Posted to users@httpd.apache.org by Alex Soto <as...@gmail.com> on 2015/07/23 15:50:50 UTC

[users@httpd] SSL Session Id lost?

Hello, I have seen a strange behaviour in Apache HTTPD (2.4) and TomEE (in
fact it is a Tomcat (7.0.61), so it is exactly the same for Tomcat) when I
configure Apache server with SSL and mod_jk. I have been asking on the
Tomcat/mod_jk mailing list and after several discussions it seems that there
is something strange (maybe it is correct of course, but we don't
understand why) on the Apache HTTPD side.

I am configuring the typical Apache as frontend and TomEE(Tomcat) as
backend solution. Currently Apache is configured with SSL and with mod_jk
it connects to TomEE using AJP. This works perfectly. The problem is that
inside my code I need to get the ssl session id:

    String ssl = (String) servletRequest.getAttribute("javax.servlet.request.ssl_session_id");


I don't know why, but sometimes this attribute is null and sometimes not. It
may return null for the first requests, then work for about 10 requests, and
then stop working again for some requests, with getAttribute returning
null.

It seems that everything is configured correctly since it sometimes works.
Have you ever found something similar, or do you know what can be happening?
Do you think that maybe the problem is on the client (browser) side?

We say that there is something in Apache Httpd since I have modified what
was printed in the access_log file to print the SSL session ID as the second
parameter, and I get the following:

(LogFormat "%H %{SSL_SESSION_ID}e %h %l %u %t \"%r\" %>s %b")

HTTP/1.1 - 172.17.42.1 - - [09/Jul/2015:09:15:06 +0000] "GET /hello/hello HTTP/1.1" 200 89

HTTP/1.1 1b17f16f8ae73c1b4d706c1598aadb596db610bbdaeb1cd967e0bea98ec2abcb 172.17.42.1 - - [09/Jul/2015:09:15:34 +0000] "GET /hello/hello HTTP/1.1" 200 209

Notice that the first request does not contain the SSL session ID although
of course I have accessed using the https protocol. Then after several retries
(basically refreshing the browser) the SSL session ID appears in the log and
of course then it can be retrieved in the Java part. So it seems that there is
something related to httpd (maybe there is an explanation) behind why, for
the first queries, httpd doesn't set the SSL session ID and after some time it
starts to do it.

Everything is dockerized here:
https://github.com/lordofthejars/apache-tomee-ssl so you can review the
configuration files of Tomcat and httpd or even run it. You can read, if you
want, the whole discussion on the Tomcat mailing list at
http://mail-archives.apache.org/mod_mbox/tomcat-users/201507.mbox/browser

Thank you so much for your support.

Re: [users@httpd] SSL Session Id lost?

Posted by Alex Soto <as...@gmail.com>.
OK, finally it was the combination of the flag you mentioned with other flags.
Now everything works, thank you so much.

Alex.

On Fri, 24 Jul 2015 at 9:51, Alex Soto (<as...@gmail.com>) wrote:

> Hi, I have tried putting SSLSessionTickets off in httpd.conf and
> httpd-ssl.conf, but the result is still the same.
>
> Regards,
> Alex.
>
> On Thu, 23 Jul 2015 at 23:03, Yann Ylavic (<yl...@gmail.com>) wrote:
>
>> On Thu, Jul 23, 2015 at 3:50 PM, Alex Soto <as...@gmail.com> wrote:
>> >
>> > It seems that everything is configured correctly since it sometimes works.
>> > Have you ever found something similar, or do you know what can be
>> > happening? Do you think that maybe the problem is on the client (browser)
>> > side?
>> >
>> > We say that there is something in Apache Httpd since I have modified what
>> > was printed in the access_log file to print the SSL session ID as the
>> > second parameter, and I get the following:
>> >
>> > (LogFormat "%H %{SSL_SESSION_ID}e %h %l %u %t \"%r\" %>s %b")
>> >
>> > HTTP/1.1 - 172.17.42.1 - - [09/Jul/2015:09:15:06 +0000] "GET /hello/hello HTTP/1.1" 200 89
>>
>> This is because the SSL_SESSION_ID is not always available on the TLS
>> side, when session tickets are used at first.
>>
>> It's up to the client to generate (or not) a session ID, which is only
>> available on the first session resumption.
>>
>> https://tools.ietf.org/html/rfc5077#section-3.4 for the details.
>>
>> You may configure "SSLSessionTickets off" to disable session tickets
>> management in TLS (using session IDs only).
>>
>> Regards,
>> Yann.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>

Re: [users@httpd] SSL Session Id lost?

Posted by Alex Soto <as...@gmail.com>.
Hi, I have tried putting SSLSessionTickets off in httpd.conf and
httpd-ssl.conf, but the result is still the same.

Regards,
Alex.

On Thu, 23 Jul 2015 at 23:03, Yann Ylavic (<yl...@gmail.com>) wrote:

> On Thu, Jul 23, 2015 at 3:50 PM, Alex Soto <as...@gmail.com> wrote:
> >
> > It seems that everything is configured correctly since it sometimes works.
> > Have you ever found something similar, or do you know what can be
> > happening? Do you think that maybe the problem is on the client (browser)
> > side?
> >
> > We say that there is something in Apache Httpd since I have modified what
> > was printed in the access_log file to print the SSL session ID as the
> > second parameter, and I get the following:
> >
> > (LogFormat "%H %{SSL_SESSION_ID}e %h %l %u %t \"%r\" %>s %b")
> >
> > HTTP/1.1 - 172.17.42.1 - - [09/Jul/2015:09:15:06 +0000] "GET /hello/hello HTTP/1.1" 200 89
>
> This is because the SSL_SESSION_ID is not always available on the TLS
> side, when session tickets are used at first.
>
> It's up to the client to generate (or not) a session ID, which is only
> available on the first session resumption.
>
> https://tools.ietf.org/html/rfc5077#section-3.4 for the details.
>
> You may configure "SSLSessionTickets off" to disable session tickets
> management in TLS (using session IDs only).
>
> Regards,
> Yann.
>

Re: [users@httpd] SSL Session Id lost?

Posted by Yann Ylavic <yl...@gmail.com>.
On Thu, Jul 23, 2015 at 3:50 PM, Alex Soto <as...@gmail.com> wrote:
>
> It seems that everything is configured correctly since it sometimes works.
> Have you ever found something similar, or do you know what can be happening?
> Do you think that maybe the problem is on the client (browser) side?
>
> We say that there is something in Apache Httpd since I have modified what
> was printed in the access_log file to print the SSL session ID as the second
> parameter, and I get the following:
>
> (LogFormat "%H %{SSL_SESSION_ID}e %h %l %u %t \"%r\" %>s %b")
>
> HTTP/1.1 - 172.17.42.1 - - [09/Jul/2015:09:15:06 +0000] "GET /hello/hello HTTP/1.1" 200 89

This is because the SSL_SESSION_ID is not always available on the TLS
side, when session tickets are used at first.

It's up to the client to generate (or not) a session ID, which is only
available on the first session resumption.

https://tools.ietf.org/html/rfc5077#section-3.4 for the details.

You may configure "SSLSessionTickets off" to disable session tickets
management in TLS (using session IDs only).

Regards,
Yann.
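
One way to measure how often the session ID is absent, using the LogFormat from this thread. This is an added example, not part of the original messages; the function names are hypothetical, and sample lines 3-5 are constructed (lines 1-2 are the entries quoted in the thread, unwrapped).

```python
import re
from collections import defaultdict

# Pattern for the thread's LogFormat:
#   "%H %{SSL_SESSION_ID}e %h %l %u %t \"%r\" %>s %b"
# An unset SSL_SESSION_ID is logged as "-", as in the first line quoted above.
LINE_RE = re.compile(
    r'^(?P<proto>\S+) (?P<sid>-|[0-9A-Fa-f]+) (?P<host>\S+) \S+ \S+ '
    r'\[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse_line(line):
    """Return the fields of one access_log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sid"] = None if rec["sid"] == "-" else rec["sid"].lower()
    return rec

def summarize(lines):
    """Per client: request count, requests without a session ID, distinct IDs."""
    stats = defaultdict(lambda: {"total": 0, "missing": 0, "ids": set()})
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # not in the expected format
            continue
        entry = stats[rec["host"]]
        entry["total"] += 1
        if rec["sid"] is None:
            entry["missing"] += 1
        else:
            entry["ids"].add(rec["sid"])
    return dict(stats), skipped

SID = "1b17f16f8ae73c1b4d706c1598aadb596db610bbdaeb1cd967e0bea98ec2abcb"
# Lines 1-2 are the entries quoted in the thread (unwrapped); 3-5 are constructed.
SAMPLE = [
    'HTTP/1.1 - 172.17.42.1 - - [09/Jul/2015:09:15:06 +0000] "GET /hello/hello HTTP/1.1" 200 89',
    'HTTP/1.1 %s 172.17.42.1 - - [09/Jul/2015:09:15:34 +0000] "GET /hello/hello HTTP/1.1" 200 209' % SID,
    'HTTP/1.1 %s 172.17.42.1 - - [09/Jul/2015:09:15:40 +0000] "GET /hello/hello HTTP/1.1" 200 209' % SID,
    'HTTP/1.1 - 172.17.42.1 - - [09/Jul/2015:09:16:02 +0000] "GET /hello/hello HTTP/1.1" 200 89',
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    per_client, skipped = summarize(SAMPLE)
    for host, s in per_client.items():
        print(host, "total=%d missing=%d distinct_ids=%d" % (s["total"], s["missing"], len(s["ids"])))
    print("skipped:", skipped)
```

Running it over the access_log before and after a change such as "SSLSessionTickets off" shows whether the share of requests logged with "-" actually drops.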
