Posted to users@tomcat.apache.org by atul <te...@yahoo.com> on 2008/10/24 20:09:21 UTC

Force getting Client Cert from browser

I am initiating client ssl in my webapp by requesting attr 
org.apache.coyote.request.X509Certificate 
 
User is prompted for the client cert at the browser and logs in just fine.
When the user logs out, we invalidate the Http session.
However, when the user tries to access another protected resource using same browser window (without closing), he gets right in.
Tomcat never initiates ssl renegotiation - probably because it hangs onto sslsocket and sslsession object for performance.
Is there any way we can get Tomcat to forcefully renegotiate SSL for the client cert?
Is there any way the application can get the SSLSocket and close it? Or destroy the SSLSession object?
I tried sending http Connection: Close on the response with no success.
 
Is there any other way to achieve this?
 
I am using Tomcat 5.5 with Java 1.6_07.
 
Any prompt help is really appreciated!
 
Thanks


      

RE: Force getting Client Cert from browser

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: atul [mailto:techatool@yahoo.com]
> Subject: Force getting Client Cert from browser
>
> Tomcat never initiates ssl renegotiation - probably because
> it hangs onto sslsocket and sslsession object for performance.

No - it's because the *browser* uses the same sessionid and connection.  Nothing Tomcat can do about that.

> Is there anyway we can effect tomcat to forcefully
> renegotiate ssl for client cert ?

Invalidate the session after every request - but only if you really want to annoy your users.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Force getting Client Cert from browser

Posted by Bill Barker <wb...@wilshire.com>.
"i_am" <te...@yahoo.com> wrote in message 
news:23286972.post@talk.nabble.com...
>
> Thanks Charles.
> Ok getting back to it after a looong break...
>
> I looked at the SSL traces and it looks like the client is sending the server an
> Alert (21) Warning (close notify), but the server (Tomcat) seems to ignore it!
> Is there a way (config) to force Tomcat to renegotiate?

Nope. Tomcat relies on the underlying JVM implementation for secure sockets 
for the most part.

> I even tried to invoke the Tomcat action code ACTION_REQ_SSL_CERTIFICATE, which
> I thought should force renegotiation, but it still does not.

As you have found out, this will only force renegotiation if the client cert 
is missing.  Anyway, most browsers treat CLIENT-CERT like BASIC and just 
resend the credentials.

> I still see the same behavior where Tomcat just uses the cached certificate!!!
>
> Versions : Tomcat 5.5.27 with Java 1.6.0_11 on SLES10.
>
> Any help is appreciated...
>
> Thanks
>




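The thread's conclusion is that the transport cannot be made to forget the certificate: the browser keeps its TLS session (and usually the connection) and simply resends the cert on the next request, so invalidating the HttpSession alone lets the user straight back in. The practical fix is to stop treating "a certificate arrived" as "the user is logged in". The filter below is an added example, not code from the thread or from Tomcat: it creates the application session only on an explicit POST to a login URL, and on every later request checks that the certificate on the wire still matches the one the session was opened with. It asks Tomcat for the org.apache.coyote.request.X509Certificate attribute the original poster used (which makes the connector fetch the cert, prompting the browser only if none was sent on this TLS session) and falls back to the standard javax.servlet.request.X509Certificate attribute. The paths /login and /logout, the init-parameter names and the session attribute name are assumptions; the javax.servlet package matches the Tomcat 5.5 era discussed here (Tomcat 10 and later use jakarta.servlet).

```java
// Added example: separate "client cert present on the TLS connection" from
// "this user has an authenticated application session". Not from the thread.
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class CertLoginFilter implements Filter {
    // Standard servlet attribute, populated once the connector has the chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Tomcat-specific attribute from the thread; requesting it makes the connector
    // fetch the cert (renegotiating only if the client has not sent one yet).
    private static final String TOMCAT_CERT_ATTR = "org.apache.coyote.request.X509Certificate";
    // Assumed session attribute name holding the authenticated subject DN.
    private static final String SESSION_USER = "cert.login.subject";

    private String loginPath = "/login";   // assumed defaults, overridable in web.xml
    private String logoutPath = "/logout";

    public void init(FilterConfig cfg) {
        if (cfg.getInitParameter("loginPath") != null) loginPath = cfg.getInitParameter("loginPath");
        if (cfg.getInitParameter("logoutPath") != null) logoutPath = cfg.getInitParameter("logoutPath");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getServletPath();

        if (logoutPath.equals(path)) {
            HttpSession session = request.getSession(false);
            if (session != null) session.invalidate();
            // The browser still holds the TLS session and will resend the cert;
            // nothing below treats that alone as a login.
            response.sendRedirect(request.getContextPath() + loginPath);
            return;
        }

        if (loginPath.equals(path)) {
            if (!"POST".equals(request.getMethod())) {
                chain.doFilter(req, res);   // let the login page itself be served
                return;
            }
            X509Certificate cert = peerCertificate(request);
            if (cert == null) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
                return;
            }
            // The application session is created only on this explicit user action.
            HttpSession session = request.getSession(true);
            session.setAttribute(SESSION_USER, cert.getSubjectX500Principal().getName());
            response.sendRedirect(request.getContextPath() + "/");
            return;
        }

        HttpSession session = request.getSession(false);
        String subject = (session == null) ? null : (String) session.getAttribute(SESSION_USER);
        if (subject == null) {
            // A cert may well be on the transport, but nobody clicked "log in" since logout.
            response.sendRedirect(request.getContextPath() + loginPath);
            return;
        }
        // Defence in depth: the cert on the wire must still be the one the session was opened with.
        X509Certificate cert = peerCertificate(request);
        if (cert == null || !subject.equals(cert.getSubjectX500Principal().getName())) {
            session.invalidate();
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate/session mismatch");
            return;
        }
        chain.doFilter(req, res);
    }

    // Returns the leaf client certificate, or null if the connector has none.
    static X509Certificate peerCertificate(HttpServletRequest request) {
        Object certs = request.getAttribute(TOMCAT_CERT_ATTR);   // triggers the fetch on Tomcat
        if (certs == null) certs = request.getAttribute(CERT_ATTR);
        if (certs instanceof X509Certificate[] && ((X509Certificate[]) certs).length > 0) {
            return ((X509Certificate[]) certs)[0];
        }
        return null;
    }

    public void destroy() {}
}
```

Map the filter to /* in web.xml and have the page served on GET /login contain a form that POSTs back to /login. After /logout the cached certificate is still presented on every request, but no application session exists until the user submits the form again, which is the behaviour the original poster was trying to get from the transport layer. The subject DN check on later requests is what catches the shared-machine case Chuck mentions only partially: it stops a session from being reused with a different certificate, not a second person using an already logged-in browser.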


RE: Force getting Client Cert from browser

Posted by i_am <te...@yahoo.com>.
Thanks Charles.
Ok getting back to it after a looong break...

I looked at the SSL traces and it looks like the client is sending the server an Alert
(21) Warning (close notify), but the server (Tomcat) seems to ignore it!
Is there a way (config) to force Tomcat to renegotiate?
I even tried to invoke the Tomcat action code ACTION_REQ_SSL_CERTIFICATE, which
I thought should force renegotiation, but it still does not.
I still see the same behavior where Tomcat just uses the cached certificate!!!

Versions : Tomcat 5.5.27 with Java 1.6.0_11 on SLES10.

Any help is appreciated...

Thanks




Caldarale, Charles R wrote:
> 
>> From: atul [mailto:techatool@yahoo.com]
>> Subject: Re: Force getting Client Cert from browser
>>
>> I tried invalidating the HttpSession but that didn't work.
> 
> I'm a bit surprised at that, but I haven't gone through the code enough to
> figure out why that didn't work.  There's a tangentially related thread
> here:
> http://marc.info/?l=tomcat-user&m=120092922008604&w=2
> 
>> Also, in a deployment where if a machine is shared by
>> multiple users and user1 forgets to close the browser before
>> leaving, the user can log right in as user1.
> 
> A problem in any environment that has shared access points, not unique to
> using certificates for client authentication.
> 
>  - Chuck

-- 
View this message in context: http://www.nabble.com/Force-getting-Client-Cert-from-browser-tp20155194p23286972.html
Sent from the Tomcat - User mailing list archive at Nabble.com.

