Posted to users@tomcat.apache.org by Alex Soto <as...@gmail.com> on 2015/07/06 11:48:37 UTC

Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

Hello, I have seen a strange behaviour in Apache HTTPD (2.4) and TomEE (in
fact it is a Tomcat (7.0.61) so it is exactly the same for Tomcat) when I
configure Apache server with SSL and mod_jk.
In fact I am not sure where the problem is, whether in mod_jk, in Apache
Server or in Tomcat, but I suspect that maybe the problem is in the mod_jk
configuration.

I am configuring the typical Apache as frontend and TomEE(Tomcat) as
backend solution. Currently Apache is configured with SSL and with mod_jk
it connects to TomEE using AJP. This works perfectly. The problem is that
inside my code I need to get the ssl session id:

String ssl =
(String)servletRequest.getAttribute("javax.servlet.request.ssl_session_id");

I don't know why but sometimes this attribute is null and sometimes not. It
may return a null at first then stay like 10 requests working and then stop
working again during some requests and the get attribute returns null.

It seems that everything is configured correctly since it sometimes works.
Have you ever found something similar, or do you know what could be happening? Do
you think that maybe the problem is on the client (browser) side?

Everything is dockerized here:
https://github.com/lordofthejars/apache-tomee-ssl so you can review
configuration files of tomcat and apache or even run it.

Thank you so much for your support.

Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

Posted by Alex Soto <as...@gmail.com>.
I send you here the link so you can read it
http://httpd.markmail.org/search/?q=Alex%20Soto#query:Alex%20Soto+page:1+mid:74py424qest6gnj3+state:results

On Tue, 28 Jul 2015 at 17:33, Christopher Schultz (<chris@christopherschultz.net>) wrote:

> Alex,
>
> On 7/28/15 2:25 AM, Alex Soto wrote:
> > Well, the answer comes from the httpd team, so I expect they are aware of
> > this. Moreover, they explained this to me about ticketing and why this
> > behaviour is normal.
>
> If this is expected behavior, it's certainly surprising to me! It kind
> of makes httpd's HTTPS flags useless, doesn't it?
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Alex,

On 7/28/15 2:25 AM, Alex Soto wrote:
> Well, the answer comes from the httpd team, so I expect they are aware of
> this. Moreover, they explained this to me about ticketing and why this
> behaviour is normal.

If this is expected behavior, it's certainly surprising to me! It kind
of makes httpd's HTTPS flags useless, doesn't it?

-chris


Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

Posted by Alex Soto <as...@gmail.com>.
Well, the answer comes from the httpd team, so I expect they are aware of this.
Moreover, they explained this to me about ticketing and why this behaviour
is normal.

Alex
On Mon, 27 Jul 2015 at 23:32, Christopher Schultz <chris@christopherschultz.net> wrote:

> Alex,
>
> On 7/27/15 7:36 AM, Alex Soto wrote:
> > finally I found what was happening. It was a problem with the
> > ticketing system of SSL. To avoid it and make everything work, you
> > only need to set SSLSessionTickets to off. And that's all, now
> > everything works as expected.
>
> Ideally, session ticketing in httpd would work properly. Does this
> seem to be a bug in httpd? If so, please take some time to work with
> the httpd team to resolve this issue... I'm sure it will help a lot of
> people if you do.
>
> Thanks,
> -chris
>
>

Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Alex,

On 7/27/15 7:36 AM, Alex Soto wrote:
> finally I found what was happening. It was a problem with the
> ticketing system of SSL. To avoid it and make everything work, you
> only need to set SSLSessionTickets to off. And that's all, now
> everything works as expected.

Ideally, session ticketing in httpd would work properly. Does this
seem to be a bug in httpd? If so, please take some time to work with
the httpd team to resolve this issue... I'm sure it will help a lot of
people if you do.

Thanks,
-chris


Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

Posted by Alex Soto <as...@gmail.com>.
Hi guys,
finally I found what was happening. It was a problem with the ticketing
system of SSL. To avoid it and make everything work, you only need to set
SSLSessionTickets to off. And that's all, now everything works as expected.

Thank you very much for all your help.

Alex.

On Mon, 13 Jul 2015 at 15:19, Christopher Schultz (<chris@christopherschultz.net>) wrote:

> Konstantin,
>
> On 7/9/15 6:30 AM, Konstantin Kolinko wrote:
> > Please do not top-post, Rules:
> > http://tomcat.apache.org/lists.html#tomcat-users -> "6."
> >
> > 2015-07-09 13:07 GMT+03:00 Alex Soto <as...@gmail.com>:
> >> yes (LogFormat "%H %{SSL_SESSION_ID}e %h %l %u %t \"%r\" %>s
> >> %b") note that in both cases %H is the same value. I think it is
> >> correct.
> >
> > Agreed. HTTP/1.1 is correct here. It is what is written on the
> > first line of an HTTP request.
> >
> >> Have a look here :
> >> http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats
> >> and in particular at %{FOOBAR}e     The contents of the
> >> environment variable FOOBAR
> >>
> >> You can also log the request protocol : %H      The request
> >> protocol
> >
> > OP is using HTTPD 2.4, so documentation link is s/2.2/2.4/,
> > http://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats
> >
> > You may look at mod_ssl docs,
> > http://httpd.apache.org/docs/2.4/mod/mod_ssl.html
> >
> > There are a number of interesting environment variables that may
> > be logged (HTTPS, SSL_PROTOCOL, SSL_SESSION_RESUMED).
> >
> > Description of  "SSLSessionCache" directive in mod_ssl mentions
> > some null values, but as you have configured "shmcb" cache
> > implementation that apparently should not happen.
>
> If the shared-memory configuration isn't working, weird things like
> this may happen. I had a similar problem with mod_jk's shared memory
> configuration pointing to an incorrect-path on the disk, and so shm
> didn't initialize properly.
>
> A small "FYI: shared memory isn't working" message was printed at
> startup but otherwise everything else was working as expected... until
> I noticed that mod_jk's worker statuses were jumping-around from
> ACTIVE to DISABLED and back without me changing them.
>
> The problem was non-working shared memory.
>
> Alex, you may want to ensure that your shmcb isn't failing to
> initialize properly. It might explain the issues you are seeing.
>
> > I think that you'll get more answers on mod_ssl behaviour if you
> > ask on an Apache HTTPD mailing list.
>
> +1
>
> And please come back and let us know what you find out.
>
> -chris
>
>

Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Konstantin,

On 7/9/15 6:30 AM, Konstantin Kolinko wrote:
> Please do not top-post, Rules: 
> http://tomcat.apache.org/lists.html#tomcat-users -> "6."
> 
> 2015-07-09 13:07 GMT+03:00 Alex Soto <as...@gmail.com>:
>> yes (LogFormat "%H %{SSL_SESSION_ID}e %h %l %u %t \"%r\" %>s
>> %b") note that in both cases %H is the same value. I think it is
>> correct.
> 
> Agreed. HTTP/1.1 is correct here. It is what is written on the
> first line of an HTTP request.
> 
>> Have a look here :
>> http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats 
>> and in particular at %{FOOBAR}e     The contents of the
>> environment variable FOOBAR
>> 
>> You can also log the request protocol : %H      The request
>> protocol
> 
> OP is using HTTPD 2.4, so documentation link is s/2.2/2.4/, 
> http://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats
> 
> You may look at mod_ssl docs, 
> http://httpd.apache.org/docs/2.4/mod/mod_ssl.html
> 
> There are a number of interesting environment variables that may
> be logged (HTTPS, SSL_PROTOCOL, SSL_SESSION_RESUMED).
> 
> Description of  "SSLSessionCache" directive in mod_ssl mentions
> some null values, but as you have configured "shmcb" cache
> implementation that apparently should not happen.

If the shared-memory configuration isn't working, weird things like
this may happen. I had a similar problem with mod_jk's shared memory
configuration pointing to an incorrect-path on the disk, and so shm
didn't initialize properly.

A small "FYI: shared memory isn't working" message was printed at
startup but otherwise everything else was working as expected... until
I noticed that mod_jk's worker statuses were jumping-around from
ACTIVE to DISABLED and back without me changing them.

The problem was non-working shared memory.

Alex, you may want to ensure that your shmcb isn't failing to
initialize properly. It might explain the issues you are seeing.

> I think that you'll get more answers on mod_ssl behaviour if you
> ask on an Apache HTTPD mailing list.

+1

And please come back and let us know what you find out.

-chris


Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

Posted by Alex Soto <as...@gmail.com>.
Hello, yes, I have raised the question on the httpd mailing list. Just to keep
you informed, look what I have discovered. If I run in Chrome or Firefox I
get the following log messages:
HTTP/1.1 - on TLSv1.2 Initial 172.17.42.1 - - [09/Jul/2015:13:57:18 +0000] "GET /hello/hello HTTP/1.1" 200 89
HTTP/1.1 - on TLSv1.2 Initial 172.17.42.1 - - [09/Jul/2015:13:57:19 +0000] "GET /hello/hello HTTP/1.1" 200 89
HTTP/1.1 - on TLSv1.2 Initial 172.17.42.1 - - [09/Jul/2015:13:57:21 +0000] "GET /hello/hello HTTP/1.1" 200 89
HTTP/1.1 - on TLSv1.2 Initial 172.17.42.1 - - [09/Jul/2015:13:57:22 +0000] "GET /hello/hello HTTP/1.1" 200 89
HTTP/1.1 - on TLSv1.2 Initial 172.17.42.1 - - [09/Jul/2015:13:57:23 +0000] "GET /hello/hello HTTP/1.1" 200 89
HTTP/1.1 40007d1aa0ddea6c05fafc5ea26da0d239e8f5b11993db732da74b67ae5479ca on TLSv1.2 Resumed 172.17.42.1 - - [09/Jul/2015:13:57:29 +0000] "GET /hello/hello HTTP/1.1" 200 209

So it is always initial communication until some time it starts to resume
one.

But look what's happening if I use curl:
HTTP/1.1 d9c1532b4b38dd83fafbd3c7435653229f94e7e13fa7802fc6e0d91d7d748c4a on TLSv1.2 Initial 172.17.42.1 - - [09/Jul/2015:13:58:37 +0000] "GET /hello/hello HTTP/1.1" 200 209

It is the same I don't stop server or anything else.

Don't know if this gives you some information or not.

Thank you so much.



On Thu, 9 Jul 2015 at 13:30, Konstantin Kolinko (<kn...@gmail.com>) wrote:

> Please do not top-post, Rules:
> http://tomcat.apache.org/lists.html#tomcat-users
> -> "6."
>
> 2015-07-09 13:07 GMT+03:00 Alex Soto <as...@gmail.com>:
> > yes (LogFormat "%H %{SSL_SESSION_ID}e %h %l %u %t \"%r\" %>s %b")
> > note that in both cases %H is the same value. I think it is correct.
>
> Agreed. HTTP/1.1 is correct here.
>  It is what is written on the first line of an HTTP request.
>
> > Have a look here : http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats
> > and in particular at
> >  %{FOOBAR}e     The contents of the environment variable FOOBAR
> >
> > You can also log the request protocol :
> > %H      The request protocol
>
> OP is using HTTPD 2.4, so documentation link is s/2.2/2.4/,
> http://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats
>
> You may look at mod_ssl docs,
> http://httpd.apache.org/docs/2.4/mod/mod_ssl.html
>
> There are a number of interesting environment variables that may be
> logged (HTTPS, SSL_PROTOCOL, SSL_SESSION_RESUMED).
>
> Description of  "SSLSessionCache" directive in mod_ssl mentions some
> null values, but as you have configured "shmcb" cache implementation
> that apparently should not happen.
>
>
> I think that you'll get more answers on mod_ssl behaviour if you ask
> on an Apache HTTPD mailing list.
>
> Best regards,
> Konstantin Kolinko
>
>
>
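
The access-log check discussed in this thread can be run mechanically over a captured log. The Python sketch below is an added example, not code from any poster or from the httpd/Tomcat projects; it assumes the LogFormat shown in its first comment (the HTTPS, SSL_PROTOCOL and SSL_SESSION_RESUMED fields are inferred from the log lines in the message above), and the last sample line is constructed.

```python
import re
from collections import Counter

# Assumed LogFormat, inferred from the log lines quoted in the thread:
#   LogFormat "%H %{SSL_SESSION_ID}e %{HTTPS}e %{SSL_PROTOCOL}e
#              %{SSL_SESSION_RESUMED}e %h %l %u %t \"%r\" %>s %b"
# mod_log_config writes "-" for an environment variable that is not set.
LINE_RE = re.compile(
    r'^(?P<proto>\S+) (?P<sid>\S+) (?P<https>\S+) (?P<tls>\S+) '
    r'(?P<resumed>\S+) (?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Lines 1-7 are the entries posted in the thread (unwrapped);
# the final plain-HTTP line is constructed for this example.
SAMPLE_LOG = '''\
HTTP/1.1 - on TLSv1.2 Initial 172.17.42.1 - - [09/Jul/2015:13:57:18 +0000] "GET /hello/hello HTTP/1.1" 200 89
HTTP/1.1 - on TLSv1.2 Initial 172.17.42.1 - - [09/Jul/2015:13:57:19 +0000] "GET /hello/hello HTTP/1.1" 200 89
HTTP/1.1 - on TLSv1.2 Initial 172.17.42.1 - - [09/Jul/2015:13:57:21 +0000] "GET /hello/hello HTTP/1.1" 200 89
HTTP/1.1 - on TLSv1.2 Initial 172.17.42.1 - - [09/Jul/2015:13:57:22 +0000] "GET /hello/hello HTTP/1.1" 200 89
HTTP/1.1 - on TLSv1.2 Initial 172.17.42.1 - - [09/Jul/2015:13:57:23 +0000] "GET /hello/hello HTTP/1.1" 200 89
HTTP/1.1 40007d1aa0ddea6c05fafc5ea26da0d239e8f5b11993db732da74b67ae5479ca on TLSv1.2 Resumed 172.17.42.1 - - [09/Jul/2015:13:57:29 +0000] "GET /hello/hello HTTP/1.1" 200 209
HTTP/1.1 d9c1532b4b38dd83fafbd3c7435653229f94e7e13fa7802fc6e0d91d7d748c4a on TLSv1.2 Initial 172.17.42.1 - - [09/Jul/2015:13:58:37 +0000] "GET /hello/hello HTTP/1.1" 200 209
HTTP/1.1 - - - - 172.17.42.1 - - [09/Jul/2015:13:59:00 +0000] "GET /hello/hello HTTP/1.1" 200 89
'''


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def classify(entry):
    """Separate 'not HTTPS at all' from 'HTTPS, but httpd exported no session id'."""
    if entry["https"].lower() != "on":
        return "plain-http"
    if entry["sid"] == "-":
        return "tls-no-session-id"
    return "tls-with-session-id"


def summarize(log_text):
    """Count requests per (classification, handshake state); also count unparsed lines."""
    counts = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        counts[(classify(entry), entry["resumed"])] += 1
    return counts, unparsed


def missing_by_handshake(counts):
    """For TLS requests without a session id, report which handshake state they had."""
    out = Counter()
    for (kind, resumed), n in counts.items():
        if kind == "tls-no-session-id":
            out[resumed] += n
    return dict(out)


def locate_fault(counts):
    """Rule stated in the thread: if httpd itself sometimes leaves SSL_SESSION_ID
    unset on a TLS request, look at httpd or the setup; if httpd always sets it,
    look at mod_jk or Tomcat."""
    missing = sum(n for (kind, _), n in counts.items()
                  if kind == "tls-no-session-id")
    return "httpd-or-setup" if missing else "mod_jk-or-tomcat"


if __name__ == "__main__":
    counts, unparsed = summarize(SAMPLE_LOG)
    for (kind, resumed), n in sorted(counts.items()):
        print(f"{n:3d}  {kind:20s} handshake={resumed}")
    print("unparsed lines:", unparsed)
    print("missing ids by handshake state:", missing_by_handshake(counts))
    print("look first at:", locate_fault(counts))
```

Running the same script against a log captured after the `SSLSessionTickets off` change reported in the thread is a quick way to confirm that no TLS request is left without a session id.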

Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

Posted by Konstantin Kolinko <kn...@gmail.com>.
Please do not top-post, Rules:
http://tomcat.apache.org/lists.html#tomcat-users
-> "6."

2015-07-09 13:07 GMT+03:00 Alex Soto <as...@gmail.com>:
> yes (LogFormat "%H %{SSL_SESSION_ID}e %h %l %u %t \"%r\" %>s %b")
> note that in both cases %H is the same value. I think it is correct.

Agreed. HTTP/1.1 is correct here.
 It is what is written on the first line of an HTTP request.

> Have a look here : http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats
> and in particular at
>  %{FOOBAR}e     The contents of the environment variable FOOBAR
>
> You can also log the request protocol :
> %H      The request protocol

OP is using HTTPD 2.4, so documentation link is s/2.2/2.4/,
http://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats

You may look at mod_ssl docs,
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html

There are a number of interesting environment variables that may be
logged (HTTPS, SSL_PROTOCOL, SSL_SESSION_RESUMED).

Description of  "SSLSessionCache" directive in mod_ssl mentions some
null values, but as you have configured "shmcb" cache implementation
that apparently should not happen.


I think that you'll get more answers on mod_ssl behaviour if you ask
on an Apache HTTPD mailing list.

Best regards,
Konstantin Kolinko



Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

Posted by Alex Soto <as...@gmail.com>.
yes (LogFormat "%H %{SSL_SESSION_ID}e %h %l %u %t \"%r\" %>s %b")
note that in both cases %H is the same value. I think it is correct.

On Thu, 9 Jul 2015 at 12:06, André Warnier (<aw...@ice-sa.com>) wrote:

> Hi.
>
> Alex Soto wrote:
> > Hi at the end it seems apache is doing something (wrong or not)
> >
> > HTTP/1.1 - 172.17.42.1 - - [09/Jul/2015:09:15:06 +0000] "GET /hello/hello HTTP/1.1" 200 89
> >
> > HTTP/1.1 1b17f16f8ae73c1b4d706c1598aadb596db610bbdaeb1cd967e0bea98ec2abcb 172.17.42.1 - - [09/Jul/2015:09:15:34 +0000] "GET /hello/hello HTTP/1.1" 200 209
> >
>
> I only see a mention of HTTP here.  Did you also print the protocol (%H) ?
> (Is that the leading "HTTP/1.1" above ?)
>
>
> >
> > Notice how ssl session id is printed when it is ready. So now it is time to
> > start a discussion with apache and why this is happening.
> >
> > Thank you so much for all your support.
> >
> > Alex.
> >
> > On Thu, 9 Jul 2015 at 0:22, André Warnier (<aw...@ice-sa.com>) wrote:
> >
> >> Alex Soto wrote:
> >>> no they are always the same, I simply go to browser do
> >>> https://localhost/hello/hello and I only push refresh button several times,
> >>> until the id appears. Then after some pushes it disappears again and
> >>> appears after some time again. So I think I am not changing the protocol
> >>> from https to http. In fact the browser complains about that the
> >>> certificate is homemade. So yes I think so.
> >>>
> >>> In first mail I sent the Docker project
> >>> https://github.com/lordofthejars/apache-tomee-ssl just in case you didn't
> >>> know it.
> >>> Also one thing I done was to inspect the debugging file of mod_jk and I can
> >>> see the session id is not sent by mod_jk. But if it is because mod_jk
> >>> misses or not, I just don't know.
> >>
> >> Alex, what I think that your tests show, is that sometimes *Apache httpd* is not setting
> >> the SSL_SESSION_ID variable *as an Apache httpd environment variable*. Therefore, it is
> >> (also) not passed by mod_jk to Tomcat.
> >>
> >> That is also what Christopher was wondering, and that is why he asked you if you were
> >> really sure that all your requests were HTTPS.
> >> At this point, we also don't know why Apache httpd would in some cases not set this, but
> >> the first thing is to find out if it is so, or not. And if it is so, then why ?
> >>
> >> I believe that you can prove (or disprove) this by modifying the format of the Apache
> >> access log.  You can change it so that Apache httpd logs the content of this variable for
> >> each request.  Then you can again make a series of requests, and look at the Apache access
> >> log to verify what happens.
> >>
> >> Have a look here :
> >> http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats
> >> and in particular at
> >>   %{FOOBAR}e    The contents of the environment variable FOOBAR
> >>
> >> You can also log the request protocol :
> >> %H      The request protocol
> >>
> >> In summary : if you can show that Apache httpd is always setting what it should set, and
> >> that sometimes mod_jk or Tomcat does not react to it, then the problem is with mod_jk or
> >> Tomcat.  But if Apache is sometimes not setting this, then the problem is with Apache, or
> >> with something else in your setup.  We are just trying to locate the issue correctly, and
> >> to avoid spending time looking in the wrong places. (For us and for you).
> >>
> >>
> >>> On Wed, 8 Jul 2015 at 17:46, Christopher Schultz (<chris@christopherschultz.net>) wrote:
> >>>
> >>>> Alex,
> >>>>
> >>>> On 7/8/15 10:18 AM, Alex Soto wrote:
> >>>>> I have tried what you mention. When SSL_Id is there both
> >>>>> request.getAttribute("javax.servlet, ....."); and
> >>>>> request.getAttribute("SSL_SESSION_ID"); returns valid sslId and in
> >>>>> the same way if one is null them the other one is null too so it
> >>>>> behaviour is consistent. About header approach always it is null,
> >>>>> probably something in rewrite is not set in header.
> >>>> That sounds like httpd isn't providing the session id.
> >>>>
> >>>> Are you absolutely sure that all of these requests are actually HTTPS
> >>>> from the client? Do you ever switch between HTTPS and HTTP?
> >>>>
> >>>> -chris

Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

Posted by André Warnier <aw...@ice-sa.com>.
Hi.

Alex Soto wrote:
> Hi at the end it seems apache is doing something (wrong or not)
> 
> HTTP/1.1 - 172.17.42.1 - - [09/Jul/2015:09:15:06 +0000] "GET /hello/hello HTTP/1.1" 200 89
>
> HTTP/1.1 1b17f16f8ae73c1b4d706c1598aadb596db610bbdaeb1cd967e0bea98ec2abcb 172.17.42.1 - - [09/Jul/2015:09:15:34 +0000] "GET /hello/hello HTTP/1.1" 200 209
> 

I only see a mention of HTTP here.  Did you also print the protocol (%H) ?
(Is that the leading "HTTP/1.1" above ?)


> 
> Notice how ssl session id is printed when it is ready. So now it is time to
> start a discussion with apache and why this is happening.
> 
> Thank you so much for all your support.
> 
> Alex.
> 
> On Thu, 9 Jul 2015 at 0:22, André Warnier (<aw...@ice-sa.com>) wrote:
> 
>> Alex Soto wrote:
>>> no they are always the same, I simply go to browser do
>>> https://localhost/hello/hello and I only push refresh button several times,
>>> until the id appears. Then after some pushes it disappears again and
>>> appears after some time again. So I think I am not changing the protocol
>>> from https to http. In fact the browser complains about that the
>>> certificate is homemade. So yes I think so.
>>>
>>> In first mail I sent the Docker project
>>> https://github.com/lordofthejars/apache-tomee-ssl just in case you didn't
>>> know it.
>>> Also one thing I done was to inspect the debugging file of mod_jk and I can
>>> see the session id is not sent by mod_jk. But if it is because mod_jk
>>> misses or not, I just don't know.
>>
>> Alex, what I think that your tests show, is that sometimes *Apache httpd* is not setting
>> the SSL_SESSION_ID variable *as an Apache httpd environment variable*. Therefore, it is
>> (also) not passed by mod_jk to Tomcat.
>>
>> That is also what Christopher was wondering, and that is why he asked you if you were
>> really sure that all your requests were HTTPS.
>> At this point, we also don't know why Apache httpd would in some cases not set this, but
>> the first thing is to find out if it is so, or not. And if it is so, then why ?
>>
>> I believe that you can prove (or disprove) this by modifying the format of the Apache
>> access log.  You can change it so that Apache httpd logs the content of this variable for
>> each request.  Then you can again make a series of requests, and look at the Apache access
>> log to verify what happens.
>>
>> Have a look here :
>> http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats
>> and in particular at
>>   %{FOOBAR}e    The contents of the environment variable FOOBAR
>>
>> You can also log the request protocol :
>> %H      The request protocol
>>
>> In summary : if you can show that Apache httpd is always setting what it should set, and
>> that sometimes mod_jk or Tomcat does not react to it, then the problem is with mod_jk or
>> Tomcat.  But if Apache is sometimes not setting this, then the problem is with Apache, or
>> with something else in your setup.  We are just trying to locate the issue correctly, and
>> to avoid spending time looking in the wrong places. (For us and for you).
>>
>>
>>> On Wed, 8 Jul 2015 at 17:46, Christopher Schultz (<chris@christopherschultz.net>) wrote:
>>>
>>>> Alex,
>>>>
>>>> On 7/8/15 10:18 AM, Alex Soto wrote:
>>>>> I have tried what you mention. When SSL_Id is there both
>>>>> request.getAttribute("javax.servlet, ....."); and
>>>>> request.getAttribute("SSL_SESSION_ID"); returns valid sslId and in
>>>>> the same way if one is null them the other one is null too so it
>>>>> behaviour is consistent. About header approach always it is null,
>>>>> probably something in rewrite is not set in header.
>>>> That sounds like httpd isn't providing the session id.
>>>>
>>>> Are you absolutely sure that all of these requests are actually HTTPS
>>>> from the client? Do you ever switch between HTTPS and HTTP?
>>>>
>>>> -chris


Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

Posted by Alex Soto <as...@gmail.com>.
Hi at the end it seems apache is doing something (wrong or not)

HTTP/1.1 - 172.17.42.1 - - [09/Jul/2015:09:15:06 +0000] "GET /hello/hello HTTP/1.1" 200 89

HTTP/1.1 1b17f16f8ae73c1b4d706c1598aadb596db610bbdaeb1cd967e0bea98ec2abcb 172.17.42.1 - - [09/Jul/2015:09:15:34 +0000] "GET /hello/hello HTTP/1.1" 200 209


Notice how ssl session id is printed when it is ready. So now it is time to
start a discussion with apache and why this is happening.

Thank you so much for all your support.

Alex.

On Thu, 9 Jul 2015 at 0:22, André Warnier (<aw...@ice-sa.com>) wrote:

> Alex Soto wrote:
> > no they are always the same, I simply go to browser do
> > https://localhost/hello/hello and I only push refresh button several times,
> > until the id appears. Then after some pushes it disappears again and
> > appears after some time again. So I think I am not changing the protocol
> > from https to http. In fact the browser complains about that the
> > certificate is homemade. So yes I think so.
> >
> > In first mail I sent the Docker project
> > https://github.com/lordofthejars/apache-tomee-ssl just in case you didn't
> > know it.
> > Also one thing I done was to inspect the debugging file of mod_jk and I can
> > see the session id is not sent by mod_jk. But if it is because mod_jk
> > misses or not, I just don't know.
>
> Alex, what I think that your tests show, is that sometimes *Apache httpd* is not setting
> the SSL_SESSION_ID variable *as an Apache httpd environment variable*. Therefore, it is
> (also) not passed by mod_jk to Tomcat.
>
> That is also what Christopher was wondering, and that is why he asked you if you were
> really sure that all your requests were HTTPS.
> At this point, we also don't know why Apache httpd would in some cases not set this, but
> the first thing is to find out if it is so, or not. And if it is so, then why ?
>
> I believe that you can prove (or disprove) this by modifying the format of the Apache
> access log.  You can change it so that Apache httpd logs the content of this variable for
> each request.  Then you can again make a series of requests, and look at the Apache access
> log to verify what happens.
>
> Have a look here :
> http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats
> and in particular at
>   %{FOOBAR}e    The contents of the environment variable FOOBAR
>
> You can also log the request protocol :
> %H      The request protocol
>
> In summary : if you can show that Apache httpd is always setting what it should set, and
> that sometimes mod_jk or Tomcat does not react to it, then the problem is with mod_jk or
> Tomcat.  But if Apache is sometimes not setting this, then the problem is with Apache, or
> with something else in your setup.  We are just trying to locate the issue correctly, and
> to avoid spending time looking in the wrong places. (For us and for you).
>
>
> >
> > El dc., 8 jul. 2015 a les 17:46, Christopher Schultz (<
> > chris@christopherschultz.net>) va escriure:
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA256
> >>
> >> Alex,
> >>
> >> On 7/8/15 10:18 AM, Alex Soto wrote:
> >>> I have tried what you mention. When SSL_Id is there both
> >>> request.getAttribute("javax.servlet, ....."); and
> >>> request.getAttribute("SSL_SESSION_ID"); returns valid sslId and in
> >>> the same way if one is null them the other one is null too so it
> >>> behaviour is consistent. About header approach always it is null,
> >>> probably something in rewrite is not set in header.
> >> That sounds like httpd isn't providing the session id.
> >>
> >> Are you absolutely sure that all of these requests are actually HTTPS
> >> from the client? Do you ever switch between HTTPS and HTTP?
> >>
> >> - -chris
> >> -----BEGIN PGP SIGNATURE-----
> >> Comment: GPGTools - http://gpgtools.org
> >>
> >> iQIcBAEBCAAGBQJVnUWVAAoJEBzwKT+lPKRYEuYQAKdxOcVmVjJI3ul57zCWys43
> >> KOO0cQddZUnuerb3zpBKSZn8ab6KCvVCs+usULV498OAjEUOaNl2PscgNCTbT7+G
> >> YjxvXsz3TsgDvf5tIDexEFnuteb1/zxwmxl/yREjITTl4XnSx3MHPDH7n9vBiYlO
> >> 4iHFdmSF5K3CIAKweCjBYpsQdKAaVtmrfJzdpfOnop2tIlC+vAL2w5pgHOshm18Z
> >> dR3oOcSztev9Vws4iOYQlwc47Cg3M0bxyZ/KyIOd2IAUp0vpc8KTa2Hym388VnP+
> >> UfnCUeAOfF2eKfk4c0aXJ3VNAkfIMJ44gG9oSI2lAChk8dbK4PE41sZ+ykHPwJgR
> >> gXXxXbAfrdbFuav2DtWAAoEUiGQGA4YuKqJxJMQa6LOI6sJ2+TXE/CIUkRwmijRs
> >> NkKRDGy9KW9eVsF6N7gtCsDAoL/qbu8yr01d1A6hLiofiUj3EkweNBVs2dzMmt+N
> >> WsY2Rbr9MdmYtaEcXI+uGsM5bLWatBDMxErnMCWve0QgrGiRjREns39ixuiuWpQI
> >> qbBMGhLajjDxtLpd2mMiqXvLLXVIHKem3bJ/lxACiSmYlw/5/gDayoHt9KYYbxEu
> >> adJ9wGjDRlaowokEKdGFd4GVndqoiK0NPfd2lgvSpZLuUL/qwoklTdiGr6zhkvT7
> >> T+GAJuwkYY7GSgMplLrS
> >> =vEii
> >> -----END PGP SIGNATURE-----
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >>
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

Posted by André Warnier <aw...@ice-sa.com>.
Alex Soto wrote:
> no they are always the same, I simply go to browser do
> https://localhost/hello/hello and I only push refresh button several times,
> until the id appears. Then after some pushes it disappears again and
> appears after some time again. So I think I am not changing the protocol
> from https to http. In fact the browser complains about that the
> certificate is homemade. So yes I think so.
> 
> In first mail I sent the Docker project
> https://github.com/lordofthejars/apache-tomee-ssl just in case you didn't
> know it.
> Also one thing I did was to inspect the debugging file of mod_jk and I can
> see the session id is not sent by mod_jk. But if it is because mod_jk
> misses or not, I just don't know.

Alex, what I think that your tests show, is that sometimes *Apache httpd* is not setting
the SSL_SESSION_ID variable *as an Apache httpd environment variable*. Therefore, it is
(also) not passed by mod_jk to Tomcat.

That is also what Christopher was wondering, and that is why he asked you if you were 
really sure that all your requests were HTTPS.
At this point, we also don't know why Apache httpd would in some cases not set this, but 
the first thing is to find out if it is so, or not. And if it is so, then why ?

I believe that you can prove (or disprove) this by modifying the format of the Apache 
access log.  You can change it so that Apache httpd logs the content of this variable for 
each request.  Then you can again make a series of requests, and look at the Apache access 
log to verify what happens.

Have a look here : http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats
and in particular at
  %{FOOBAR}e 	The contents of the environment variable FOOBAR

You can also log the request protocol :
%H 	The request protocol

In summary : if you can show that Apache httpd is always setting what it should set, and 
that sometimes mod_jk or Tomcat does not react to it, then the problem is with mod_jk or 
Tomcat.  But if Apache is sometimes not setting this, then the problem is with Apache, or 
with something else in your setup.  We are just trying to locate the issue correctly, and 
to avoid spending time looking in the wrong places. (For us and for you).




Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

Posted by Alex Soto <as...@gmail.com>.
no they are always the same, I simply go to browser do
https://localhost/hello/hello and I only push refresh button several times,
until the id appears. Then after some pushes it disappears again and
appears after some time again. So I think I am not changing the protocol
from https to http. In fact the browser complains about that the
certificate is homemade. So yes I think so.

In first mail I sent the Docker project
https://github.com/lordofthejars/apache-tomee-ssl just in case you didn't
know it.
Also one thing I did was to inspect the debugging file of mod_jk and I can
see the session id is not sent by mod_jk. But if it is because mod_jk
misses or not, I just don't know.

Alex.


Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Alex,

On 7/8/15 10:18 AM, Alex Soto wrote:
> I have tried what you mention. When SSL_Id is there both
> request.getAttribute("javax.servlet, ....."); and
> request.getAttribute("SSL_SESSION_ID"); returns valid sslId and in
> the same way if one is null then the other one is null too so its
> behaviour is consistent. About header approach always it is null,
> probably something in rewrite is not set in header.

That sounds like httpd isn't providing the session id.

Are you absolutely sure that all of these requests are actually HTTPS
from the client? Do you ever switch between HTTPS and HTTP?

-chris


Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

Posted by Alex Soto <as...@gmail.com>.
I have tried what you mention. When SSL_Id is there both
request.getAttribute("javax.servlet, ....."); and
request.getAttribute("SSL_SESSION_ID"); returns valid sslId and in the same
way if one is null then the other one is null too so its behaviour is
consistent. About header approach always it is null, probably something in
rewrite is not set in header.

Well everything is consistent, the question is if this consistency is ok or
not.

Alex.


Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

Posted by André Warnier <aw...@ice-sa.com>.
Alex Soto wrote:
> Hi I have tried this approach custom JkEnvVar are pass correctly, what I
> don't know how to do is how to set an already JkEnvVar to a new JkEnvVar
> (what you mention about "force)) I have tried with %{SSL_SESSION_ID} and $
> but no luck (Don't know if it is because originally it was null or not).

I think it is just

JkEnvVar SSL_SESSION_ID "none"

(where "none" is the default value, used if the Apache "environment variable"
SSL_SESSION_ID was not set before you pass the request to Tomcat.)
(The default value ensures that Tomcat always gets something, no matter what)

Then in Tomcat you do request.getAttribute("SSL_SESSION_ID") , and if you find the value 
"none", it means that SSL_SESSION_ID was not set at the httpd level.

Note: if that does not work, there is still another method that can be tried : setting a 
HTTP request header, before proxying to Tomcat. It would work like this :

RewriteEngine On
RewriteRule .* - [E=MY_SESSION_ID:%{SSL_SESSION_ID},NE]
RequestHeader set JK-SSL-SESSION "%{MY_SESSION_ID}e"

and then in Tomcat you would retrieve the HTTP header "JK-SSL-SESSION".





Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

Posted by Alex Soto <as...@gmail.com>.
Hi I have tried this approach custom JkEnvVar are pass correctly, what I
don't know how to do is how to set an already JkEnvVar to a new JkEnvVar
(what you mention about "force)) I have tried with %{SSL_SESSION_ID} and $
but no luck (Don't know if it is because originally it was null or not).

Alex.

On Tue, 7 Jul 2015 at 23:05, André Warnier (<aw...@ice-sa.com>) wrote:

> Alex Soto wrote:
> > yes it is set at httpd-ssl.config
> >
> > https://github.com/lordofthejars/apache-tomee-ssl/blob/master/httpd-ssl.conf#L229
> > which I think that is where it should be set.
> > Everything too strange, but thanks anyway.
>
> Then, and until Rainer himself jumps in, let me ask you if it would be possible to make
> one more test. As far as I understand, this is not the way it /should/ work, but it may be
> a way to find out what doesn't work, inasmuch as there is really a problem :
>
> Somewhere in that same page, there is a way by which you can "force" a value to be passed
> on to Tomcat as a request attribute (via JkEnvVar "name" "default-value").
> Can you try to pass the SSL session-id in that way, and obtain it in Tomcat via
> request.getAttribute("name"), instead of the standard request.ssl_session ?
> And check if /then/, you get it all the time ?
>
> Again, this is probably not the way in which this should work. But Tomcat is open-source
> and free software, and its development and debugging benefit from the help of any
> benevolent user, particularly if that user is interested in solving a particular problem
> that he is having.
>
> >
> > On Tue, 7 Jul 2015 at 19:17, André Warnier (<aw...@ice-sa.com>) wrote:
> >
> >> Alex Soto wrote:
> >>> Thank you so much but it is already set.
> >>>
> >>> https://github.com/lordofthejars/apache-tomee-ssl/blob/master/httpd.conf#L171
> >>> This is so strange.
> >> But there is also this phrase : "In order to make SSL data available for
> >> mod_jk in Apache, you need to set SSLOptions +StdEnvVars."
> >>
> >> Honestly, I have never tried this, and I am not an SSL specialist at all,
> >> and the phrase above is a bit ambiguous.  But it seems worth a try, and I
> >> do not see it in your configuration.
> >>
> >>> On Tue, 7 Jul 2015 at 12:25, André Warnier (<aw...@ice-sa.com>) wrote:
> >>>
> >>>> Mark Thomas wrote:
> >>>>> On 07/07/2015 09:28, Alex Soto wrote:
> >>>>>> Hi Mark, SSL Session ID is not passed to Tomcat. You can see the logs here
> >>>>>> https://gist.github.com/lordofthejars/226d8ed605f2a58b52f3 (I have created
> >>>>>> a gist to not add here a lot of lines).
> >>>>>>
> >>>>>> Now the question is is it happens because of mod_jk or because of Apache?
> >>>>>> Alex.
> >>>>> OK. You've reached the limits of my comfort zone. You need someone more
> >>>>> familiar with the httpd side of things at this point. Rainer?
> >>>>>
> >>>>> Mark
> >>>> Not Rainer, but maybe this helps :
> >>>> http://tomcat.apache.org/connectors-doc/reference/apache.html
> >>>> Look for "JkExtractSSL".
> >>>>
> >>>>
> >>>>>> On Mon, 6 Jul 2015 at 12:48, Mark Thomas (<ma...@apache.org>) wrote:
> >>>>>>
> >>>>>>> On 06/07/2015 10:48, Alex Soto wrote:
> >>>>>>>> Hello I have seen a strange behaviour in Apache HTTPD (2.4)  and TomEE (in
> >>>>>>>> fact it is a Tomcat (7.0.61) so it is exactly the same for Tomcat) when I
> >>>>>>>> configure Apache server with SSL and mod_jk.
> >>>>>>>> In fact I am not sure where it is the problem if in mod_jk, in Apache
> >>>>>>>> Server or in Tomcat, but I suspect that maybe the problem is on mod_jk
> >>>>>>>> configuration.
> >>>>>>>>
> >>>>>>>> I am configuring the typical Apache as frontend and TomEE(Tomcat) as
> >>>>>>>> backend solution. Currently Apache is configured with SSL and with mod_jk
> >>>>>>>> it connects to TomEE using AJP. This works perfectly. The problem is that
> >>>>>>>> inside my code I need to get the ssl session id:
> >>>>>>>>
> >>>>>>>> String ssl =
> >>>>>>>> (String)servletRequest.getAttribute("javax.servlet.request.ssl_session_id");
> >>>>>>>>
> >>>>>>>> I don't know why but sometimes this attribute is null and sometimes not. It
> >>>>>>>> may return a null at first then stay like 10 requests working and then stop
> >>>>>>>> working again during some requests and the get attribute returns null.
> >>>>>>>>
> >>>>>>>> It seems that everything is configured correctly since sometimes works.
> >>>>>>>> Have you ever found something similar or knows what it can be happening? Do
> >>>>>>>> you think that maybe the problem is on client (browser) side?
> >>>>>>>>
> >>>>>>>> Everything is dockerized here:
> >>>>>>>> https://github.com/lordofthejars/apache-tomee-ssl so you can review
> >>>>>>>> configuration files of tomcat and apache or even run it.
> >>>>>>>>
> >>>>>>>> Thank you so much for your support.
> >>>>>>> Try turning on debug logging for mod_jk. It will generate lots of data
> >>>>>>> so just do it long enough to see the problem. When you look at the logs
> >>>>>>> you should be able to see if the SSL Session ID is being passed to
> >>>>>>> Tomcat or not.
> >>>>>>>
> >>>>>>> Mark
> >>>>>>>
> >>>>>>>
> >>>>>>>
> ---------------------------------------------------------------------
> >>>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>>>>
> >>>>>>>
> >>>>> ---------------------------------------------------------------------
> >>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>>
> >>>>>
> >>>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>
> >>>>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >>
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

Posted by André Warnier <aw...@ice-sa.com>.
Alex Soto wrote:
> Yes, it is set at httpd-ssl.config
> https://github.com/lordofthejars/apache-tomee-ssl/blob/master/httpd-ssl.conf#L229
> which I think is where it should be set.
> Everything is too strange, but thanks anyway.

Then, and until Rainer himself jumps in, let me ask you if it would be possible to make 
one more test. As far as I understand, this is not the way it /should/ work, but it may be 
a way to find out what doesn't work, inasmuch as there is really a problem :

Somewhere in that same page, there is a way by which you can "force" a value to be passed 
on to Tomcat as a request attribute (via JkEnvVar "name" "default-value").
Can you try to pass the SSL session-id in that way, and obtain it in Tomcat via 
request.getAttribute("name"), instead of the standard request.ssl_session ?
And check if /then/, you get it all the time ?

Again, this is probably not the way in which this should work. But Tomcat is open-source 
and free software, and its development and debugging benefit from the help of any 
benevolent user, particularly if that user is interested in solving a particular problem 
that he is having.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
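
The test André proposes above, as an added example (not code from this thread or from the Tomcat or mod_jk projects): a servlet filter that reads the SSL session id both from the standard attribute and from an attribute forced through JkEnvVar, and logs which of the two arrived on each request. The class name, the "none" default value and the log format are assumptions made for illustration; SSL_SESSION_ID is the variable mod_ssl exports when SSLOptions +StdEnvVars is set.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Added example: logs, per request, whether the SSL session id reached Tomcat
 * through the standard attribute, through a JkEnvVar-forced attribute, or both.
 *
 * Assumed httpd configuration (directives named in this thread; the default
 * value "none" is a constructed sentinel):
 *   SSLOptions +StdEnvVars
 *   JkExtractSSL On
 *   JkEnvVar SSL_SESSION_ID none
 */
public class SslSessionIdProbeFilter implements Filter {
    private static final Logger LOG =
            Logger.getLogger(SslSessionIdProbeFilter.class.getName());

    static final String STANDARD_ATTR = "javax.servlet.request.ssl_session_id";
    static final String FORCED_ATTR = "SSL_SESSION_ID"; // name given to JkEnvVar
    static final String MISSING = "none";               // JkEnvVar default value

    @Override
    public void init(FilterConfig config) {
        // no configuration needed
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String standard = text(req.getAttribute(STANDARD_ATTR));
        String forced = text(req.getAttribute(FORCED_ATTR));
        String uri = (req instanceof HttpServletRequest)
                ? ((HttpServletRequest) req).getRequestURI() : "-";
        // Log a short digest, never the id itself, so the log cannot be used
        // to correlate or replay anything keyed on the session id.
        LOG.info(String.format(
                "ssl-id-probe uri=%s secure=%b standard=%s forced=%s verdict=%s",
                uri, req.isSecure(), fingerprint(standard), fingerprint(forced),
                verdict(standard, forced)));
        chain.doFilter(req, res);
    }

    /** Normalises an attribute: non-strings, blanks and the sentinel become null. */
    static String text(Object attr) {
        if (!(attr instanceof String)) {
            return null;
        }
        String s = ((String) attr).trim();
        return (s.isEmpty() || MISSING.equals(s)) ? null : s;
    }

    /**
     * ONLY_FORCED : httpd had the id, the standard attribute did not carry it.
     * NEITHER     : the id was not in httpd's request environment at all.
     * ONLY_STANDARD: the JkEnvVar line is probably not in effect.
     */
    static String verdict(String standard, String forced) {
        if (standard != null && forced != null) {
            return standard.equalsIgnoreCase(forced) ? "BOTH_MATCH" : "BOTH_DIFFER";
        }
        if (forced != null) {
            return "ONLY_FORCED";
        }
        return (standard != null) ? "ONLY_STANDARD" : "NEITHER";
    }

    /** First four bytes of SHA-256(id) in hex, or "null" when the id is absent. */
    static String fingerprint(String id) {
        if (id == null) {
            return "null";
        }
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(id.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (int i = 0; i < 4; i++) {
                hex.append(String.format("%02x", digest[i] & 0xff));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }
}
```

Map the filter to the affected URLs only for as long as the comparison takes; a run of NEITHER or ONLY_FORCED lines shows on which side of the AJP hop the value goes missing.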


Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

Posted by Alex Soto <as...@gmail.com>.
Yes, it is set at httpd-ssl.config
https://github.com/lordofthejars/apache-tomee-ssl/blob/master/httpd-ssl.conf#L229
which I think is where it should be set.
Everything is too strange, but thanks anyway.

On Tue, 7 Jul 2015 at 19:17, André Warnier (<aw...@ice-sa.com>) wrote:

> Alex Soto wrote:
> > Thank you so much but it is already set.
> > https://github.com/lordofthejars/apache-tomee-ssl/blob/master/httpd.conf#L171
> > This is so strange.
>
> But there is also this phrase : "In order to make SSL data available for
> mod_jk in Apache, you need to set SSLOptions +StdEnvVars."
>
> Honestly, I have never tried this, and I am not an SSL specialist at all,
> and the phrase above is a bit ambiguous.  But it seems worth a try, and I
> do not see it in your configuration.

Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

Posted by André Warnier <aw...@ice-sa.com>.
Alex Soto wrote:
> Thank you so much but it is already set.
> https://github.com/lordofthejars/apache-tomee-ssl/blob/master/httpd.conf#L171
> This is so strange.

But there is also this phrase : "In order to make SSL data available for mod_jk in Apache, 
you need to set SSLOptions +StdEnvVars."

Honestly, I have never tried this, and I am not an SSL specialist at all, and the phrase 
above is a bit ambiguous.  But it seems worth a try, and I do not see it in your 
configuration.



Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

Posted by Alex Soto <as...@gmail.com>.
Thank you so much but it is already set.
https://github.com/lordofthejars/apache-tomee-ssl/blob/master/httpd.conf#L171
This is so strange.

On Tue, 7 Jul 2015 at 12:25, André Warnier (<aw...@ice-sa.com>) wrote:

> Mark Thomas wrote:
> > On 07/07/2015 09:28, Alex Soto wrote:
> >> Hi Mark, SSL Session ID is not passed to Tomcat. You can see the logs here
> >> https://gist.github.com/lordofthejars/226d8ed605f2a58b52f3 (I have created
> >> a gist to not add here a lot of lines).
> >>
> >> Now the question is: does it happen because of mod_jk or because of Apache?
> >> Alex.
> >
> > OK. You've reached the limits of my comfort zone. You need someone more
> > familiar with the httpd side of things at this point. Rainer?
> >
> > Mark
>
> Not Rainer, but maybe this helps :
> http://tomcat.apache.org/connectors-doc/reference/apache.html
> Look for "JkExtractSSL".

Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

Posted by André Warnier <aw...@ice-sa.com>.
Mark Thomas wrote:
> On 07/07/2015 09:28, Alex Soto wrote:
>> Hi Mark, SSL Session ID is not passed to Tomcat. You can see the logs here
>> https://gist.github.com/lordofthejars/226d8ed605f2a58b52f3 (I have created
>> a gist to not add here a lot of lines).
>>
>> Now the question is: does it happen because of mod_jk or because of Apache?
>> Alex.
> 
> OK. You've reached the limits of my comfort zone. You need someone more
> familiar with the httpd side of things at this point. Rainer?
> 
> Mark

Not Rainer, but maybe this helps :
http://tomcat.apache.org/connectors-doc/reference/apache.html
Look for "JkExtractSSL".




Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

Posted by Mark Thomas <ma...@apache.org>.
On 07/07/2015 09:28, Alex Soto wrote:
> Hi Mark, SSL Session ID is not passed to Tomcat. You can see the logs here
> https://gist.github.com/lordofthejars/226d8ed605f2a58b52f3 (I have created
> a gist to not add here a lot of lines).
> 
> Now the question is: does it happen because of mod_jk or because of Apache?
> Alex.

OK. You've reached the limits of my comfort zone. You need someone more
familiar with the httpd side of things at this point. Rainer?

Mark



Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

Posted by Alex Soto <as...@gmail.com>.
Hi Mark, SSL Session ID is not passed to Tomcat. You can see the logs here
https://gist.github.com/lordofthejars/226d8ed605f2a58b52f3 (I have created
a gist to not add here a lot of lines).

Now the question is: does it happen because of mod_jk or because of Apache?
Alex.

On Mon, 6 Jul 2015 at 12:48, Mark Thomas (<ma...@apache.org>) wrote:

> On 06/07/2015 10:48, Alex Soto wrote:
> > Hello I have seen a strange behaviour in Apache HTTPD (2.4)  and TomEE (in
> > fact it is a Tomcat (7.0.61) so it is exactly the same for Tomcat) when I
> > configure Apache server with SSL and mod_jk.
> > In fact I am not sure where it is the problem if in mod_jk, in Apache
> > Server or in Tomcat, but I suspect that maybe the problem is on mod_jk
> > configuration.
> >
> > I am configuring the typical Apache as frontend and TomEE(Tomcat) as
> > backend solution. Currently Apache is configured with SSL and with mod_jk
> > it connects to TomEE using AJP. This works perfectly. The problem is that
> > inside my code I need to get the ssl session id:
> >
> > String ssl =
> > (String)servletRequest.getAttribute("javax.servlet.request.ssl_session_id");
> >
> > I don't know why but sometimes this attribute is null and sometimes not. It
> > may return a null at first then stay like 10 requests working and then stop
> > working again during some requests and the get attribute returns null.
> >
> > It seems that everything is configured correctly since sometimes works.
> > Have you ever found something similar or knows what it can be happening? Do
> > you think that maybe the problem is on client (browser) side?
> >
> > Everything is dockerized here:
> > https://github.com/lordofthejars/apache-tomee-ssl so you can review
> > configuration files of tomcat and apache or even run it.
> >
> > Thank you so much for your support.
>
> Try turning on debug logging for mod_jk. It will generate lots of data
> so just do it long enough to see the problem. When you look at the logs
> you should be able to see if the SSL Session ID is being passed to
> Tomcat or not.
>
> Mark

Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

Posted by Mark Thomas <ma...@apache.org>.
On 06/07/2015 10:48, Alex Soto wrote:
> Hello I have seen a strange behaviour in Apache HTTPD (2.4)  and TomEE (in
> fact it is a Tomcat (7.0.61) so it is exactly the same for Tomcat) when I
> configure Apache server with SSL and mod_jk.
> In fact I am not sure where it is the problem if in mod_jk, in Apache
> Server or in Tomcat, but I suspect that maybe the problem is on mod_jk
> configuration.
> 
> I am configuring the typical Apache as frontend and TomEE(Tomcat) as
> backend solution. Currently Apache is configured with SSL and with mod_jk
> it connects to TomEE using AJP. This works perfectly. The problem is that
> inside my code I need to get the ssl session id:
> 
> String ssl =
> (String)servletRequest.getAttribute("javax.servlet.request.ssl_session_id");
> 
> I don't know why but sometimes this attribute is null and sometimes not. It
> may return a null at first then stay like 10 requests working and then stop
> working again during some requests and the get attribute returns null.
> 
> It seems that everything is configured correctly since sometimes works.
> Have you ever found something similar or knows what it can be happening? Do
> you think that maybe the problem is on client (browser) side?
> 
> Everything is dockerized here:
> https://github.com/lordofthejars/apache-tomee-ssl so you can review
> configuration files of tomcat and apache or even run it.
> 
> Thank you so much for your support.

Try turning on debug logging for mod_jk. It will generate lots of data
so just do it long enough to see the problem. When you look at the logs
you should be able to see if the SSL Session ID is being passed to
Tomcat or not.

Mark

