SSL Session Id lost?


 



Hello, I have seen a strange behaviour in Apache HTTPD (2.4) and TomEE (in fact it is a Tomcat (7.0.61), so it is exactly the same for Tomcat) when I configure the Apache server with SSL and mod_jk. I have been asking on the Tomcat/mod_jk mailing list and after several discussions it seems that there is something strange (maybe it is correct, of course, but we don't understand why) on the Apache HTTPD side.

I am configuring the typical Apache as frontend and TomEE(Tomcat) as backend solution. Currently Apache is configured with SSL and with mod_jk it connects to TomEE using AJP. This works perfectly. The problem is that inside my code I need to get the ssl session id:

String ssl = (String)servletRequest.getAttribute("javax.servlet.request.ssl_session_id");

I don't know why, but sometimes this attribute is null and sometimes not. It may return null for the first requests, then work for about 10 requests, and then stop working again for some requests, with getAttribute returning null.

It seems that everything is configured correctly, since it sometimes works. Have you ever found something similar, or do you know what could be happening? Do you think that maybe the problem is on the client (browser) side?

We say that there is something in Apache HTTPD since I have modified what was printed in the access_log file to print the SSL session id as the second parameter, and I get the following:

(LogFormat "%H %{SSL_SESSION_ID}e %h %l %u %t \"%r\" %>s %b")

HTTP/1.1 - 172.17.42.1 - - [09/Jul/2015:09:15:06 +0000] "GET /hello/hello HTTP/1.1" 200 89

HTTP/1.1 1b17f16f8ae73c1b4d706c1598aadb596db610bbdaeb1cd967e0bea98ec2abcb 172.17.42.1 - - [09/Jul/2015:09:15:34 +0000] "GET /hello/hello HTTP/1.1" 200 209

Notice that the first request does not contain the SSL session id, although of course I have accessed it using the https protocol. Then after several retries (basically refreshing the browser) the SSL session id appears in the log, and of course then it can be retrieved in the Java part. So it seems that there is something related to httpd (maybe there is an explanation) behind why for the first queries httpd doesn't set the SSL session id and after some time it starts to do it.

Everything is dockerized here: https://github.com/lordofthejars/apache-tomee-ssl so you can review the configuration files of Tomcat and httpd or even run it. You can read, if you want, all the discussion on the Tomcat mailing list at http://mail-archives.apache.org/mod_mbox/tomcat-users/201507.mbox/browser

Thank you so much for your support.
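
A small log-analysis script for the diagnosis described in the post above, as an added example that is not part of the original message: it parses access_log lines in the posted LogFormat and reports, per client address, how many requests carried no SSL session id and in what consecutive runs. The function names and the last three sample lines are constructed for illustration.

```python
import re
from itertools import groupby

# Matches the post's LogFormat: %H %{SSL_SESSION_ID}e %h %l %u %t "%r" %>s %b
LINE_RE = re.compile(
    r'^(?P<proto>\S+) (?P<sid>\S+) (?P<host>\S+) \S+ \S+ '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# First two lines are from the post; the last three are constructed.
SAMPLE_LOG = """\
HTTP/1.1 - 172.17.42.1 - - [09/Jul/2015:09:15:06 +0000] "GET /hello/hello HTTP/1.1" 200 89
HTTP/1.1 1b17f16f8ae73c1b4d706c1598aadb596db610bbdaeb1cd967e0bea98ec2abcb 172.17.42.1 - - [09/Jul/2015:09:15:34 +0000] "GET /hello/hello HTTP/1.1" 200 209
HTTP/1.1 1b17f16f8ae73c1b4d706c1598aadb596db610bbdaeb1cd967e0bea98ec2abcb 172.17.42.1 - - [09/Jul/2015:09:15:40 +0000] "GET /hello/hello HTTP/1.1" 200 209
HTTP/1.1 - 172.17.42.1 - - [09/Jul/2015:09:16:02 +0000] "GET /hello/hello HTTP/1.1" 200 89
HTTP/1.1 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 172.17.42.7 - - [09/Jul/2015:09:16:10 +0000] "GET /hello/hello HTTP/1.1" 200 209
"""


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sid"] = None if rec["sid"] == "-" else rec["sid"]  # "-" = variable empty
    return rec


def summarize(lines):
    """Per client: request count, requests without an id, ids seen, and runs."""
    by_host = {}
    for rec in filter(None, map(parse_line, lines)):
        by_host.setdefault(rec["host"], []).append(rec)
    report = {}
    for host, recs in by_host.items():
        has_id = [r["sid"] is not None for r in recs]
        report[host] = {
            "total": len(recs),
            "missing": has_id.count(False),
            "session_ids": sorted({r["sid"] for r in recs if r["sid"]}),
            # Consecutive requests with/without an id, in log order,
            # e.g. [(False, 1), (True, 2), (False, 1)].
            "runs": [(k, len(list(g))) for k, g in groupby(has_id)],
        }
    return report


if __name__ == "__main__":
    for host, stats in summarize(SAMPLE_LOG.splitlines()).items():
        print(host, stats)
```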


