tomcat-users mailing list archives

From André Warnier
Subject Re: SSL Session Caching
Date Wed, 13 Feb 2013 21:11:59 GMT
Will Nordmeyer wrote:
> I have a scenario right now I need help with.
> My Tomcat is configured for SSL, client certificate authorization and
> Certificate Revocation List checking (all outside certificates).
> We have a scenario (we've found in testing) where we do a transaction
> in our application, then the user pulls his smart card out (client
> certificate) and a new user comes up and puts his card in.  Tomcat
> isn't recognizing that a new certificate is in place and is allowing
> the new user, with the new certificate to transact without validating
> his credentials.
> It appears as if the old session is being utilized still by the client
> (windows or unix, firefox or IE) and Tomcat.  Which seems very odd.
> I would have expected the new cert would have forced a new SSL session
> to be created and tomcat to puke at an attempt to submit a transaction
> on the old session.
> Any thoughts/advice/guidance?

That sounds to me like a serious flaw either at the level of the client logic, or at the level of the training and/or discipline of the users. Not at the level of the Tomcat server.

Analogy: a room is protected by a door that opens with a key. Only some people have that key. One of these people opens the door with his key, leaves it open and walks away. Another (unauthorised) person walks through the open door into the room (*). Who is responsible? The room?

(*) whether or not the other person puts his own (wrong) key into the lock is irrelevant.

The door is already open.
