https://issues.apache.org/bugzilla/show_bug.cgi?id=48933
Summary: Client certificate gone after 1 minute timeout (SSL, APR)
Product: Tomcat 6
Version: 6.0.26
Platform: Macintosh
OS/Version: Linux
Status: NEW
Severity: major
Priority: P2
Component: Native:Integration
AssignedTo: dev@tomcat.apache.org
ReportedBy: altum...@gmail.com

I'm chasing a strange problem with Tomcat + SSL + APR + Firefox. Namely, the setup works perfectly (i.e. the client certificate is sent and the servlet application can get it). But if I allow the SSL connection to time out (it happens 1 minute after the last request), the servlet application does not get the client certificate anymore. The workaround (for the user) is to clear the Firefox cache (Tools - Clear Recent History - 1 hour, Active logins). After this, the application will work again until the next timeout.

This problem does NOT occur if I use the pure Java SSL config (no APR) or when I use a browser other than Firefox. From that you can imply that this might be a Firefox problem, but I'm not so sure. Firefox works perfectly with all other HTTPS sites and also the pure Java SSL config works with Firefox. So obviously this problem occurs because Tomcat libnative fails to handle some peculiarities of Firefox SSL packets.
Here is my exact setup:
- Debian 5 (Lenny)
- libapr1 1.2.12-5+lenny1
- openssl 0.9.8g-15+lenny6
- Tomcat 6.0.26 with tomcat-native-1.1.20
- server authentication certificates (newcert.pem, newkey-no-password.pem)
- client authentication certificates (ca.pem and a personal certificate client1.p12)
- a simple servlet "ssltest" to get the client cert:
    writer.println(Arrays.deepToString((X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate")));
- Firefox 3.6

The only change in server.xml is the connector conf:

    <Connector port="8443" SSLEnabled="true" maxThreads="150"
               scheme="https" secure="true"
               SSLCertificateFile="${user.home}/newcert.pem"
               SSLCertificateKeyFile="${user.home}/newkey-no-password.pem"
               SSLVerifyClient="require" SSLVerifyDepth="2"
               SSLCACertificateFile="${user.home}/ssl/ca.pem" />

And installed ssltest.war into webapps.

Now steps to reproduce:
1) import client1.p12 into browser
2) go to https://localhost:8443/ssltest, it will show the client certificate
3) wait 1 minute
4) refresh browser - the application will not get the client certificate (request.getAttribute("javax.servlet.request.X509Certificate") returns null)
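The reporter's ssltest servlet only prints whatever the attribute holds, so the failure shows up as the literal string "null". As an added example (this is not the reporter's servlet and not Tomcat code), the servlet below reads the same javax.servlet.request.X509Certificate attribute, and when the chain is missing it refuses the request and logs the TLS session id and cipher suite so the "after the 1 minute timeout" case can be correlated with connector logs. The attribute names javax.servlet.request.ssl_session_id (Servlet 3.0 name) and javax.servlet.request.ssl_session (the name older Tomcat builds used) are assumptions about what the connector populates; the class name ClientCertServlet is illustrative.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not the ssltest servlet from the report. Fails closed when
// no client certificate chain reached the application, instead of printing
// "null" and carrying on as if the user had authenticated.
public class ClientCertServlet extends HttpServlet {

    // Standard Servlet attribute for the verified client chain (leaf first).
    private static final String ATTR_CHAIN = "javax.servlet.request.X509Certificate";
    // Standard Servlet attribute for the negotiated cipher suite.
    private static final String ATTR_CIPHER = "javax.servlet.request.cipher_suite";
    // Assumption: one of these two names carries the TLS session id,
    // depending on the Tomcat version (Servlet 3.0 name first).
    private static final String[] ATTR_SESSION_ID = {
        "javax.servlet.request.ssl_session_id",
        "javax.servlet.request.ssl_session"
    };

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "TLS required");
            return;
        }

        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(ATTR_CHAIN);
        if (chain == null || chain.length == 0) {
            // This is the state described in the report after the idle
            // timeout: TLS is up, but no peer certificate reached the servlet.
            log("no client certificate on " + req.getRemoteAddr()
                + " ssl_session_id=" + sessionId(req)
                + " cipher=" + req.getAttribute(ATTR_CIPHER));
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                           "client certificate required");
            return;
        }

        X509Certificate leaf = chain[0];
        try {
            // The connector already verified the chain against the CA file;
            // re-checking the validity window is cheap defence in depth.
            leaf.checkValidity();
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                           "client certificate expired or not yet valid");
            return;
        }

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("subject:        " + leaf.getSubjectX500Principal().getName());
        out.println("issuer:         " + leaf.getIssuerX500Principal().getName());
        out.println("serial (hex):   " + leaf.getSerialNumber().toString(16));
        out.println("chain length:   " + chain.length);
        out.println("ssl_session_id: " + sessionId(req));
    }

    // Returns the first non-null session id attribute, or "unknown".
    private static String sessionId(HttpServletRequest req) {
        for (String name : ATTR_SESSION_ID) {
            Object v = req.getAttribute(name);
            if (v != null) {
                return String.valueOf(v);
            }
        }
        return "unknown";
    }
}
```

Deploy it in place of the ssltest servlet and repeat the four steps from the report: the first request should list the subject and issuer, and the request after the idle minute should produce a 401 together with a log line whose session id can be compared against the first request's, which tells you whether the second request arrived on a resumed or a fresh TLS session.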