Albert,

On 2/22/2010 7:16 AM, Albert Tumanov wrote:
> I'm chasing a strange problem with Tomcat + SSL + APR + Firefox.
> 
> Namely, the setup works perfectly (i.e. the client certificate is sent
> and the servlet application can get it).
> But if I allow the SSL connection to time out (it happens 1 minute
> after the last request), the servlet application does not get the
> client certificate anymore.

Are you keeping an SSL connection for a long time? Or, do you mean that
if you wait for slightly longer than 1 minute after the last SSL request
to make another one, the client certificate does not get delivered to
Tomcat?

> 1) go to https://localhost:8443/ssltest, it will show the client certificate

Does the request complete successfully at this point: meaning that the
TCP/IP connection is closed and you get all the bytes you expected from
the server?

> 2) wait 1 minute
> 3) refresh browser - the application will not get the client certificate
>  (request.getAttribute("javax.servlet.request.X509Certificate") returns null)

I'm no SSL expert, but these two requests ought to be completely
independent of each other: the client certificate should always be sent.

> I have traced the SSL packets using "ssltap -sxlp 8444 localhost:8443"
> It shows that 1 minute after the last request, there will be "Read EOF
> on Server socket".

1 minute after step #1 above, or step #3?

In step #3, is the client certificate sent by the browser or not?

> After that, the problem starts occurring.
> 
> I have compared ssltap traces for Firefox and Safari.
> They look pretty similar.
> The only significant difference is that Safari seems to terminate the
> connection by sending SSL alert packet.

Terminates which connection? #1 or #3?

> In case of Firefox, it is the Tomcat server who sends the first SSL
> alert packet.

Strange...

-chris