Hi Chris,

Some more details added below. Please let me know if any more details are needed.

Rekha MS

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Thursday, November 28, 2019 7:19 PM
To: users@tomcat.apache.org
Subject: Re: FW: tomcat creating new ssl session id for same session



On 11/28/19 01:33, rekha...@dell.com wrote:
> Thanks for your prompt reply. Please find my response inline.

It seems you forgot to include any useful responses.

> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Wednesday, November 27, 2019 11:15 PM
> To: users@tomcat.apache.org
> Subject: Re: FW: tomcat creating new ssl session id for same session
> Rekha,
> On 11/27/19 05:15, rekha...@dell.com wrote:
>> I am using javax.servlet.request.ssl_session_id for session 
>> validation. But tomcat creating new ssl session id and user session 
>> validation is failing.
> How are you performing the validation?
> Rekha MS: Ssl_session_id is used for validation.

Yes... HOW, exactly?
Rekha MS: ssl_session_id is validated against the previously stored ssl_session_id. 
For the same user session, the assumption is that ssl_session_id is the same for all requests. 
But now I am seeing ssl_session_id changing for the same user session.

> What is the order-of-events that you are observing?
> Rekha MS: ssl_session_id is the same for some requests and then it 
> changes after some time.

That was clear from your original post. I'm asking for SPECIFICS. For example, 
the TLS handshake establishes an ssl_session_id and the next request seems 
to change the session id. Or maybe the session id changes every 30 minutes? Or 
after you suspend the OS on the client and come out of sleep?
Rekha MS: The TLS handshake establishes an ssl_session_id and the next request in 
the same user session seems to change the session id.

Please give some details or nobody will be able to help you.

> What version of Tomcat, and what kind of <Connector> are you using?
> Rekha MS: Tomcat 8.5.15, NIO connector (Http11NioProtocol, to be
> specific)

That is a quite old version of Tomcat. Is there a reason you are using a 2.5-year-old 
version of Tomcat with published vulnerabilities and many, many bug fixes?
Rekha MS: I have upgraded to version 9.0.21.

Have you read the changelog? Perhaps there are interesting things in there 
related to your issue.

Are you using OpenSSL or the pure-Java cryptographic provider?
Rekha MS: Java cryptographic provider.

>> Please let me know when tomcat creates a new ssl session id and how to 
>> mandate that it use the same ssl session id for the same user session.
> TLS session ids must change periodically when certain renegotiations 
> occur. This is actually a security feature. I'm not sure it is 
> possible to disable it entirely.
> Rekha MS: what triggers these renegotiations?

If anything about the connection must change -- such as the server requesting a 
client certificate -- a renegotiation occurs. The session id is not required to 
change, but it may change.

The client or the server may request renegotiation at any time for any reason. 
AFAIK, Tomcat does not request renegotiation unless a client certificate is 
requested/required for authentication and the client didn't volunteer one 
during the handshake.
Rekha MS: We do not have a client certificate; does this cause renegotiations to 
happen? This was not happening before. From which release is such a renegotiation 
request enforced?

-chris
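A defender-side illustration of the point made above, added here and not code from the thread or from Tomcat itself: a servlet filter that reads the javax.servlet.request.ssl_session_id attribute, remembers it in the HTTP session, and logs a change instead of failing the user's session, since a new TLS session id can appear legitimately (a renegotiation, a failed resumption, or the client simply reconnecting). The class name TlsSessionIdAuditFilter and the session key audit.lastTlsSessionId are assumptions, and the code assumes the Servlet 4.0 API (Tomcat 9), whose Filter interface supplies default init/destroy methods.

```java
// Added example (not from the thread): audit TLS session id changes within an
// HTTP session rather than treating every change as a failed validation.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class TlsSessionIdAuditFilter implements Filter {
    // Request attribute name defined by the Servlet spec; Tomcat sets it per request.
    private static final String TLS_ID_ATTR = "javax.servlet.request.ssl_session_id";
    // Hypothetical session attribute used by this filter to remember the last id seen.
    private static final String STORED_KEY = "audit.lastTlsSessionId";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String currentTlsId = (String) request.getAttribute(TLS_ID_ATTR);
        // Do not create a session just to audit it; only existing sessions are tracked.
        HttpSession session = request.getSession(false);

        if (session != null && currentTlsId != null) {
            String previousTlsId = (String) session.getAttribute(STORED_KEY);
            if (previousTlsId == null) {
                // First request seen on this HTTP session: record the TLS id.
                session.setAttribute(STORED_KEY, currentTlsId);
            } else if (!previousTlsId.equals(currentTlsId)) {
                // A new TLS session (renegotiation, failed resumption, reconnect)
                // legitimately yields a new id. Log it and rebind so the user
                // session is not invalidated on this signal alone; the TLS id is
                // not a substitute for the application's own session token.
                request.getServletContext().log("TLS session id changed for HTTP session "
                        + session.getId() + ": " + previousTlsId + " -> " + currentTlsId);
                session.setAttribute(STORED_KEY, currentTlsId);
            }
        }
        chain.doFilter(req, res);
    }
}
```

Register the filter in web.xml (or with @WebFilter) for the protected paths; the log lines then show how often the id actually changes before any policy is built on it.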

