Posted to dev@httpd.apache.org by Tanel Unt <ta...@emta.ee> on 2009/01/26 13:24:20 UTC

help with hacking the apache 2.2 mod_ssl connection management

Hello.

I am a member of the sysadmin team at a large government institution and 
we're stuck with an uncommon problem regarding secure connection 
handling in Apache. I would be very grateful if you could spend a few 
minutes to hear me out.
Our applications use Apache+mod_ssl as a front-end for the WebLogic 
cluster and the users authenticate themselves with a certificate stored 
on a smartcard. The problem is that once the user logs out from the 
application, we must immediately close the SSL connection and also 
remove the connection data from Apache's internal cache to prevent SSL 
connection resume without re-authentication.
I understand that this is a dire violation of best practices and Apache 
architecture to create such a hack but unfortunately the alternative 
solutions are already exhausted. We cannot control the user software or 
browser choice, which would be the place for a normal solution. Also the 
user populace is large (10k+) and varied so user education on how to 
properly treat a smartcard is limited at best.

I believe I have researched the Apache configuration options extensively 
and I haven't found a clue how to do it. I cannot disable the session 
cache because that would force users to constantly type in their 
certificate PIN code for reauthentication, and the same goes for playing with 
the SSLSessionCacheTimeout.

So far I've learned that I should call
void ssl_scache_remove(server_rec *s, UCHAR *id, int idlen)
in mod_ssl code somehow but I don't know how or when. Extension modules 
like mod_python etc. won't allow me so a direct hack of Apache code is 
required. The applications can direct the user to a fixed URL on logout so 
perhaps a handler that would invalidate and clean up the user's SSL session 
after that request has been processed?

The whole thing obviously seems impractical at best but I'm 
unfortunately under pressure from the management to find, or outline the 
cost for, a solution. A few words about whether I'm even on the correct 
path here or have missed a much better way of achieving the desired 
result would be greatly appreciated.

Sincerely yours,
Tanel Unt
System Administrator
Estonian Tax and Customs Board

Re: help with hacking the apache 2.2 mod_ssl connection management

Posted by Graham Leggett <mi...@sharp.fm>.
Tanel Unt wrote:

> So far I've learned that I should call
> void ssl_scache_remove(server_rec *s, UCHAR *id, int idlen)
> in mod_ssl code somehow but I don't know how or when. Extension modules 
> like mod_python etc. won't allow me so a direct hack of Apache code is 
> required. The applications can direct the user to a fixed URL on logout so 
> perhaps a handler that would invalidate and clean up the user's SSL session 
> after that request has been processed?

Essentially you would need to add a handler to mod_ssl that when you hit 
the handler, the handler calls ssl_scache_remove() and then redirects 
the user to somewhere useful, or displays a suitable page ("you have 
been logged out").

That should be relatively straightforward (unless I am missing something).

A cleaner approach may be to export ssl_scache_remove() (and friends) as 
optional functions, and then place the handler in its own module.

Regards,
Graham
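As an added illustration of the mechanism Graham describes (this is example code written for this page, not code from the thread, from mod_ssl or from httpd), the block below models the server-side session cache and a logout handler that forgets the caller's own session. The type names (scache_entry, model_conn), the functions (scache_store, scache_remove, scache_can_resume, logout_handler) and the sample session id are all invented stand-ins; in the real server the removal call is ssl_scache_remove() and the session id comes from the connection's SSL session object. The example runs stand-alone and shows the property that matters for the smartcard case: before logout a client offering the cached id gets an abbreviated handshake with no re-authentication, after logout the cache miss forces a full handshake, which is what makes the browser ask for the certificate (and the PIN) again.

```c
/* Added example, not code from the thread or from httpd/mod_ssl: a model of the
 * server-side SSL session cache plus a logout handler that invalidates the
 * caller's session.  All names here are hypothetical stand-ins; the real
 * mod_ssl entry point is ssl_scache_remove(server_rec *, UCHAR *id, int idlen). */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_ID_LEN   32          /* SSL session ids are at most 32 bytes */
#define CACHE_SLOTS  64

typedef struct {
    int     used;
    size_t  idlen;
    uint8_t id[MAX_ID_LEN];
    char    client_dn[128];      /* subject of the client cert that authenticated */
} scache_entry;

static scache_entry cache[CACHE_SLOTS];

/* Model of one HTTP connection: the SSL session it was negotiated under and
 * whether the server will close it after the current response. */
typedef struct {
    uint8_t session_id[MAX_ID_LEN];
    size_t  session_idlen;
    int     keepalive;           /* 1 = keep open, 0 = close after this response */
} model_conn;

static scache_entry *find_slot(const uint8_t *id, size_t idlen)
{
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (cache[i].used && cache[i].idlen == idlen &&
            memcmp(cache[i].id, id, idlen) == 0)
            return &cache[i];
    return NULL;
}

/* Called after a successful full handshake with client-certificate auth. */
int scache_store(const uint8_t *id, size_t idlen, const char *client_dn)
{
    if (idlen == 0 || idlen > MAX_ID_LEN) return 0;
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (!cache[i].used) {
            cache[i].used = 1;
            cache[i].idlen = idlen;
            memcpy(cache[i].id, id, idlen);
            snprintf(cache[i].client_dn, sizeof cache[i].client_dn, "%s", client_dn);
            return 1;
        }
    }
    return 0;                    /* cache full */
}

/* Same role as ssl_scache_remove(): forget the session so it cannot be resumed.
 * Returns 1 if an entry was removed, 0 if the id was not cached. */
int scache_remove(const uint8_t *id, size_t idlen)
{
    scache_entry *e = find_slot(id, idlen);
    if (!e) return 0;
    memset(e, 0, sizeof *e);
    return 1;
}

/* A client offering this session id: 1 = abbreviated handshake, no re-auth;
 * 0 = cache miss, the server runs a full handshake and asks for the cert again. */
int scache_can_resume(const uint8_t *id, size_t idlen)
{
    return find_slot(id, idlen) != NULL;
}

/* The logout handler from the reply: drop the caller's own session from the
 * cache, then close the connection so nothing further rides on the old handshake. */
int logout_handler(model_conn *c)
{
    int removed = scache_remove(c->session_id, c->session_idlen);
    c->keepalive = 0;
    return removed;
}

int main(void)
{
    const uint8_t sid[] = { 0x01, 0x02, 0x03, 0x04 };   /* constructed sample id */
    model_conn c = { .session_idlen = sizeof sid, .keepalive = 1 };
    memcpy(c.session_id, sid, sizeof sid);

    scache_store(sid, sizeof sid, "CN=constructed user");
    printf("resume before logout: %d\n", scache_can_resume(sid, sizeof sid));
    logout_handler(&c);
    printf("resume after logout: %d, keepalive: %d\n",
           scache_can_resume(sid, sizeof sid), c.keepalive);
    return 0;
}
```

Two points the model makes explicit that a real handler has to get right. First, removing the cache entry only blocks future resumption; the connection that carried the logout request is still authenticated until it is torn down, so the handler also marks it for closing (in httpd that is setting the connection's keepalive state to close so the server does not serve another request on it). Second, the handler removes exactly the session id of the connection it runs on, never a caller-supplied id, otherwise the logout URL becomes a way to evict other users' sessions. In 2.2 ssl_scache_remove() is not exported, which is why the reply suggests either patching the handler into mod_ssl itself or exporting the function as an optional function so a small separate module can call it.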