Posted to users@httpd.apache.org by Alex Soto <as...@gmail.com> on 2015/07/09 11:59:16 UTC

[users@httpd] SSL session id is not always set in environment var

Hello, I have seen a strange behaviour in Apache HTTPD (2.4) and TomEE (in
fact it is a Tomcat (7.0.61), so it is exactly the same for Tomcat) when I
configure the Apache server with SSL and mod_jk.
I have been asking on the Tomcat/mod_jk mailing list and after several
discussions it seems that there is something strange (maybe it is correct,
of course, but we don't understand why) on the Apache HTTPD side.

I am configuring the typical solution with Apache as frontend and TomEE
(Tomcat) as backend. Currently Apache is configured with SSL and it
connects to TomEE with mod_jk using AJP. This works perfectly. The problem
is that inside my code I need to get the SSL session id:

String ssl = (String) servletRequest.getAttribute("javax.servlet.request.ssl_session_id");

I don't know why, but sometimes this attribute is null and sometimes not. It
may return null on the first requests, then work for about 10 requests, and
then stop working again for some requests, with getAttribute returning
null.

It seems that everything is configured correctly, since sometimes it works.
Have you ever found something similar, or do you know what could be
happening? Do you think that maybe the problem is on the client (browser)
side?

We say that there is something in Apache HTTPD because I have modified what
is printed in the access_log file to print the SSL session id as the second
parameter, and I get the following:

(LogFormat "%H %{SSL_SESSION_ID}e %h %l %u %t \"%r\" %>s %b")

HTTP/1.1 - 172.17.42.1 - - [09/Jul/2015:09:15:06 +0000] "GET /hello/hello HTTP/1.1" 200 89

HTTP/1.1 1b17f16f8ae73c1b4d706c1598aadb596db610bbdaeb1cd967e0bea98ec2abcb 172.17.42.1 - - [09/Jul/2015:09:15:34 +0000] "GET /hello/hello HTTP/1.1" 200 209

Notice that the first request does not contain the SSL session id, although
of course I have accessed it using the https protocol. Then after several
retries (basically refreshing the browser) the SSL session id appears in the
log, and of course then it can be retrieved in the Java part.
So it seems that there is something in httpd (maybe there is an
explanation) that would explain why httpd doesn't set the SSL session id
for the first queries and starts to do it after some time.


Everything is dockerized here:
https://github.com/lordofthejars/apache-tomee-ssl so you can review the
configuration files of Tomcat and httpd or even run it.
If you want, you can read the whole discussion on the Tomcat mailing list at
http://mail-archives.apache.org/mod_mbox/tomcat-users/201507.mbox/browser

Thank you so much for your support.
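
Added example, not part of the original post or of the httpd or Tomcat projects: a Python parser for the LogFormat quoted above that reports, per client address, how many requests were logged without an SSL session id and in what runs present and missing ids alternate. The function names are hypothetical, and every sample line after the first two is constructed.

```python
import re
from collections import defaultdict

# Fields of the post's LogFormat: %H %{SSL_SESSION_ID}e %h %l %u %t "%r" %>s %b
# The second field must be "-" or a hex session id, otherwise the line is rejected.
LINE_RE = re.compile(
    r'(?P<proto>\S+) (?P<sid>-|[0-9A-Fa-f]+) (?P<host>\S+) \S+ \S+ '
    r'\[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

def parse_line(line):
    """Return the fields of one log line, or None if it does not fit the format."""
    m = LINE_RE.fullmatch(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    if rec["sid"] == "-":                 # httpd logs "-" when the variable has no value
        rec["sid"] = None
    return rec

def summarize(lines):
    """Per client: totals, distinct ids, and run lengths of present/missing ids."""
    stats = defaultdict(lambda: {"total": 0, "missing": 0, "ids": set(), "runs": []})
    malformed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        s, present = stats[rec["host"]], rec["sid"] is not None
        s["total"] += 1
        s["missing"] += 0 if present else 1
        if present:
            s["ids"].add(rec["sid"].lower())
        if s["runs"] and s["runs"][-1][0] == present:
            s["runs"][-1][1] += 1         # same state as the previous request
        else:
            s["runs"].append([present, 1])
    return dict(stats), malformed

# The first two lines are the ones quoted in the post; the last two are constructed.
SID = "1b17f16f8ae73c1b4d706c1598aadb596db610bbdaeb1cd967e0bea98ec2abcb"
GET = '"GET /hello/hello HTTP/1.1"'
SAMPLE_LOG = [
    f'HTTP/1.1 - 172.17.42.1 - - [09/Jul/2015:09:15:06 +0000] {GET} 200 89',
    f'HTTP/1.1 {SID} 172.17.42.1 - - [09/Jul/2015:09:15:34 +0000] {GET} 200 209',
    f'HTTP/1.1 {SID} 172.17.42.1 - - [09/Jul/2015:09:15:40 +0000] {GET} 200 209',
    f'HTTP/1.1 - 172.17.42.1 - - [09/Jul/2015:09:15:51 +0000] {GET} 200 89',
]
```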