Re: How to notify application server that ssl session has expired

Nobody to help me (or my mail was not clear)?
Claude
----- Original Message ----- From: "Claude Libois" <claude.libois@xxxxxxxxxxxxxxxxxxx>
To: <users@xxxxxxxxxxxxxxxx>
Sent: Tuesday, December 05, 2006 11:52 AM
Subject: How to notify application server that ssl session has expired


Hello,
For our project we have integrated an electronic identity card (eID)
authentication. This card contains a certificate that is used to establish
a two-way SSL connection with our Apache 2.0.54. This certificate is
validated by an OCSP server.
When the SSL connection is established, the user's certificate is forwarded to a
J2EE application server (WebLogic) which creates its own security context
through a JAAS LoginModule.
Our problem is that we have to (we don't have the choice) log the user out when
the SSL session has expired.
So my problem is to notify WebLogic that the SSL session has expired.
My first idea was to save SSL_SESSION_ID in my J2EE Principal and then
compare this id with the current SSL session id of the request.
So if the current id is different from the id obtained during the
authentication process then the user is logged out.
However, it seems that when I configure a virtual host in one-way SSL
(SSLVerifyClient none) with per-directory two-way SSL, sometimes my
SSL session is renewed and my SSL session id is different. If I configure
two-way at virtual host level this doesn't happen.
Is there a problem for Apache to maintain the SSL session if we change the SSL
type?
I read in an older post that we can't rely on SSL_SESSION_ID to know if SSL
has expired but I don't see any other way to notify my application server.
Any suggestion?

Here is my ssl.conf. For information, I have a specific application apart from
the main application which is responsible for the authentication.

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLSessionCache        shmcb:logs/ssl_scache(512000)
SSLSessionCacheTimeout  300
SSLMutex  file:/home/apache-2.0.54/logs/ssl_mutex
SSLRandomSeed startup builtin
<VirtualHost *:443>
    ServerName host
    ServerAlias host
    DocumentRoot "/home/apache-2.0.54/htdocs"
    SSLEngine on
    SSLCipherSuite -ALL:SSLv3+HIGH:-aNULL!EXPORT56:RC4+RSA
    SSLProtocol -ALL +SSLv3 +TLSv1
    # Server Certificate:
    SSLCertificateFile /home/apache-2.0.54/conf/ssl/certificate/server/host.cert
    # Server Private Key:
    SSLCertificateKeyFile /home/apache-2.0.54/conf/ssl/certificate/server/privkey.key
    SSLCertificateChainFile "/home/apache-2.0.54/conf/ssl/certificate/chain/chain.pem"
    SSLOptions +StrictRequire +StdEnvVars +ExportCertData
    RequestHeader add SSL_SESSION_ID "%{SSL_SESSION_ID}e"
    SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown
    SSLVerifyClient none
    SSLCACertificateFile "/home/weblogic/apache-2.0.54/conf/ssl/certificate/trusted_certificate/client-trusted-list.pem"
    # Application that does the authentication
    <Location /Authentication>
        SetHandler weblogic-handler
        WebLogicCluster host:7001
    </Location>
    # Main application that needs authentication
    <Location /WebAppTestAuthentication>
        SetHandler weblogic-handler
        WebLogicCluster host:7001
    </Location>
    # Two-way connection is only established when calling this struts action
    <Location /Authentication/logineID.do>
        SSLVerifyClient require
        RequestHeader add WL-Proxy-SSL "true"
        RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}e"
        RequestHeader add SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}e"
        Allow from all
    </Location>
</VirtualHost>





----------------------------------------------------------------
- Disclaimer: http://www.minfin.fgov.be/disclaimer.htm

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
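The following is an added illustration of the check Claude describes (save the SSL_SESSION_ID seen at login in the Principal, compare it on every later request, and drop the application's security context when it no longer matches). It is not code from the poster, from WebLogic or from the Apache project: it is a stand-alone Python model of the application-server side, using the header names the posted ssl.conf forwards (SSL_SESSION_ID on every request, SSL_CLIENT_CERT and SSL_CLIENT_S_DN only under /Authentication/logineID.do). The 300-second limit mirrors the posted SSLSessionCacheTimeout; session ids, DNs and timestamps below are constructed sample data. The "id changed" branch is exactly the renegotiation case the post observes with per-directory SSLVerifyClient, which is why the id alone over-reports expiry; the age check gives a second, time-based signal that does not depend on the id staying stable.

```python
"""Model of the SSL-session-binding check described in the post.

Added example, not WebLogic/JAAS code. Header names follow the posted
ssl.conf; all sample values are constructed.
"""

from dataclasses import dataclass

# Mirrors "SSLSessionCacheTimeout 300" in the posted ssl.conf: Apache's
# session cache keeps an SSL session for this many seconds after it was
# created, so a principal whose session is older than this cannot be backed
# by a resumable SSL session any more (assumption: app and Apache clocks agree).
SSL_SESSION_CACHE_TIMEOUT = 300


@dataclass
class Principal:
    """Minimal stand-in for the J2EE Principal built by the LoginModule."""
    subject_dn: str
    ssl_session_id: str      # SSL_SESSION_ID header observed on the login request
    session_started: float   # time (seconds) that id was first seen


def login(headers, now):
    """LoginModule step for /Authentication/logineID.do.

    Only that Location forwards the client-certificate headers in the posted
    config, so a request lacking them cannot authenticate. Returns a Principal
    or None.
    """
    dn = headers.get("SSL_CLIENT_S_DN")
    cert = headers.get("SSL_CLIENT_CERT")
    sid = headers.get("SSL_SESSION_ID")
    if not (dn and cert and sid):
        return None
    return Principal(subject_dn=dn, ssl_session_id=sid, session_started=now)


def check_request(principal, headers, now):
    """Decide whether an already-authenticated principal may proceed.

    Returns (allowed, reason). A False result is the signal the application
    needs to invalidate its own security context (the "log out" in the post).
    """
    sid = headers.get("SSL_SESSION_ID")
    if not sid:
        # The header is added by mod_ssl's RequestHeader line; its absence means
        # the request did not arrive through the SSL virtual host at all.
        return False, "no SSL_SESSION_ID header forwarded by mod_ssl"
    if now - principal.session_started > SSL_SESSION_CACHE_TIMEOUT:
        # Apache's cache has dropped the session by now, whatever id the
        # request carries.
        return False, "SSL session older than SSLSessionCacheTimeout"
    if sid != principal.ssl_session_id:
        # Either a genuinely new session or, as the post observes, a
        # renegotiation caused by per-directory SSLVerifyClient.
        return False, "SSL_SESSION_ID changed since login"
    return True, "ok"


def run_scenario():
    """Constructed request sequence covering the three outcomes.

    Returns the list of allowed/denied decisions in order.
    """
    login_headers = {
        "SSL_SESSION_ID": "sample-session-1",          # constructed
        "SSL_CLIENT_S_DN": "/C=BE/CN=Sample Citizen",   # constructed
        "SSL_CLIENT_CERT": "-----BEGIN CERTIFICATE-----sample-----END CERTIFICATE-----",
    }
    principal = login(login_headers, now=1000.0)
    results = []
    # Same SSL session resumed 100 s later: allowed.
    results.append(check_request(principal, {"SSL_SESSION_ID": "sample-session-1"}, now=1100.0))
    # New or renegotiated SSL session: id differs, application logs the user out.
    results.append(check_request(principal, {"SSL_SESSION_ID": "sample-session-2"}, now=1150.0))
    # Same id but beyond the cache timeout: treated as expired as well.
    results.append(check_request(principal, {"SSL_SESSION_ID": "sample-session-1"}, now=1400.0))
    return [allowed for allowed, _reason in results]


if __name__ == "__main__":
    for allowed, reason in [
        check_request(login({"SSL_SESSION_ID": "s", "SSL_CLIENT_S_DN": "d",
                             "SSL_CLIENT_CERT": "c"}, 0.0), {"SSL_SESSION_ID": "s"}, 10.0)
    ]:
        print(allowed, reason)
    print(run_scenario())
```

In a real deployment the check would live in a servlet filter or the JAAS LoginModule's post-login path rather than in a function like this; the point the model makes is that an id mismatch and a timed-out session are two different signals, and only the second one survives the renegotiation the post describes.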

