession"); if
> (invalidateSessionMethod == null) { log.error("Failed to reset SSL
> session: Method invalidateSessionMethod =
> mgr.getClass().getMethod(\"invalidateSession\") failed to return
> method"); } invalidateSessionMethod.setAccessible(true); } catch
> (Throwable t) { log.error("Failed to reset SSL session: " +
> t.getMessage(), t); }
>
> // Invalidate the session try {
> invalidateSessionMethod.invoke(mgr); log.trace("SSL session reset
> successfully"); return true; } catch (Throwable t) {
> log.error("Failed to reset SSL session: invalidateSession() threw
> exception: " + t.getMessage(), t); }
>
> -----Original Message----- From: Steffen Heil (Mailinglisten)
> [mailto:li...@steffen-heil.de] Sent: Friday, June 26, 2015 2:43 AM
> To: Tomcat Users List Subject: Forcing SSL Renotiation
>
> Hi
>
>
> My tomcat installation offers pages through https only. So when
> accessing these pages, an ssl connection is established. Later on,
> a user may decide to "log in", hence hitting a page, that requires
> client certificates, and the browser pops up a selection dialog for
> a certificate. Once chosen, the server recognized the user by its
> certificate, and everything is fine. So far, so good.
>
> Now I have 2 problems:
>
> 1. When clicking "logout" in the application, the server terminates
> its internal session for that user, but the ssl connection is not
> terminated. That means, as soon as anyone clicks login again, the
> old certificate is reused. So the user cannot login using another
> certificate.
>
> 2. The second problem with that is, that if the certificate was on
> a smartcard and that card was removed, that cannot be detected.
>
> Is there any way to tell tomcat to tell the browser to drop the tls
> session state and "restart"?
>
>
> Regards, Steffen
>
>
> ---------------------------------------------------------------------
>
>
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJVjXhSAAoJEBzwKT+lPKRYBMYP/is27kGjYPqNxO8krxNxf9iO
0Y2BG9Qw/TJT0UKrT3jiBGo05UCJZ7stnvgybc0ZO3ImDigzOfW86c93lG6AjvXM
9XpwM/zAUvt5wHlftX/71eguhE1pqKLxFxLHcDBovmRV1rPVo2fn5+t9+rFpgX12
SIMCmZp8m9pjLYutryiWTjIwi96QduYAb/wKDFxhJGF/pibLFwUH9YxqUbScWJwe
FbhKjEC8RsfMgh3/UCEJDuRdPGjQlF/o5SInR7NNc92msYMEu2ruftKjG69BPxL4
+57hauBz1qfDtFjAAkb3oPtWrg/oLgqvCxiHifiWxmbp15q2kKWzTkZ5f8WegurB
xa1tJVWVKsosaWvTeRFJwDE2nMco1WYHXcm7kzhXbLvhjv7ElIDdinK8yWeAedL0
2nYQ6dzl41r/xRoPsaHkloxQMzzWSI8sCmETxEpa9GgzIdl+NPiflKA4chVWbJFe
YXOTbSCOS7WJ4JlE2l/tqeV6vzTshgb+z6eQWWKddKdu/pt4T+UuZt7NJMluV5/2
W05fWdIiZ4k3rDk4p+T7xbgGPv1sTwPWGtgNZt2CNq6vBhtwlHjNNQ/Faa56Cque
jomH8gkjjQg7eQ1W0f70aUaykVHkTK57oqjEFKn7o5xc4c3mN0oHmyyMlt23wq8g
mNoKnBMa0Zw9nNTvykcz
=0xVF
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
