Posted to dev@tomcat.apache.org by bu...@apache.org on 2015/10/29 13:45:06 UTC

[Bug 58244] two way SSL loses client certificate after a few requests

https://bz.apache.org/bugzilla/show_bug.cgi?id=58244

--- Comment #4 from Petr Brouzda <pe...@gmail.com> ---
We have a similar (maybe the same) problem.

We run
- Tomcat 8.0.24 with APR.
- HTTPS APR connector with SSLVerifyClient="require".
- on Debian 6

The client is a legacy application with no HTTPS support, so it uses "stunnel"
(https://www.stunnel.org) as an http-to-https proxy.

1) At the first request from this client ... the server application sees the
client's certificate in javax.servlet.request.X509Certificate correctly.

2) Second and any subsequent requests within the same stunnel connection ...
the server application doesn't see the client's certificate,
javax.servlet.request.X509Certificate is null.

3) After the stunnel daemon is restarted, the first request is processed
correctly (with certificate info in javax.servlet.request.X509Certificate) and
subsequent requests have javax.servlet.request.X509Certificate = null.

The difference is that (based on stunnel's logfile) the first request creates a
new SSL session, and subsequent requests reuse that session.
Maybe there is a problem within APR that the client certificate is not
available when the SSL session is reused.

(Clients other than stunnel work without problems.)
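
An added example, not code from this bug report or from Tomcat: a servlet filter that fails closed when the certificate attribute described above is missing, and logs the TLS session id on every request so that a missing certificate can be correlated with session reuse. The class name is hypothetical, and it assumes the Servlet 3.x `javax.servlet` API that Tomcat 8.0 provides.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (added example): never treat a request as
// authenticated unless the container actually supplied a certificate chain.
public class RequireClientCertFilter implements Filter {
    private static final Logger LOG =
            Logger.getLogger(RequireClientCertFilter.class.getName());
    // Standard request attributes defined by the Servlet specification.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    static final String SESSION_ID_ATTR = "javax.servlet.request.ssl_session_id";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        Object attr = req.getAttribute(CERT_ATTR);
        X509Certificate[] certs =
                (attr instanceof X509Certificate[]) ? (X509Certificate[]) attr : null;
        // Same session id on a request with a cert and on one without
        // points at session reuse as the trigger.
        String ctx = "tlsSession=" + req.getAttribute(SESSION_ID_ATTR)
                + " remote=" + req.getRemoteAddr() + ":" + req.getRemotePort();

        if (certs == null || certs.length == 0) {
            // Fail closed: a null attribute must not fall through to
            // application code that assumes mutual TLS already succeeded.
            LOG.warning("client certificate missing, secure=" + req.isSecure() + " " + ctx);
            ((HttpServletResponse) res).sendError(
                    HttpServletResponse.SC_FORBIDDEN, "Client certificate required");
            return;
        }
        // certs[0] is the client's own certificate; the rest is its chain.
        LOG.info("client certificate subject=\""
                + certs[0].getSubjectX500Principal().getName() + "\" " + ctx);
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```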
