Hello,
For our project we have integrated an electronical identity card( eID)
authentication. This card contains a certificate that is used to establish
an ssl two ways connection with our apache 2.0.54. This certificate is
validated by an OCSP server.
When ssl connections is established, user's certificate is forwarded to a
J2EE application server (weblogic) which create it's own security context
throug a JAAS LoginModule.
Our problem is that we have to (we don't have the choice) unloged user when
ssl session has expired.
So my problem is to notify weblogic that ssl session has expired.
My first idea was to save SSL_SESSION_ID in my J2EE Principal and then
compare this id with the current ssl session id of the request.
So if the current id is different than the id obtained during the
authentication process then the user is unloged.
However, it seems that when I configure a virtualhost in ssl one
ways(SSLVerifyClient none) with a per-directory ssl two ways, sometimes my
ssl session is renewed and
my ssl session id is different. If I configure two-ways at virtualhost level
this doesn't happen.
Is there a problem for apache to maintains ssl session if we change the ssl
type?
I read on an older post that we can't rely on SSL_SESSION_ID to know if ssl
has expired but I don't see any other way to notify my application server.
Any suggestion?
Here is my ssl.conf.For information I have specific application apart from
the main application which is responsible of the authentication.
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLSessionCache shmcb:logs/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLMutex file:/home/apache-2.0.54/logs/ssl_mutex
SLRandomSeed startup builtin
<VirtualHost *:443>
ServerName host
ServerAlias host
DocumentRoot "/home/apache-2.0.54/htdocs"
SSLEngine on
SSLCipherSuite -ALL:SSLv3+HIGH:-aNULL!EXPORT56:RC4+RSA
SSLProtocol -ALL +SSLv3 +TLSv1
# Server Certificate:
SSLCertificateFile
/home/apache-2.0.54/conf/ssl/certificate/server/host.cert
# Server Private Key:
SSLCertificateKeyFile
/home/apache-2.0.54/conf/ssl/certificate/server/privkey.key
SSLCertificateChainFile
"/home/apache-2.0.54/conf/ssl/certificate/chain/chain.pem
SSLOptions +StrictRequire +StdEnvVars +ExportCertData
RequestHeader add SSL_SESSION_ID "%{SSL_SESSION_ID}e"
SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown
SSLVerifyClient none
SSLCACertificateFile
"/home/weblogic/apache-2.0.54/conf/ssl/certificate/trusted_certificate/client-trusted-list.pem"
#Application that does the authentication
<Location /Authentication>
SetHandler weblogic-handler
WebLogicCluster host:7001
</Location>
#main application that needs authentication
<Location /WebAppTestAuthentication>
SetHandler weblogic-handler
WebLogicCluster host:7001
</Location>
#Two-ways connection is only established when calling this struts action
<Location /Authentication/logineID.do >
SSLVerifyClient require
RequestHeader add WL-Proxy-SSL "true"
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}e"
RequestHeader add SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}e"
Allow from all
</Location>
</VirtualHost>
----------------------------------------------------------------
- Disclaimer: http://www.minfin.fgov.be/disclaimer.htm
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|