Posted to users@tomcat.apache.org by Nuno Ponte <nu...@multicert.com> on 2003/10/16 16:55:22 UTC

Mixing SSL authentication certificates

  Hi,

  I have a servlet which performs some operations with the certificate 
used for SSL client authentication. My environment is Apache v1.3.27 
forwarding requests to a Tomcat v4.0.3 through a mod_jk-3.3-ap13.

  At normal use it works fine, but at heavy load it seems it's mixing 
the client authentication certificates. By "mixing", I mean setting the 
same certificate for 3/4 requests.

  My doPost() method looks like this:

    // Requires: java.security.cert.X509Certificate, javax.servlet.*
    protected void doPost(HttpServletRequest request,
                          HttpServletResponse response)
            throws ServletException, IOException {
        // Leaf (first) certificate of the chain the container exposes
        // for this request; the variable is local, so it is per-thread
        X509Certificate cert =
            ((X509Certificate[])
                request.getAttribute("javax.servlet.request.X509Certificate"))[0];

        log("Titular of certificate with SerialNumber " +
            cert.getSerialNumber()
            + " issued by " + cert.getIssuerDN().getName()
            + " to " + cert.getSubjectDN().getName() + " is accessing...");
        ...
    }

  As you can see, the cert variable is local scoped to the method (not 
instance scoped which could lead to mixes), so there's no way for the 
certificates to be mixed in my servlet. Therefore, my bet is that 
mod_ssl or mod_jk has a concurrency problem.

  At heavy load, I can see on the log files several consecutive entries 
for the same certificate and I can almost assure they are not made by 
the same user.

  Did anyone ever experience the same problem?

  Thanks for any help you can provide.


  Regards,

             Nuno Ponte
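The post's concern is that the certificate seen by one request shows up on another under load. The servlet below is an added example (not from the post, nor from Apache/Tomcat or mod_jk) of how a defender can read the client certificate in a thread-safe way and detect that kind of cross-request mix-up at the application layer: it keeps all per-request state in local variables, tolerates a missing chain instead of throwing, and pins the first-seen subject DN to the HTTP session so that a later request on the same session arriving with a different certificate is refused and logged. The class name, the session attribute key and the log wording are assumptions; the `javax.servlet.request.X509Certificate` attribute name is the standard one the post already uses.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * CertConsistencyServlet (hypothetical name): per-request, thread-safe
 * retrieval of the SSL client certificate plus a session-to-certificate
 * consistency check that surfaces mix-ups between concurrent requests.
 */
public class CertConsistencyServlet extends HttpServlet {

    /** Standard attribute under which the container exposes the client chain. */
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    /** Session key (assumed name) under which the first-seen subject DN is pinned. */
    private static final String PINNED_SUBJECT = "pinned.client.subject";

    // Deliberately no instance fields holding per-request state: the container
    // drives one servlet instance from many threads at the same time.

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        X509Certificate cert = clientCertificate(request);
        if (cert == null) {
            // No client certificate negotiated for this request: do not fall
            // through to certificate-based authorization.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "client certificate required");
            return;
        }

        String subject = cert.getSubjectDN().getName();
        HttpSession session = request.getSession(true);
        if (!subjectMatchesSession(session, subject)) {
            // The session was established under one certificate but this request
            // carries another: a transport-layer mix-up of the kind described in
            // the post, or a hijacked session. Refuse and drop the session.
            log("Certificate/session mismatch for session " + session.getId()
                    + ": session pinned to " + session.getAttribute(PINNED_SUBJECT)
                    + " but request carries " + subject
                    + " from " + request.getRemoteAddr());
            session.invalidate();
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "certificate does not match session");
            return;
        }

        // Log serial, issuer, subject, peer address and session id together so
        // that consecutive entries for one certificate can be correlated.
        log("Serial " + cert.getSerialNumber()
                + " issued by " + cert.getIssuerDN().getName()
                + " to " + subject
                + " from " + request.getRemoteAddr()
                + " session " + session.getId());
        // ... application logic goes here ...
    }

    /** Returns the leaf client certificate, or null when none was presented. */
    static X509Certificate clientCertificate(HttpServletRequest request) {
        Object attr = request.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[])) {
            return null;
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        return chain.length == 0 ? null : chain[0];
    }

    /**
     * Pins the subject DN to the session on first use and reports whether later
     * requests on the same session still present the same subject. Synchronizing
     * on the session object keeps the check-then-set atomic when two requests for
     * one session arrive concurrently.
     */
    static boolean subjectMatchesSession(HttpSession session, String subject) {
        synchronized (session) {
            String pinned = (String) session.getAttribute(PINNED_SUBJECT);
            if (pinned == null) {
                session.setAttribute(PINNED_SUBJECT, subject);
                return true;
            }
            return pinned.equals(subject);
        }
    }
}
```

With this in place, a misrouted certificate no longer silently produces a log line under the wrong identity; it produces a mismatch entry naming both the pinned subject and the one actually presented, which is what an operator needs to confirm or rule out a concurrency problem in the Apache/mod_jk path. The session-pinning check is a defence-in-depth measure at the servlet layer, not a fix for the underlying connector.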