Posted to users@tomcat.apache.org by Goo Sam Kong <sk...@gmail.com> on 2010/03/17 01:49:35 UTC

How to set SSL session timeout in Tomcat 5.5.16

May I know how to set the SSL session timeout in Tomcat 5.5.16. I am
running JDK 1.5.0 update 7 on RedHat Enterprise.

Thank you.

Regards,
SamKong Goo

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: How to set SSL session timeout in Tomcat 5.5.16

Posted by Goo Sam Kong <sk...@gmail.com>.
Hi Chuck,

Thank you for your quick response.

May I know how to get the protected HttpSession object in a Spring
controller/servlet? I used HttpRequest.getSession.invalidate() but
cannot force re-authentication.

I tried the maxKeepAliveRequests="1" attribute in the HTTPS connector too,
but it cannot force re-authentication. May I know how you do it?

In this thread (http://old.nabble.com/Force-getting-Client-Cert-from-browser-td20155194.html),
Bill Barker-2 mentioned Tomcat can not force re-authentication. Is
that correct?

Thank you.

Regards,
SamKong Goo

On 17 March 2010 11:47, Caldarale, Charles R <Ch...@unisys.com> wrote:
>> From: Goo Sam Kong [mailto:skgoo88@gmail.com]
>> Subject: Re: How to set SSL session timeout in Tomcat 5.5.16
>>
>> I attempted that, that is HTTP Session not SSL session.
>
> Depending on how your webapp is configured, you may have two HttpSession objects - one protected, and one not.  Make sure you're invalidating the protected session from servlet code associated with a protected resource, not from an unprotected reference.
>
> You could also turn off keep-alives in the HTTPS <Connector> (set maxKeepAliveRequests="1").  Renegotiating the SSL handshake on each request might be a noticeable performance hit, however.
>
>  - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
>
>
>
>



RE: How to set SSL session timeout in Tomcat 5.5.16

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Goo Sam Kong [mailto:skgoo88@gmail.com]
> Subject: Re: How to set SSL session timeout in Tomcat 5.5.16
> 
> I attempted that, that is HTTP Session not SSL session.

Depending on how your webapp is configured, you may have two HttpSession objects - one protected, and one not.  Make sure you're invalidating the protected session from servlet code associated with a protected resource, not from an unprotected reference.

You could also turn off keep-alives in the HTTPS <Connector> (set maxKeepAliveRequests="1").  Renegotiating the SSL handshake on each request might be a noticeable performance hit, however.

 - Chuck






Re: How to set SSL session timeout in Tomcat 5.5.16

Posted by Goo Sam Kong <sk...@gmail.com>.
Hi Chuck,

I attempted that, but that is the HTTP session, not the SSL session. I
modified the XML-RPC client to include the code below to terminate the
client's SSL session; it worked, but we would prefer the server to
terminate the SSL session instead.

SSLContext.getClientSessionContext().setSessionTimeout(seconds);

Do you know how to do/configure to invalidate SSL session?

Thank you.

Regards,
SamKong Goo

On 17 March 2010 10:30, Caldarale, Charles R <Ch...@unisys.com> wrote:
>> From: Goo Sam Kong [mailto:skgoo88@gmail.com]
>> Subject: Re: How to set SSL session timeout in Tomcat 5.5.16
>>
>> Can I invalidate the SSL session on server side?
>
> Look at the servlet API doc:
>
> http://tomcat.apache.org/tomcat-5.5-doc/servletapi/javax/servlet/http/HttpSession.html#invalidate()
>
> Again, whether the session was established via HTTP or HTTPS is not pertinent here.
>
>  - Chuck
>
>
>
>
>
>



RE: How to set SSL session timeout in Tomcat 5.5.16

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Goo Sam Kong [mailto:skgoo88@gmail.com]
> Subject: Re: How to set SSL session timeout in Tomcat 5.5.16
> 
> Can I invalidate the SSL session on server side?

Look at the servlet API doc:

http://tomcat.apache.org/tomcat-5.5-doc/servletapi/javax/servlet/http/HttpSession.html#invalidate()

Again, whether the session was established via HTTP or HTTPS is not pertinent here.

 - Chuck






Re: How to set SSL session timeout in Tomcat 5.5.16

Posted by Goo Sam Kong <sk...@gmail.com>.
Hi Chuck,

I am referring to invalidating the SSL session. My application uses
client certificate authentication; the XML-RPC client uses a USB token
as a keystore during the SSL session. We want to force the client to
re-authenticate with my application on every XML-RPC request, to
prevent the user from removing the token while the client is running.
The client will run indefinitely.

From the client, I noticed it cached the first authenticated SSL session
and reused it for the subsequent calls...

Can I invalidate the SSL session on server side?

Thank you.

Regards,
SamKong Goo

On 17 March 2010 09:20, Caldarale, Charles R <Ch...@unisys.com> wrote:
>> From: Goo Sam Kong [mailto:skgoo88@gmail.com]
>> Subject: How to set SSL session timeout in Tomcat 5.5.16
>>
>> May I know how to set the SSL session timeout in Tomcat 5.5.16.
>
> The session timeout value is independent of the session security, and set by the <session-timeout> value in the webapp's WEB-INF/web.xml file or programmatically.  See the servlet spec for details.
>
> BTW, your tomcat version is four years old - you should seriously consider moving up to a newer version that contains numerous fixes, including security-related ones.
>
>  - Chuck
>
>
>
>
>
>
>



RE: How to set SSL session timeout in Tomcat 5.5.16

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Goo Sam Kong [mailto:skgoo88@gmail.com]
> Subject: How to set SSL session timeout in Tomcat 5.5.16
> 
> May I know how to set the SSL session timeout in Tomcat 5.5.16.

The session timeout value is independent of the session security, and set by the <session-timeout> value in the webapp's WEB-INF/web.xml file or programmatically.  See the servlet spec for details.

BTW, your tomcat version is four years old - you should seriously consider moving up to a newer version that contains numerous fixes, including security-related ones.

 - Chuck







Re: How to set SSL session timeout in Tomcat 5.5.16

Posted by Mark Thomas <ma...@apache.org>.
On 18/03/2010 04:26, Goo Sam Kong wrote:
> Hi Mark,
>
> Will apache.org correct the Tomcat documentation or fix the code?

The docs are correct. This is already fixed in Tomcat 7 and has been 
proposed for Tomcat 6.

Mark





Re: How to set SSL session timeout in Tomcat 5.5.16

Posted by Goo Sam Kong <sk...@gmail.com>.
Hi Mark,

Will apache.org correct the Tomcat documentation or fix the code?

Thank you.

On 18 March 2010 11:16, Caldarale, Charles R <Ch...@unisys.com> wrote:
>> From: Goo Sam Kong [mailto:skgoo88@gmail.com]
>> Subject: Re: How to set SSL session timeout in Tomcat 5.5.16
>>
>> OIC, so when will the code be fixed?
>
> No idea - I'm not a committer.  It will get more attention if you file a Bugzilla entry for it:
> http://issues.apache.org/bugzilla/enter_bug.cgi?product=Tomcat%206
>
>  - Chuck
>
>
>
>
>
>



RE: How to set SSL session timeout in Tomcat 5.5.16

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com]
> Subject: RE: How to set SSL session timeout in Tomcat 5.5.16
> 
> No idea - I'm not a committer.  It will get more attention if you file
> a Bugzilla entry for it:
> http://issues.apache.org/bugzilla/enter_bug.cgi?product=Tomcat%206

In Tomcat 6.0.26, the relevant code is at lines 434 - 446 of org/apache/tomcat/util/net/jsse/JSSESocketFactory.java, and should be changed to this:

            int sessionTimeout;
            if (attributes.get("sessionTimeout") != null) {
                sessionTimeout = Integer.parseInt(
                        (String)attributes.get("sessionTimeout"));
            } else {
                sessionTimeout = defaultSessionTimeout;
            }
            SSLSessionContext sessionContext =
                context.getServerSessionContext();
            if (sessionContext != null) {
                sessionContext.setSessionCacheSize(sessionCacheSize);
                sessionContext.setSessionTimeout(sessionTimeout);
            }

 - Chuck




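For reference, here is the connector configuration this thread converges on, written as an added example for this archive page (it is not taken from the thread, from the posters' configuration, or from the Tomcat documentation): a Tomcat 6.0.x / 7 JSSE HTTPS <Connector> with client certificate authentication and a short SSL session timeout, so that once a client's cached SSL session has expired the next connection must do a full handshake and present the certificate again. The port, keystore and truststore file names, the passwords and the 5-second value are placeholders, not values from the thread. The thread found that maxKeepAliveRequests="1" on its own did not force re-authentication; the reason is that a fresh TCP connection can still resume the cached SSL session with an abbreviated handshake, which does not re-send the client certificate, so it is the session timeout, not the keep-alive limit, that forces the certificate to be shown again. Two further caveats: in Tomcat 6.0.26 the connector code did not read the documented sessionTimeout attribute (Mark Thomas says the fix is in Tomcat 7 and proposed for 6.0), so check that the version in use honours it before relying on it; and sessionCacheSize="0" means an unlimited cache in JSSE (SSLSessionContext.setSessionCacheSize), not a disabled one.

```xml
<!-- server.xml fragment: HTTPS connector with client-certificate authentication.
     Added example, not the thread's or Tomcat's own configuration.
     Port, file names, passwords and the timeout value are placeholders. -->
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"

           clientAuth="true"
           keystoreFile="conf/server.jks"      keystorePass="changeit"
           truststoreFile="conf/client-ca.jks" truststorePass="changeit"

           sessionCacheSize="1000"

           sessionTimeout="5"

           maxKeepAliveRequests="1" />
```

The attributes in this fragment, in order: clientAuth="true" makes the server require a client certificate that chains to a CA in truststoreFile. sessionCacheSize bounds the server-side SSL session cache; leave it non-zero, since 0 means unlimited. sessionTimeout is the lifetime in seconds of a cached SSL session; the documented default is 86400 (24 hours), which is exactly the behaviour the thread is trying to get rid of, and a value of 0 means no timeout, so a small positive number is what forces a full handshake (and a fresh look at the USB token) at roughly that interval. Every full handshake costs a round of asymmetric crypto on both sides, which is the performance trade-off Chuck mentions. maxKeepAliveRequests="1" is kept only to show that it closes the TCP connection after each request; it does not, by itself, prevent SSL session resumption.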


RE: How to set SSL session timeout in Tomcat 5.5.16

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Goo Sam Kong [mailto:skgoo88@gmail.com]
> Subject: Re: How to set SSL session timeout in Tomcat 5.5.16
> 
> OIC, so when will the code be fixed?

No idea - I'm not a committer.  It will get more attention if you file a Bugzilla entry for it:
http://issues.apache.org/bugzilla/enter_bug.cgi?product=Tomcat%206

 - Chuck






Re: How to set SSL session timeout in Tomcat 5.5.16

Posted by Goo Sam Kong <sk...@gmail.com>.
Hi Chuck,

OIC, so when will the code be fixed?

On 18 March 2010 11:07, Caldarale, Charles R <Ch...@unisys.com> wrote:
>> From: Goo Sam Kong [mailto:skgoo88@gmail.com]
>> Subject: Re: How to set SSL session timeout in Tomcat 5.5.16
>>
>> I noticed there is an error in the Tomcat documentation
>> (http://tomcat.apache.org/tomcat-6.0-doc/config/http.html), the
>> correct attribute for session cache timeout should be
>> "sessionCacheTimeout" instead of "sessionTimeout" in HTTPS connector.
>
> Actually, it looks like the code should be fixed, not the doc.  The timeout value has nothing to do with the SSL session cache, and the related methods in javax.net.ssl.SSLSessionContext are all for sessionTimeout; there's no mention of a sessionCacheTimeout in that interface.
>
>  - Chuck
>
>
>
>
>
>



RE: How to set SSL session timeout in Tomcat 5.5.16

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Goo Sam Kong [mailto:skgoo88@gmail.com]
> Subject: Re: How to set SSL session timeout in Tomcat 5.5.16
> 
> I noticed there is an error in the Tomcat documentation
> (http://tomcat.apache.org/tomcat-6.0-doc/config/http.html), the
> correct attribute for session cache timeout should be
> "sessionCacheTimeout" instead of "sessionTimeout" in HTTPS connector.

Actually, it looks like the code should be fixed, not the doc.  The timeout value has nothing to do with the SSL session cache, and the related methods in javax.net.ssl.SSLSessionContext are all for sessionTimeout; there's no mention of a sessionCacheTimeout in that interface.

 - Chuck






Re: How to set SSL session timeout in Tomcat 5.5.16

Posted by Goo Sam Kong <sk...@gmail.com>.
Hi Mark,

Thank you for the solution, it is working for me now.

I noticed there is an error in the Tomcat documentation
(http://tomcat.apache.org/tomcat-6.0-doc/config/http.html), the
correct attribute for session cache timeout should be
"sessionCacheTimeout" instead of "sessionTimeout" in HTTPS connector.

Thank you.

On 17 March 2010 17:32, Goo Sam Kong <sk...@gmail.com> wrote:
> Thank you very much Mark, I will try it tomorrow.
>
> On 17 March 2010 16:40, Mark Thomas <ma...@apache.org> wrote:
>> On 17/03/2010 00:49, Goo Sam Kong wrote:
>>> May I know how to set the SSL session timeout in Tomcat 5.5.16. I am
>>> running JDK 1.5.0 update 7 on RedHat Enterprise.
>>
>> 1. Upgrade to the latest 6.0.x
>> 2. Read the docs: http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
>>
>> Mark
>>
>>
>>
>>
>>
>



Re: How to set SSL session timeout in Tomcat 5.5.16

Posted by Goo Sam Kong <sk...@gmail.com>.
Thank you very much Mark, I will try it tomorrow.

On 17 March 2010 16:40, Mark Thomas <ma...@apache.org> wrote:
> On 17/03/2010 00:49, Goo Sam Kong wrote:
>> May I know how to set the SSL session timeout in Tomcat 5.5.16. I am
>> running JDK 1.5.0 update 7 on RedHat Enterprise.
>
> 1. Upgrade to the latest 6.0.x
> 2. Read the docs: http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
>
> Mark
>
>
>
>
>



Re: How to set SSL session timeout in Tomcat 5.5.16

Posted by Mark Thomas <ma...@apache.org>.
On 17/03/2010 00:49, Goo Sam Kong wrote:
> May I know how to set the SSL session timeout in Tomcat 5.5.16. I am
> running JDK 1.5.0 update 7 on RedHat Enterprise.

1. Upgrade to the latest 6.0.x
2. Read the docs: http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

Mark


