Dear colleagues,

I'm chasing a strange problem with Tomcat + SSL + APR + Firefox.

Namely, the setup works perfectly (i.e. the client certificate is sent
and the servlet application can get it).
But if I allow the SSL connection to time out (it happens 1 minute
after the last request), the servlet application does not get the
client certificate anymore.

The workaround is to clear Firefox cache (Tools - Clear Recent History
- 1 hour, Active logins).
After this, the application will work again until the next timeout.

This problem does NOT occur if I use pure Java SSL config (no APR) or
when I use a browser other than Firefox.

From that you can imply that this might be a Firefox problem, but I'm
not so sure.
Firefox works perfectly with all other HTTPS sites and also pure Java
SSL config works with Firefox.
So obviously this problem occurs because Tomcat libnative fails to
handle some peculiarities of Firefox SSL packets.

Here is my exact setup:
- Debian 5 (Lenny)
- libapr1 1.2.12-5+lenny1
- openssl  0.9.8g-15+lenny6
- Tomcat 6.0.24 with tomcat-native-1.1.19
- server authentication certificates (newcert.pem, newkey-no-password.pem)
- client authentication certificates (cas.crt and a personal
certificate signed by that)
- a simple servlet "ssltest" to get the client cert:
      writer.println(Arrays.deepToString((X509Certificate[])
          request.getAttribute("javax.servlet.request.X509Certificate")));
- Firefox 3.6

The only change in server.xml is the connector conf:

   <Connector port="8443" SSLEnabled="true"
              maxThreads="150" scheme="https" secure="true"
              SSLCertificateFile="${user.home}/newcert.pem"
              SSLCertificateKeyFile="${user.home}/newkey-no-password.pem"
              SSLVerifyClient="require"
              SSLVerifyDepth="2"
              SSLCACertificateFile="${user.home}/cas.crt"
              />

Now steps to reproduce:
1) go to https://localhost:8443/ssltest, it will show the client certificate
2) wait 1 minute
3) refresh browser - the application will not get the client certificate
 (request.getAttribute("javax.servlet.request.X509Certificate") returns null)

I have traced the SSL packets using "ssltap -sxlp 8444 localhost:8443"
It shows that 1 minute after the last request, there will be "Read EOF
on Server socket".
After that, the problem starts occurring.

I have compared ssltap traces for Firefox and Safari.
They look pretty similar.
The only significant difference is that Safari seems to terminate the
connection by sending SSL alert packet.
In case of Firefox, it is the Tomcat server who sends the first SSL
alert packet.

I hope somebody can shed a light on that issue :)

Best Regards,
Albert
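A fail-closed version of the "ssltest" servlet, added here as an example (not Albert's code): instead of just printing the array, it refuses the request with 403 when the certificate attribute is null and logs the Tomcat-specific "javax.servlet.request.ssl_session_id" and the cipher suite, so the missing certificate can be correlated with SSL session reuse after the timeout. The class name SslTestServlet and the log format are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed name; stands in for the "ssltest" servlet described in the mail.
public class SslTestServlet extends HttpServlet {
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        // Tomcat exposes the SSL session id and cipher suite as request attributes;
        // logging them shows whether the failing request rides on a resumed session.
        Object sslSessionId = req.getAttribute("javax.servlet.request.ssl_session_id");
        Object cipherSuite = req.getAttribute("javax.servlet.request.cipher_suite");

        if (chain == null || chain.length == 0) {
            // Fail closed: SSLVerifyClient="require" on the connector is not enough
            // if the certificate never reaches the application after a session timeout.
            log("no client certificate from " + req.getRemoteAddr()
                + " ssl_session_id=" + sslSessionId + " cipher=" + cipherSuite);
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }

        X509Certificate leaf = chain[0];
        try {
            leaf.checkValidity(); // reject expired or not-yet-valid certificates
        } catch (CertificateException e) {
            log("client certificate not valid: " + e.getMessage());
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not valid");
            return;
        }

        resp.setContentType("text/plain");
        PrintWriter w = resp.getWriter();
        w.println("subject=" + leaf.getSubjectX500Principal().getName());
        w.println("issuer=" + leaf.getIssuerX500Principal().getName());
        w.println("serial=" + leaf.getSerialNumber().toString(16));
        w.println("ssl_session_id=" + sslSessionId);
    }
}
```

With this in place, step 3 of the reproduction yields a 403 and a log line carrying the session id rather than a page silently showing "null".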

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org