tomcat-users mailing list archives

From André Warnier
Subject Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id
Date Tue, 07 Jul 2015 21:05:21 GMT
Alex Soto wrote:
> yes it is set at httpd-ssl.config
> which I think that is where it should be set.
> Everything too strange, but thanks anyway.

Then, and until Rainer himself jumps in, let me ask you if it would be possible to make
one more test. As far as I understand, this is not the way it /should/ work, but it may be
a way to find out what doesn't work, inasmuch as there is really a problem:

Somewhere in that same page, there is a way by which you can "force" a value to be passed
on to Tomcat as a request attribute (via JkEnvVar "name" "default-value").
Can you try to pass the SSL session-id in that way, and obtain it in Tomcat via
request.getAttribute("name"), instead of the standard request.ssl_session?
And check if /then/, you get it all the time?

Again, this is probably not the way in which this should work. But Tomcat is open-source 
and free software, and its development and debugging benefit from the help of any 
benevolent user, particularly if that user is interested in solving a particular problem 
that he is having.

> On Tue, 7 Jul 2015 at 19:17, André Warnier wrote:
>> Alex Soto wrote:
>>> Thank you so much but it is already set.
>>> This is so strange.
>> But there is also this phrase: "In order to make SSL data available for mod_jk in Apache,
>> you need to set SSLOptions +StdEnvVars."
>> Honestly, I have never tried this, and I am not an SSL specialist at all, and the phrase
>> above is a bit ambiguous.  But it seems worth a try, and I do not see it in your
>> configuration.
>>> On Tue, 7 Jul 2015 at 12:25, André Warnier wrote:
>>>> Mark Thomas wrote:
>>>>> On 07/07/2015 09:28, Alex Soto wrote:
>>>>>> Hi Mark, SSL Session ID is not passed to Tomcat. You can see the here
>>>>>> (I have created a gist to not add here a lot of lines).
>>>>>> Now the question is, does it happen because of mod_jk or because of Apache?
>>>>>> Alex.
>>>>> OK. You've reached the limits of my comfort zone. You need someone more
>>>>> familiar with the httpd side of things at this point. Rainer?
>>>>> Mark
>>>> Not Rainer, but maybe this helps :
>>>> Look for "JkExtractSSL".
>>>>>> On Mon, 6 Jul 2015 at 12:48, Mark Thomas wrote:
>>>>>>> On 06/07/2015 10:48, Alex Soto wrote:
>>>>>>>> Hello I have seen a strange behaviour in Apache HTTPD (2.4) TomEE (in
>>>>>>>> fact it is a Tomcat (7.0.61) so it is exactly the same for when I
>>>>>>>> configure Apache server with SSL and mod_jk.
>>>>>>>> In fact I am not sure where it is the problem if in mod_jk, Apache
>>>>>>>> Server or in Tomcat, but I suspect that maybe the problem is on mod_jk
>>>>>>>> configuration.
>>>>>>>> I am configuring the typical Apache as frontend and TomEE(Tomcat)
>>>>>>>> backend solution. Currently Apache is configured with SSL and with mod_jk
>>>>>>>> it connects to TomEE using AJP. This works perfectly. The problem is that
>>>>>>>> inside my code I need to get the ssl session id:
>>>>>>>> String ssl = (String)servletRequest.getAttribute("javax.servlet.request.ssl_session_id");
>>>>>>>> I don't know why but sometimes this attribute is null and not. It
>>>>>>>> may return a null at first then stay like 10 requests working then stop
>>>>>>>> working again during some requests and the get attribute null.
>>>>>>>> It seems that everything is configured correctly since sometimes works.
>>>>>>>> Have you ever found something similar or knows what it can happening? Do
>>>>>>>> you think that maybe the problem is on client (browser) side?
>>>>>>>> Everything is dockerized here:
>>>>>>>> so you can review
>>>>>>>> configuration files of tomcat and apache or even run it.
>>>>>>>> Thank you so much for your support.
>>>>>>> Try turning on debug logging for mod_jk. It will generate lots of data
>>>>>>> so just do it long enough to see the problem. When you look at the logs
>>>>>>> you should be able to see if the SSL Session ID is being passed
>>>>>>> to Tomcat or not.
>>>>>>> Mark
>>>>>>> Mark
>>>>>>> ---------------------------------------------------------------------
>>>>>>> To unsubscribe, e-mail:
>>>>>>> For additional commands, e-mail:

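
The test suggested in this message, sketched as an added example (not code from the thread or from the Tomcat project): a servlet filter that, on each request, compares the standard SSL session-id attribute with one forced through JkEnvVar and logs which of the two arrived. The class name, the attribute name SSL_SESSION_ID chosen for JkEnvVar, the default value "unset", and the httpd lines in the comment are assumptions.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/*
 * Assumed httpd side (inside the SSL virtual host), not taken from the thread's files:
 *   SSLOptions +StdEnvVars
 *   JkExtractSSL On
 *   JkEnvVar SSL_SESSION_ID "unset"
 */
public class SslSessionIdProbeFilter implements Filter {   // hypothetical class name
    private static final Logger LOG = Logger.getLogger("ssl-session-probe");
    static final String STANDARD = "javax.servlet.request.ssl_session_id";
    static final String FORCED = "SSL_SESSION_ID";          // name given to JkEnvVar
    static final String DEFAULT = "unset";                  // JkEnvVar default value

    /** Classifies one request: which of the two paths delivered a session id. */
    static String classify(Object standard, Object forced) {
        boolean hasStandard = standard != null;
        boolean hasForced = forced != null && !DEFAULT.equals(forced);
        if (hasStandard && hasForced) return standard.equals(forced) ? "BOTH_MATCH" : "BOTH_DIFFER";
        if (hasForced) return "FORCED_ONLY";     // httpd had the id, the standard path lost it
        if (hasStandard) return "STANDARD_ONLY";
        return "NEITHER";                        // no id in httpd, or JkEnvVar not configured
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String verdict = classify(req.getAttribute(STANDARD), req.getAttribute(FORCED));
        String uri = (req instanceof HttpServletRequest)
                ? ((HttpServletRequest) req).getRequestURI() : "?";
        // Log only the verdict, never the id itself: it identifies the TLS session.
        LOG.info(verdict + " " + uri);
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

A run of FORCED_ONLY lines would point at the standard attribute path between mod_jk and Tomcat, while NEITHER would point at httpd not having the value for that request.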