Posted to dev@tomcat.apache.org by bu...@apache.org on 2010/03/18 11:22:12 UTC

DO NOT REPLY [Bug 48933] New: Client certificate gone after 1 minute timeout (SSL, APR)

https://issues.apache.org/bugzilla/show_bug.cgi?id=48933

           Summary: Client certificate gone after 1 minute timeout (SSL, APR)
           Product: Tomcat 6
           Version: 6.0.26
          Platform: Macintosh
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: Native:Integration
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: altumano@gmail.com


I'm chasing a strange problem with Tomcat + SSL + APR + Firefox.

Namely, the setup works perfectly (i.e. the client certificate is sent and the
servlet application can get it).
But if I allow the SSL connection to time out (it happens 1 minute after the
last request), the servlet application does not get the client certificate
anymore.

The workaround (for user) is to clear Firefox cache (Tools - Clear Recent
History - 1 hour, Active logins).
After this, the application will work again until the next timeout.

This problem does NOT occur if I use pure Java SSL config (no APR) or when I
use a browser other than Firefox.

From that you can imply that this might be a Firefox problem, but I'm not so
sure.
Firefox works perfectly with all other HTTPS sites and also pure Java SSL
config works with Firefox.
So obviously this problem occurs because Tomcat libnative fails to handle some
peculiarities of Firefox SSL packets.

Here is my exact setup:
- Debian 5 (Lenny)
- libapr1 1.2.12-5+lenny1
- openssl  0.9.8g-15+lenny6
- Tomcat 6.0.26 with tomcat-native-1.1.20
- server authentication certificates (newcert.pem, newkey-no-password.pem)
- client authentication certificates (ca.pem and a personal
certificate client1.p12)
- a simple servlet "ssltest" to get the client cert:
      X509Certificate[] certs = (X509Certificate[])
          request.getAttribute("javax.servlet.request.X509Certificate");
      writer.println(Arrays.deepToString(certs));
- Firefox 3.6

The only change in server.xml is the connector conf:

   <Connector port="8443" SSLEnabled="true"
              maxThreads="150" scheme="https" secure="true"
              SSLCertificateFile="${user.home}/newcert.pem"
              SSLCertificateKeyFile="${user.home}/newkey-no-password.pem"
              SSLVerifyClient="require"
              SSLVerifyDepth="2"
              SSLCACertificateFile="${user.home}/ssl/ca.pem"
              />

And installed ssltest.war into webapps.

Now steps to reproduce:
1) import client1.p12 into browser
2) go to https://localhost:8443/ssltest, it will show the client certificate
3) wait 1 minute
4) refresh browser - the application will not get the client certificate
 (request.getAttribute("javax.servlet.request.X509Certificate") returns null)

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
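
The check a practitioner would want behind a connector like the one above, as
an added example that is not part of the bug report and not Tomcat's own code:
a Servlet 2.5 filter that refuses to serve a request when the
javax.servlet.request.X509Certificate attribute is missing, instead of letting
the application fall through to an anonymous code path on the resumed,
certificate-less connection the report describes. The attribute name
javax.servlet.request.X509Certificate is the standard one the report reads;
the class name RequireClientCertFilter and the example.clientCertSubject
attribute it sets are assumptions made for this example.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example, not code from the bug report or from Tomcat.
 * Fails closed when the connector did not hand the application a client
 * certificate chain, which is the situation the report describes once the
 * keep-alive connection has timed out: SSLVerifyClient="require" is set on the
 * APR connector, yet the request attribute arrives as null.
 */
public class RequireClientCertFilter implements Filter {

    /** Standard Servlet attribute the connector populates from the TLS handshake. */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Hypothetical attribute name under which the verified subject DN is exposed. */
    public static final String SUBJECT_ATTR = "example.clientCertSubject";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        String problem = checkChain(request.isSecure(), certs);
        if (problem != null) {
            // Fail closed: never continue as if the certificate had been seen,
            // and keep the refusal out of browser and proxy caches.
            response.setHeader("Cache-Control", "no-store");
            response.sendError(HttpServletResponse.SC_FORBIDDEN, problem);
            return;
        }

        // Element 0 is the leaf certificate. The connector already validated the
        // chain against SSLCACertificateFile, so only the identity is extracted here.
        request.setAttribute(SUBJECT_ATTR, certs[0].getSubjectX500Principal().getName());
        chain.doFilter(request, response);
    }

    /**
     * Returns null when the request carries a usable client chain, otherwise a
     * short reason. Kept separate so it can be unit-tested without a container.
     */
    static String checkChain(boolean secure, X509Certificate[] certs) {
        if (!secure) {
            return "TLS required";
        }
        if (certs == null || certs.length == 0) {
            return "client certificate required";
        }
        try {
            // Cheap re-check of the validity window; the connector verified the
            // chain at handshake time, but the handshake may be an old one.
            certs[0].checkValidity();
        } catch (CertificateException e) {
            return "client certificate not currently valid";
        }
        return null;
    }
}
```

Register it in WEB-INF/web.xml as a filter with a filter-mapping of /* so it
runs before every servlet in the application. It does not cure the connector
behaviour in the report (the reporter's workaround of clearing Firefox's
active logins still applies); what it guarantees is that a request on which
the attribute is null is answered with 403 rather than being served as an
authenticated one.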


DO NOT REPLY [Bug 48933] Client certificate gone after 1 minute timeout (SSL, APR)

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48933

Albert Tumanov <al...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #25143|Certificates                |Certificates (All passwords
        description|                            |are "changeit")



DO NOT REPLY [Bug 48933] Client certificate gone after 1 minute timeout (SSL, APR)

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48933

--- Comment #2 from Albert Tumanov <al...@gmail.com> 2010-03-18 10:30:31 UTC ---
Created an attachment (id=25144)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=25144)
Test application



DO NOT REPLY [Bug 48933] Client certificate gone after 1 minute timeout (SSL, APR)

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48933

--- Comment #1 from Albert Tumanov <al...@gmail.com> 2010-03-18 10:26:30 UTC ---
Created an attachment (id=25143)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=25143)
Certificates

All passwords are "changeit"



DO NOT REPLY [Bug 48933] Client certificate gone after 1 minute timeout (SSL, APR)

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48933

--- Comment #3 from Albert Tumanov <al...@gmail.com> 2010-03-18 10:34:11 UTC ---
Created an attachment (id=25145)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=25145)
Test application source



DO NOT REPLY [Bug 48933] Client certificate gone after 1 minute timeout (SSL, APR)

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48933

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

--- Comment #5 from Mark Thomas <ma...@apache.org> 2010-06-01 18:10:45 EDT ---
At a guess you are hitting issues with SSL renegotiation and the various
work-arounds put in place for CVE-2009-3555. My tests with 6.0.x (trunk),
1.1.20, openssl 0.9.8k and Firefox 3.6.3 work as expected. After 1 min I get
re-prompted for my cert and everything continues to work.



DO NOT REPLY [Bug 48933] Client certificate gone after 1 minute timeout (SSL, APR)

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48933

--- Comment #4 from Albert Tumanov <al...@gmail.com> 2010-03-18 10:39:48 UTC ---
For testing, I was using ssltap:

ssltap -sxlp 18443 localdebian:8443

The URL will then be https://localhost:18443/ssltest

From the ssltap log I can see that after 1 minute since the last request I get
EOF:

Read EOF on Server socket. [Thu Mar 18 12:15:52 2010]
Read EOF on Client socket. [Thu Mar 18 12:16:00 2010]

and after that the problem will occur.
