tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Adamus, Steven J." <STEVEN.J.ADA...@saic.com>
Subject RE: SSL Session Caching
Date Wed, 13 Feb 2013 20:01:52 GMT
Nothing is going on.  When the smartcard is removed, nothing goes across
the wire, so how could Tomcat possibly invalidate the session? 

-----Original Message-----
From: users-return-239719-STEVEN.J.ADAMUS=saic.com@tomcat.apache.org
[mailto:users-return-239719-STEVEN.J.ADAMUS=saic.com@tomcat.apache.org]
On Behalf Of Mark Thomas
Sent: Wednesday, February 13, 2013 11:36 AM
To: Tomcat Users List
Subject: Re: SSL Session Caching

On 13/02/2013 18:49, Will Nordmeyer wrote:
> I have a scenario right now I need help with.
> 
> My Tomcat is configured for SSL, client certificate authorization and 
> Certificate Revocation List checking (all outside certificates).
> 
> We have a scenario (we've found in testing) where we do a transaction 
> in our application, then the user pulls his smart card out (client
> certificate) and a new user comes up and puts his card in.  Tomcat 
> isn't recognizing that a new certificate is in place and is allowing 
> the new user, with the new certificate to transact without validating 
> his credentials.
> 
> It appears as if the old session is being utilized still by the client

> (windows or unix, firefox or IE) and Tomcat.  Which seems very odd.
> 
> I would have expected the new cert would have forced a new SSL session

> to be created and tomcat to puke at an attempt to submit a transaction

> on the old session.
> 
> Any thoughts/advice/guidance?

Use wireshark. If you provide it with your server's private key (should
be doable in a test environment) you'll be able to see exactly what is
(or isn't) going on.

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message