tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id
Date Wed, 08 Jul 2015 12:26:38 GMT
Alex Soto wrote:
> Hi, I have tried this approach; custom JkEnvVar are passed correctly. What I
> don't know how to do is how to set an already JkEnvVar to a new JkEnvVar
> (what you mention about "force"). I have tried with %{SSL_SESSION_ID} and $
> but no luck (Don't know if it is because originally it was null or not).

I think it is just

JkEnvVar SSL_SESSION_ID "none"

(where "none" is the default value, used if the Apache "environment variable"
SSL_SESSION_ID was not set before you pass the request to Tomcat.)
(The default value ensures that Tomcat always gets something, no matter what)

Then in Tomcat you do request.getAttribute("SSL_SESSION_ID") , and if you find the value 
"none", it means that SSL_SESSION_ID was not set at the httpd level.

Note: if that does not work, there is still another method that can be tried: setting an
HTTP request header, before proxying to Tomcat. It would work like this:

RewriteEngine On
RewriteRule .* - [E=MY_SESSION_ID:%{SSL:SSL_SESSION_ID},NE]
RequestHeader set JK-SSL-SESSION "%{MY_SESSION_ID}e"

and then in Tomcat you would retrieve the HTTP header "JK-SSL-SESSION".



> 
> Alex.
> 
> On Tue, 7 Jul 2015 at 23:05, André Warnier (<aw@ice-sa.com>) wrote:
>
>> Alex Soto wrote:
>>> yes it is set at httpd-ssl.config
>>> https://github.com/lordofthejars/apache-tomee-ssl/blob/master/httpd-ssl.conf#L229
>>> which I think that is where it should be set.
>>> Everything too strange, but thanks anyway.
>> Then, and until Rainer himself jumps in, let me ask you if it would be possible to make
>> one more test. As far as I understand, this is not the way it /should/ work, but it may be
>> a way to find out what doesn't work, inasmuch as there is really a problem :
>>
>> Somewhere in that same page, there is a way by which you can "force" a value to be passed
>> on to Tomcat as a request attribute (via JkEnvVar "name" "default-value").
>> Can you try to pass the SSL session-id in that way, and obtain it in Tomcat via
>> request.getAttribute("name"), instead of the standard request.ssl_session ?
>> And check if /then/, you get it all the time ?
>>
>> Again, this is probably not the way in which this should work. But Tomcat is open-source
>> and free software, and its development and debugging benefit from the help of any
>> benevolent user, particularly if that user is interested in solving a particular problem
>> that he is having.
>>
>>> On Tue, 7 Jul 2015 at 19:17, André Warnier (<aw@ice-sa.com>) wrote:
>>>
>>>> Alex Soto wrote:
>>>>> Thank you so much but it is already set.
>>>>> https://github.com/lordofthejars/apache-tomee-ssl/blob/master/httpd.conf#L171
>>>>> This is so strange.
>>>> But there is also this phrase : "In order to make SSL data available for mod_jk in Apache,
>>>> you need to set SSLOptions +StdEnvVars."
>>>>
>>>> Honestly, I have never tried this, and I am not an SSL specialist at all, and the phrase
>>>> above is a bit ambiguous.  But it seems worth a try, and I do not see it in your
>>>> configuration.
>>>>
>>>>> On Tue, 7 Jul 2015 at 12:25, André Warnier (<aw@ice-sa.com>) wrote:
>>>>>
>>>>>> Mark Thomas wrote:
>>>>>>> On 07/07/2015 09:28, Alex Soto wrote:
>>>>>>>> Hi Mark, SSL Session ID is not passed to Tomcat. You can see the logs here
>>>>>>>> https://gist.github.com/lordofthejars/226d8ed605f2a58b52f3 (I have created
>>>>>>>> a gist to not add here a lot of lines).
>>>>>>>>
>>>>>>>> Now the question is: does it happen because of mod_jk or because of Apache?
>>>>>>>> Alex.
>>>>>>> OK. You've reached the limits of my comfort zone. You need someone more
>>>>>>> familiar with the httpd side of things at this point. Rainer?
>>>>>>>
>>>>>>> Mark
>>>>>> Not Rainer, but maybe this helps :
>>>>>> http://tomcat.apache.org/connectors-doc/reference/apache.html
>>>>>> Look for "JkExtractSSL".
>>>>>>
>>>>>>
>>>>>>>> On Mon, 6 Jul 2015 at 12:48, Mark Thomas (<markt@apache.org>) wrote:
>>>>>>>>
>>>>>>>>> On 06/07/2015 10:48, Alex Soto wrote:
>>>>>>>>>> Hello I have seen a strange behaviour in Apache HTTPD (2.4) and TomEE (in
>>>>>>>>>> fact it is a Tomcat (7.0.61) so it is exactly the same for Tomcat) when I
>>>>>>>>>> configure Apache server with SSL and mod_jk.
>>>>>>>>>> In fact I am not sure where it is the problem if in mod_jk, in Apache
>>>>>>>>>> Server or in Tomcat, but I suspect that maybe the problem is on mod_jk
>>>>>>>>>> configuration.
>>>>>>>>>>
>>>>>>>>>> I am configuring the typical Apache as frontend and TomEE(Tomcat) as
>>>>>>>>>> backend solution. Currently Apache is configured with SSL and with mod_jk
>>>>>>>>>> it connects to TomEE using AJP. This works perfectly. The problem is that
>>>>>>>>>> inside my code I need to get the ssl session id:
>>>>>>>>>>
>>>>>>>>>> String ssl = (String)servletRequest.getAttribute("javax.servlet.request.ssl_session_id");
>>>>>>>>>>
>>>>>>>>>> I don't know why but sometimes this attribute is null and sometimes not. It
>>>>>>>>>> may return a null at first then stay like 10 requests working and then stop
>>>>>>>>>> working again during some requests and the get attribute returns null.
>>>>>>>>>> It seems that everything is configured correctly since sometimes works.
>>>>>>>>>> Have you ever found something similar or knows what it can be happening? Do
>>>>>>>>>> you think that maybe the problem is on client (browser) side?
>>>>>>>>>>
>>>>>>>>>> Everything is dockerized here:
>>>>>>>>>> https://github.com/lordofthejars/apache-tomee-ssl so you can review
>>>>>>>>>> configuration files of tomcat and apache or even run it.
>>>>>>>>>>
>>>>>>>>>> Thank you so much for your support.
>>>>>>>>> Try turning on debug logging for mod_jk. It will generate lots of data
>>>>>>>>> so just do it long enough to see the problem. When you look at the logs
>>>>>>>>> you should be able to see if the SSL Session ID is being passed to
>>>>>>>>> Tomcat or not.
>>>>>>>>>
>>>>>>>>> Mark
>>>>>>>>>
>> ---------------------------------------------------------------------
>>>>>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>>>>
>>>>>>>>>
> 
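
As an added example (not code from this thread or from the Tomcat project), a servlet filter that checks all three places the thread mentions for the session id and logs which one delivered it, which helps pinpoint the hop where the value is lost. The class name and the `example.resolvedSslSessionId` attribute are hypothetical; the header value can only be trusted when Tomcat is reachable solely through the httpd that sets it with `RequestHeader set`.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

/** Added diagnostic example: reports which hop delivered the TLS session id. */
public class SslSessionIdProbeFilter implements Filter {
    private static final Logger LOG = Logger.getLogger("ssl-session-probe");
    static final String STANDARD_ATTR = "javax.servlet.request.ssl_session_id";
    static final String JK_ENV_ATTR = "SSL_SESSION_ID";  // JkEnvVar SSL_SESSION_ID "none"
    static final String HEADER = "JK-SSL-SESSION";       // RequestHeader set JK-SSL-SESSION ...
    // Hypothetical attribute name under which the resolved id is republished.
    public static final String RESOLVED_ATTR = "example.resolvedSslSessionId";

    /** Maps every "not set" marker to null: missing, empty, the JkEnvVar default
     *  "none", and "(null)", which mod_headers writes for an unset %{VAR}e. */
    static String clean(Object value) {
        if (value == null) return null;
        String s = value.toString().trim();
        return (s.isEmpty() || "none".equals(s) || "(null)".equals(s)) ? null : s;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String std = clean(req.getAttribute(STANDARD_ATTR));
        String env = clean(req.getAttribute(JK_ENV_ATTR));
        String hdr = (req instanceof HttpServletRequest)
                ? clean(((HttpServletRequest) req).getHeader(HEADER)) : null;

        String resolved = std != null ? std : (env != null ? env : hdr);
        if (resolved == null) {
            LOG.warning("TLS session id absent from attribute, JkEnvVar and header");
        } else if (std == null) {
            // httpd had the id but the standard AJP SSL attribute was not filled in.
            LOG.info("standard attribute empty; id supplied by "
                    + (env != null ? "JkEnvVar" : "request header"));
        } else if (env != null && !std.equals(env)) {
            LOG.warning("standard attribute and JkEnvVar value disagree");
        }
        if (resolved != null) req.setAttribute(RESOLVED_ATTR, resolved);
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

The filter deliberately never logs the session id itself, only which source supplied it.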

