tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Recognizing certificate removal (SmartCard)
Date Tue, 04 Dec 2012 17:48:36 GMT

On 12/4/12 12:46 PM, Christopher Schultz wrote:
> On 12/4/12 12:08 PM, Will Nordmeyer wrote:
>> First off, thanks to all for the assistance getting my other 
>> tomcat CRL issues working.  Converted to APR and tcnative and 
>> things seem to be loading, running well now.
>> Now, the question has come up - what happens when a user 
>> authenticates with their Smart Card, but then pulls their card
>> and walks away.  Is there a way for Tomcat to detect such an
>> event on the client and terminate/timeout the session?
>> In the googling I've done, I've seen suggestions about writing a
>> little java app that runs within our application and
>> periodically pulls something from the SmartCard - when the app
>> fails to get that piece of info, it terminates the app.
>> Is that the way to go?  (and if so, is there sample code - I
>> know this isn't a java forum, but if someone's invented this
>> wheel before, that would be great).
> I'm certainly no SSL expert (especially with SmartCards involved),
> but if the SmartCard is required in order to set up an SSL session,
> you could set the SSL session timeout to some small-ish value (say,
> 10 minutes -- the default is 24 hours) and then require a new SSL
> session to be established every 10 minutes. That would require the
> SmartCard to be present for that renegotiation (this is my
> assumption).
> That way, you don't have to write any new software and maintain it
> on the client.
> Check out the "sessionTimeout" attribute on the HTTP/SSL
> connector.
> Hmm... I just re-checked and that option is currently only
> available for the pure-Java connectors -- and you just switched to
> APR to get your huge CRLs working. :(
> OpenSSL does have an SSL_CTX_set_timeout method, but it doesn't
> have any support through tcnative. If this is something that would
> help you, please let me know and I'll take a stab at implementing
> a tcnative method for this and then expose it through the
> <Connector> configuration.

Answering my own question somewhat: the default SSL session timeout
for OpenSSL is actually 300 seconds (5 minutes) so that might work for

Of course, I might be wrong about the session timeout requiring the
SmartCard to be present for renegotiation.

Let me know what you find out.

-chris
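The "sessionTimeout" attribute Chris points to, shown in context as an added example (this is not configuration from the thread or from the Tomcat project's docs). It assumes a Tomcat 7-era pure-Java (JSSE) HTTPS connector, since the attribute was not exposed by the APR connector at the time; the keystore and truststore paths and passwords are placeholders, and clientAuth="true" is what makes the SmartCard certificate mandatory for the handshake in the first place.

```xml
<!-- Added example: JSSE HTTPS connector with mandatory client certificates
     and a 10-minute SSL session lifetime. Paths/passwords are placeholders.
     The explicit protocol class selects the pure-Java connector rather than APR. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="conf/server-keystore.jks"   keystorePass="CHANGEME"
           truststoreFile="conf/ca-truststore.jks"   truststorePass="CHANGEME"
           sessionTimeout="600" />   <!-- seconds; default is 86400 (24 hours) -->
```

One caveat when relying on this: the SSL session cached by the connector and the servlet HttpSession are independent. Expiring the SSL session only forces a new TLS handshake (and, with clientAuth="true", a fresh signature from the card's private key); the application's own login session still lives until its web.xml session-timeout (in minutes) expires, so that value has to be aligned with the SSL timeout for a removed card to actually end the user's access.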