httpd-users mailing list archives

From Claude Libois <claude.lib...@guest.minfin.fed.be>
Subject [users@httpd] How to notify application server that ssl session has expired
Date Tue, 05 Dec 2006 10:52:10 GMT
Hello,

For our project we have integrated electronic identity card (eID) authentication. This card contains a certificate that is used to establish a two-way SSL connection with our Apache 2.0.54. This certificate is validated by an OCSP server.

When the SSL connection is established, the user's certificate is forwarded to a J2EE application server (WebLogic), which creates its own security context through a JAAS LoginModule.

Our problem is that we have to (we don't have the choice) log the user out when the SSL session has expired. So my problem is to notify WebLogic that the SSL session has expired.

My first idea was to save SSL_SESSION_ID in my J2EE Principal and then compare this id with the current SSL session id of the request. So if the current id is different from the id obtained during the authentication process, then the user is logged out.

However, it seems that when I configure a virtual host in one-way SSL (SSLVerifyClient none) with per-directory two-way SSL, sometimes my SSL session is renewed and my SSL session id is different. If I configure two-way at the virtual host level, this doesn't happen.

Is there a problem for Apache to maintain the SSL session if we change the SSL type?

I read in an older post that we can't rely on SSL_SESSION_ID to know if SSL has expired, but I don't see any other way to notify my application server.

Any suggestion?

Here is my ssl.conf. For information, I have a specific application, apart from the main application, which is responsible for the authentication.

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLSessionCache         shmcb:logs/ssl_scache(512000)
SSLSessionCacheTimeout  300
SSLMutex                file:/home/apache-2.0.54/logs/ssl_mutex
SSLRandomSeed startup builtin
<VirtualHost *:443>
    ServerName host
    ServerAlias host
    DocumentRoot "/home/apache-2.0.54/htdocs"
    SSLEngine on
    SSLCipherSuite -ALL:SSLv3+HIGH:-aNULL!EXPORT56:RC4+RSA
    SSLProtocol -ALL +SSLv3 +TLSv1
    # Server Certificate:
    SSLCertificateFile /home/apache-2.0.54/conf/ssl/certificate/server/host.cert
    # Server Private Key:
    SSLCertificateKeyFile /home/apache-2.0.54/conf/ssl/certificate/server/privkey.key
    SSLCertificateChainFile "/home/apache-2.0.54/conf/ssl/certificate/chain/chain.pem"
    SSLOptions +StrictRequire +StdEnvVars +ExportCertData
    RequestHeader add SSL_SESSION_ID "%{SSL_SESSION_ID}e"
    SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown
    SSLVerifyClient none
    SSLCACertificateFile "/home/weblogic/apache-2.0.54/conf/ssl/certificate/trusted_certificate/client-trusted-list.pem"
    # Application that does the authentication
    <Location /Authentication>
        SetHandler weblogic-handler
        WebLogicCluster host:7001
    </Location>
    # Main application that needs authentication
    <Location /WebAppTestAuthentication>
        SetHandler weblogic-handler
        WebLogicCluster host:7001
    </Location>
    # Two-way connection is only established when calling this struts action
    <Location /Authentication/logineID.do>
        SSLVerifyClient require
        RequestHeader add WL-Proxy-SSL "true"
        RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}e"
        RequestHeader add SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}e"
        Allow from all
    </Location>
</VirtualHost>

----------------------------------------------------------------
- Disclaimer: http://www.minfin.fgov.be/disclaimer.htm
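Written here as an added example, not code from the poster or from WebLogic, this servlet filter implements the comparison described in the message: it invalidates the HTTP session and rejects the request when the SSL_SESSION_ID header forwarded by Apache differs from the id recorded at login. The session attribute name LOGIN_SSL_SESSION_ID and the login code that stores it are assumptions; because the configuration above uses `RequestHeader add`, a header already present on the incoming request would reach the backend alongside Apache's value, so the filter only accepts exactly one value.

```java
import java.io.IOException;
import java.util.Enumeration;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Logs the user out when the TLS session id forwarded by Apache
 * (RequestHeader add SSL_SESSION_ID "%{SSL_SESSION_ID}e") no longer matches
 * the id recorded at login. Assumes the login code stored that id under the
 * session attribute LOGIN_SSL_SESSION_ID (hypothetical name, not a WebLogic one).
 * Note: a renegotiation caused by a per-directory "SSLVerifyClient require"
 * also changes the id, so this filter logs the user out in that case too.
 */
public class SslSessionBindingFilter implements Filter {
    static final String HEADER = "SSL_SESSION_ID";
    static final String ATTR = "LOGIN_SSL_SESSION_ID";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);
        String loginId = session == null ? null : (String) session.getAttribute(ATTR);
        if (loginId != null && !matches(loginId, http.getHeaders(HEADER))) {
            session.invalidate();                 // drop the J2EE security context
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Accept only when exactly one header value arrived and it equals the login id;
     *  a missing header (proxy bypassed) or several values (one was not Apache's) fail. */
    static boolean matches(String loginId, Enumeration<?> values) {
        if (values == null || !values.hasMoreElements()) return false;
        String id = (String) values.nextElement();
        if (values.hasMoreElements()) return false;
        return loginId.equals(id);
    }
}
```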

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
