Posted to users@tomcat.apache.org by Nuno Ponte <nu...@multicert.com> on 2003/10/16 16:55:22 UTC
Mixing SSL authentication certificates
Hi,
I have a servlet which performs some operations with the certificate
used for SSL client authentication. My environment is Apache v1.3.27
forwarding requests to a Tomcat v4.0.3 through a mod_jk-3.3-ap13.
Under normal use it works fine, but under heavy load it seems to be mixing
the client authentication certificates. By "mixing", I mean setting the
same certificate for 3/4 requests.
My doPost() method looks like this:
    protected void doPost(HttpServletRequest request,
                          HttpServletResponse response)
            throws ServletException, IOException {
        X509Certificate cert =
            ((X509Certificate[])
                request.getAttribute("javax.servlet.request.X509Certificate"))[0];
        log("Titular of certificate with SerialNumber " +
            cert.getSerialNumber()
            + " issued by " + cert.getIssuerDN().getName()
            + " to " + cert.getSubjectDN().getName() + " is accessing...");
        ...
As you can see, the cert variable is locally scoped to the method (not
instance-scoped, which could lead to mixes), so there's no way for the
certificates to be mixed in my servlet. Therefore, my bet is that
mod_ssl or mod_jk has a concurrency problem.
Under heavy load, I can see in the log files several consecutive entries
for the same certificate and I can almost assure you they are not made by
the same user.
Has anyone ever experienced the same problem?
Thanks for any help you can provide.
Regards,
Nuno Ponte
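
The scoping argument made in the post, as an added example that is not part of the original message or of Tomcat: a single shared handler object is called from several threads, once keeping the client identity in an instance field and once in a local variable. The class CertScopeDemo, its method names and the "CN=client-N" subjects are hypothetical and constructed for illustration.

```java
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;

// Constructed stand-in for a servlet: one shared instance serves every request thread.
public class CertScopeDemo {
    private String certField;                      // instance scope: shared by all threads

    // Unsafe variant: the request's identity is parked in a field between read and use.
    boolean handleWithField(String clientCert) {
        certField = clientCert;
        Thread.yield();                            // widen the window for another request to write
        return certField.equals(clientCert);       // false => another client's cert would be logged
    }

    // Variant matching the doPost() in the post: identity kept in a local variable.
    boolean handleWithLocal(String clientCert) {
        String cert = clientCert;
        Thread.yield();
        return cert.equals(clientCert);            // always true: each thread has its own stack
    }

    // Runs `threads` concurrent clients and counts requests that saw the wrong identity.
    static int countMixups(boolean useField, int threads, int perThread) throws Exception {
        CertScopeDemo servlet = new CertScopeDemo();
        AtomicInteger mixups = new AtomicInteger();
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        CountDownLatch start = new CountDownLatch(1);
        for (int t = 0; t < threads; t++) {
            final String cert = "CN=client-" + t;  // constructed subject names
            pool.submit(() -> {
                start.await();                     // release all clients at once
                for (int i = 0; i < perThread; i++) {
                    boolean ok = useField ? servlet.handleWithField(cert)
                                          : servlet.handleWithLocal(cert);
                    if (!ok) mixups.incrementAndGet();
                }
                return null;
            });
        }
        start.countDown();
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
        return mixups.get();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("instance field mix-ups: " + countMixups(true, 8, 100_000));
        System.out.println("local variable mix-ups: " + countMixups(false, 8, 100_000));
    }
}
```

The local-variable count is always 0; the instance-field count varies from run to run and is typically non-zero on a multi-core machine.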