Posted to dev@httpd.apache.org by Tanel Unt <ta...@emta.ee> on 2009/01/26 13:24:20 UTC
help with hacking the apache 2.2 mod_ssl connection management
Hello.
I am a member of the sysadmin team at a large government institution and
we're stuck with an uncommon problem regarding secure connection
handling in Apache. I would be very grateful if you could spend a few
minutes to hear me out.
Our applications use apache+mod_ssl as a front-end for the Weblogic
cluster and the users authenticate themselves with a certificate stored
on a smartcard. The problem is that once the user logs out from the
application, we must immediately close the SSL connection and also
remove the connection data from Apache's internal cache to prevent SSL
connection resume without re-authentication.
I understand that this is a dire violation of best practices and Apache
architecture to create such a hack but unfortunately the alternative
solutions are already exhausted. We cannot control the user software or
browser choice, which would be the place for a normal solution. Also the
user populace is large (10k+) and varied so user education on how to
properly treat a smartcard is limited at best.
I believe I have researched the Apache configuration options extensively
and I haven't found a clue how to do it. I cannot disable the session
cache because that would force users to constantly type in their
certificate PIN code for reauthentication, and the same goes for playing with
the SSLSessionCacheTimeout.
So far I've learned that I should call
void ssl_scache_remove(server_rec *s, UCHAR *id, int idlen)
in mod_ssl code somehow, but I don't know how or when. Extension modules
like mod_python etc. won't allow me, so a direct hack of Apache code is
required. The applications can direct the user to a fixed URL on logout, so
perhaps a handler that would invalidate and clean up the user's SSL session
after that request has been processed?
The whole thing obviously seems impractical at best, but I'm
unfortunately under pressure from the management to find, or outline the
cost for, a solution. A few words about whether I'm even on the correct
path here or have missed a much better way of achieving the desired
result would be greatly appreciated.
Sincerely yours,
Tanel Unt
System Administrator
Estonian Tax and Customs Board
Re: help with hacking the apache 2.2 mod_ssl connection management
Posted by Graham Leggett <mi...@sharp.fm>.
Tanel Unt wrote:
> So far I've learned that I should call
> void ssl_scache_remove(server_rec *s, UCHAR *id, int idlen)
> in mod_ssl code somehow, but I don't know how or when. Extension modules
> like mod_python etc. won't allow me, so a direct hack of Apache code is
> required. The applications can direct the user to a fixed URL on logout, so
> perhaps a handler that would invalidate and clean up the user's SSL session
> after that request has been processed?
Essentially you would need to add a handler to mod_ssl that when you hit
the handler, the handler calls ssl_scache_remove() and then redirects
the user to somewhere useful, or displays a suitable page ("you have
been logged out").
That should be relatively straightforward (unless I am missing something).
A cleaner approach may be to export ssl_scache_remove() (and friends) as
optional functions, and then place the handler in its own module.
Regards,
Graham