Albert,
On 2/22/2010 7:16 AM, Albert Tumanov wrote:
> I'm chasing a strange problem with Tomcat + SSL + APR + Firefox.
>
> Namely, the setup works perfectly (i.e. the client certificate is sent
> and the servlet application can get it).
> But if I allow the SSL connection to time out (it happens 1 minute
> after the last request), the servlet application does not get the
> client certificate anymore.

Are you keeping an SSL connection for a long time? Or, do you mean that if you wait for slightly longer than 1 minute after the last SSL request to make another one, the client certificate does not get delivered to Tomcat?

> 1) go to https://localhost:8443/ssltest, it will show the client certificate

Does the request complete successfully at this point: meaning that the TCP/IP connection is closed and you get all the bytes you expected from the server?

> 2) wait 1 minute
> 3) refresh browser - the application will not get the client certificate
> (request.getAttribute("javax.servlet.request.X509Certificate") returns null)

I'm no SSL expert, but these two requests ought to be completely independent of each other: the client certificate should always be sent.

> I have traced the SSL packets using "ssltap -sxlp 8444 localhost:8443"
> It shows that 1 minute after the last request, there will be "Read EOF
> on Server socket".

1 minute after step #1 above, or step #3? In step #3, is the client certificate sent by the browser or not?

> After that, the problem starts occurring.
>
> I have compared ssltap traces for Firefox and Safari.
> They look pretty similar.
> The only significant difference is that Safari seems to terminate the
> connection by sending SSL alert packet.

Terminates which connection? #1 or #3?

> In case of Firefox, it is the Tomcat server who sends the first SSL
> alert packet.

Strange...
-chris