tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id
Date Tue, 07 Jul 2015 21:05:21 GMT
Alex Soto wrote:
> yes it is set at httpd-ssl.config
> https://github.com/lordofthejars/apache-tomee-ssl/blob/master/httpd-ssl.conf#L229
> which I think that is where it should be set.
> Everything too strange, but thanks anyway.

Then, and until Rainer himself jumps in, let me ask you if it would be possible to make 
one more test. As far as I understand, this is not the way it /should/ work, but it may be 
a way to find out what doesn't work, inasmuch as there is really a problem :

Somewhere in that same page, there is a way by which you can "force" a value to be passed 
on to Tomcat as a request attribute (via JkEnvVar "name" "default-value").
Can you try to pass the SSL session-id in that way, and obtain it in Tomcat via 
request.getAttribute("name"), instead of the standard request.ssl_session ?
And check if /then/, you get it all the time ?

Again, this is probably not the way in which this should work. But Tomcat is open-source 
and free software, and its development and debugging benefit from the help of any 
benevolent user, particularly if that user is interested in solving a particular problem 
that he is having.

> 
> On Tue, 7 Jul 2015 at 19:17, André Warnier (<aw@ice-sa.com>) wrote:
> 
>> Alex Soto wrote:
>>> Thank you so much but it is already set.
>>> https://github.com/lordofthejars/apache-tomee-ssl/blob/master/httpd.conf#L171
>>> This is so strange.
>> But there is also this phrase : "In order to make SSL data available for mod_jk in Apache,
>> you need to set SSLOptions +StdEnvVars."
>>
>> Honestly, I have never tried this, and I am not an SSL specialist at all, and the phrase
>> above is a bit ambiguous.  But it seems worth a try, and I do not see it in your
>> configuration.
>>
>>> On Tue, 7 Jul 2015 at 12:25, André Warnier (<aw@ice-sa.com>) wrote:
>>>
>>>> Mark Thomas wrote:
>>>>> On 07/07/2015 09:28, Alex Soto wrote:
>>>>>> Hi Mark, SSL Session ID is not passed to Tomcat. You can see the logs here
>>>>>> https://gist.github.com/lordofthejars/226d8ed605f2a58b52f3 (I have created
>>>>>> a gist to not add here a lot of lines).
>>>>>>
>>>>>> Now the question is: does it happen because of mod_jk or because of Apache?
>>>>>> Alex.
>>>>> OK. You've reached the limits of my comfort zone. You need someone more
>>>>> familiar with the httpd side of things at this point. Rainer?
>>>>>
>>>>> Mark
>>>> Not Rainer, but maybe this helps :
>>>> http://tomcat.apache.org/connectors-doc/reference/apache.html
>>>> Look for "JkExtractSSL".
>>>>
>>>>
>>>>>> On Mon, 6 Jul 2015 at 12:48, Mark Thomas (<markt@apache.org>) wrote:
>>>>>>
>>>>>>> On 06/07/2015 10:48, Alex Soto wrote:
>>>>>>>> Hello I have seen a strange behaviour in Apache HTTPD (2.4) and TomEE (in
>>>>>>>> fact it is a Tomcat (7.0.61) so it is exactly the same for Tomcat) when I
>>>>>>>> configure Apache server with SSL and mod_jk.
>>>>>>>> In fact I am not sure where it is the problem if in mod_jk, in Apache
>>>>>>>> Server or in Tomcat, but I suspect that maybe the problem is on mod_jk
>>>>>>>> configuration.
>>>>>>>>
>>>>>>>> I am configuring the typical Apache as frontend and TomEE(Tomcat) as
>>>>>>>> backend solution. Currently Apache is configured with SSL and with mod_jk
>>>>>>>> it connects to TomEE using AJP. This works perfectly. The problem is that
>>>>>>>> inside my code I need to get the ssl session id:
>>>>>>>>
>>>>>>>> String ssl = (String)servletRequest.getAttribute("javax.servlet.request.ssl_session_id");
>>>>>>>>
>>>>>>>> I don't know why but sometimes this attribute is null and sometimes not. It
>>>>>>>> may return a null at first then stay like 10 requests working and then stop
>>>>>>>> working again during some requests and the get attribute returns null.
>>>>>>>> It seems that everything is configured correctly since sometimes works.
>>>>>>>> Have you ever found something similar or knows what it can be happening? Do
>>>>>>>> you think that maybe the problem is on client (browser) side?
>>>>>>>>
>>>>>>>> Everything is dockerized here:
>>>>>>>> https://github.com/lordofthejars/apache-tomee-ssl so you can review
>>>>>>>> configuration files of tomcat and apache or even run it.
>>>>>>>>
>>>>>>>> Thank you so much for your support.
>>>>>>> Try turning on debug logging for mod_jk. It will generate lots of data
>>>>>>> so just do it long enough to see the problem. When you look at the logs
>>>>>>> you should be able to see if the SSL Session ID is being passed to
>>>>>>> Tomcat or not.
>>>>>>>
>>>>>>> Mark
>>>>>>>
>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>>
>>>>>>>
> 
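
The test proposed in this message, written out as an added example (it is not part of the original thread and is not code from the posters or from the Tomcat project): a servlet filter that reads the session id both from the standard attribute and from an attribute forwarded with JkEnvVar, and logs which side lost it. It assumes httpd carries `SSLOptions +StdEnvVars` and `JkEnvVar SSL_SESSION_ID NOT_SET`; the class name, the `NOT_SET` default and the verdict strings are hypothetical.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

// Assumed httpd side (not taken from the poster's repository):
//   SSLOptions +StdEnvVars
//   JkEnvVar SSL_SESSION_ID NOT_SET
public class SslSessionIdProbeFilter implements Filter {
    private static final Logger LOG =
            Logger.getLogger(SslSessionIdProbeFilter.class.getName());
    static final String STANDARD_ATTR = "javax.servlet.request.ssl_session_id";
    static final String FORWARDED_ATTR = "SSL_SESSION_ID"; // name given to JkEnvVar
    static final String HTTPD_DEFAULT = "NOT_SET";         // default given to JkEnvVar

    /** Classifies one request; kept apart from doFilter so it can be unit-tested. */
    static String classify(Object standard, Object forwarded) {
        if (forwarded == null) return "JKENVVAR_NOT_FORWARDED";   // directive not active
        if (HTTPD_DEFAULT.equals(forwarded)) return "HTTPD_HAD_NO_SESSION_ID";
        if (standard == null) return "LOST_IN_STANDARD_PATH";     // httpd had it, Tomcat did not
        return standard.equals(forwarded) ? "OK" : "MISMATCH";
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String verdict = classify(req.getAttribute(STANDARD_ATTR),
                                  req.getAttribute(FORWARDED_ATTR));
        if (!"OK".equals(verdict)) {
            // Log the verdict only; the session id itself stays out of the log.
            LOG.warning("ssl_session_id probe: " + verdict + " secure=" + req.isSecure());
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

A run of `HTTPD_HAD_NO_SESSION_ID` verdicts points at httpd/mod_ssl not setting the variable for those requests, while `LOST_IN_STANDARD_PATH` points at the mod_jk-to-Tomcat hand-off.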

