httpd-users mailing list archives

From Claude Libois <claude.lib...@guest.minfin.fed.be>
Subject Re: [users@httpd] How to notify application server that ssl session has expired
Date Thu, 07 Dec 2006 09:50:54 GMT
Nobody to help me (or was my mail not clear)?
Claude
----- Original Message ----- 
From: "Claude Libois" <claude.libois@guest.minfin.fed.be>
To: <users@httpd.apache.org>
Sent: Tuesday, December 05, 2006 11:52 AM
Subject: [users@httpd] How to notify application server that ssl session has expired


> Hello,
> For our project we have integrated an electronic identity card (eID)
> authentication. This card contains a certificate that is used to establish
> a two-way SSL connection with our Apache 2.0.54. This certificate is
> validated by an OCSP server.
> When the SSL connection is established, the user's certificate is forwarded
> to a J2EE application server (WebLogic) which creates its own security
> context through a JAAS LoginModule.
> Our problem is that we have to (we don't have the choice) log out the user
> when the SSL session has expired.
> So my problem is to notify WebLogic that the SSL session has expired.
> My first idea was to save SSL_SESSION_ID in my J2EE Principal and then
> compare this id with the current SSL session id of the request.
> So if the current id is different from the id obtained during the
> authentication process then the user is logged out.
> However, it seems that when I configure a virtual host in one-way SSL
> (SSLVerifyClient none) with per-directory two-way SSL, sometimes my SSL
> session is renewed and my SSL session id is different. If I configure
> two-way at the virtual host level this doesn't happen.
> Is there a problem for Apache to maintain the SSL session if we change the
> SSL type?
> I read in an older post that we can't rely on SSL_SESSION_ID to know if SSL
> has expired, but I don't see any other way to notify my application server.
> Any suggestion?
>
> Here is my ssl.conf. For information, I have a specific application, apart
> from the main application, which is responsible for the authentication.
>
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl    .crl
> SSLSessionCache        shmcb:logs/ssl_scache(512000)
> SSLSessionCacheTimeout 300
> SSLMutex  file:/home/apache-2.0.54/logs/ssl_mutex
> SSLRandomSeed startup builtin
> <VirtualHost *:443>
>     ServerName host
>     ServerAlias host
>     DocumentRoot "/home/apache-2.0.54/htdocs"
>     SSLEngine on
>     SSLCipherSuite -ALL:SSLv3+HIGH:-aNULL!EXPORT56:RC4+RSA
>     SSLProtocol -ALL +SSLv3 +TLSv1
>     # Server Certificate:
>     SSLCertificateFile /home/apache-2.0.54/conf/ssl/certificate/server/host.cert
>     # Server Private Key:
>     SSLCertificateKeyFile /home/apache-2.0.54/conf/ssl/certificate/server/privkey.key
>     SSLCertificateChainFile "/home/apache-2.0.54/conf/ssl/certificate/chain/chain.pem"
>     SSLOptions +StrictRequire +StdEnvVars +ExportCertData
>     RequestHeader add SSL_SESSION_ID "%{SSL_SESSION_ID}e"
>     SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown
>     SSLVerifyClient none
>     SSLCACertificateFile "/home/weblogic/apache-2.0.54/conf/ssl/certificate/trusted_certificate/client-trusted-list.pem"
>
>     # Application that does the authentication
>     <Location /Authentication>
>         SetHandler weblogic-handler
>         WebLogicCluster host:7001
>     </Location>
>
>     # Main application that needs authentication
>     <Location /WebAppTestAuthentication>
>         SetHandler weblogic-handler
>         WebLogicCluster host:7001
>     </Location>
>
>     # Two-way connection is only established when calling this Struts action
>     <Location /Authentication/logineID.do>
>         SSLVerifyClient require
>         RequestHeader add WL-Proxy-SSL "true"
>         RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}e"
>         RequestHeader add SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}e"
>         Allow from all
>     </Location>
> </VirtualHost>

----------------------------------------------------------------
- Disclaimer: http://www.minfin.fgov.be/disclaimer.htm

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
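The check the mail describes (record SSL_SESSION_ID when the user authenticates, log the user out when a later request carries a different one), written as a servlet filter. This is an added example, not code from the mail or from WebLogic; it assumes the RequestHeader line in the ssl.conf above forwards SSL_SESSION_ID, and the class, method and attribute names (eid.sslSessionId) are this example's own choices.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Binds the HTTP session to the SSL session id that httpd forwards in the
 * SSL_SESSION_ID request header (hypothetical example, not WebLogic code).
 * A renegotiation (per-directory SSLVerifyClient require) or an
 * SSLSessionCacheTimeout expiry gives the client a new id, so a mismatch means
 * "SSL session changed", not only "expired". Trust the header only when every
 * request reaches WebLogic through httpd, and use "RequestHeader set" rather
 * than "add" so a client-supplied SSL_SESSION_ID header is overwritten.
 */
public class SslSessionBindingFilter implements Filter {
    static final String HEADER = "SSL_SESSION_ID";
    static final String ATTR = "eid.sslSessionId";   // hypothetical attribute name

    public void init(FilterConfig cfg) throws ServletException { }
    public void destroy() { }

    /* Call once, right after the JAAS login succeeded (e.g. from logineID.do). */
    public static void bind(HttpServletRequest http) {
        String id = http.getHeader(HEADER);
        if (id == null || id.length() == 0) {
            throw new IllegalStateException("no SSL_SESSION_ID forwarded; is httpd in front?");
        }
        http.getSession(true).setAttribute(ATTR, id);
    }

    /* True when the request's SSL session id equals the one recorded at login. */
    static boolean stillBound(Object recorded, String current) {
        return current != null && current.length() > 0 && current.equals(recorded);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);
        Object recorded = (session == null) ? null : session.getAttribute(ATTR);
        if (recorded != null && !stillBound(recorded, http.getHeader(HEADER))) {
            session.invalidate();   // drops the J2EE security context: user must log in again
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter to the protected application (/WebAppTestAuthentication) in web.xml; requests that arrive without an HTTP session pass through untouched so the login flow itself is not blocked.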