tomcat-users mailing list archives

From Alex Soto <asot...@gmail.com>
Subject Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id
Date Wed, 08 Jul 2015 08:25:34 GMT
Hi, I have tried this approach and custom JkEnvVar are passed correctly. What I
don't know how to do is how to set an already existing JkEnvVar to a new JkEnvVar
(what you mention about "force"). I have tried with %{SSL_SESSION_ID} and $
but no luck (I don't know if it is because originally it was null or not).

Alex.

On Tue, 7 Jul 2015 at 23:05, André Warnier (<aw@ice-sa.com>) wrote:

> Alex Soto wrote:
> > Yes, it is set at httpd-ssl.config
> > https://github.com/lordofthejars/apache-tomee-ssl/blob/master/httpd-ssl.conf#L229
> > which I think is where it should be set.
> > Everything is too strange, but thanks anyway.
>
> Then, and until Rainer himself jumps in, let me ask you if it would be possible to make
> one more test. As far as I understand, this is not the way it /should/ work, but it may be
> a way to find out what doesn't work, inasmuch as there is really a problem:
>
> Somewhere in that same page, there is a way by which you can "force" a value to be passed
> on to Tomcat as a request attribute (via JkEnvVar "name" "default-value").
> Can you try to pass the SSL session-id in that way, and obtain it in Tomcat via
> request.getAttribute("name"), instead of the standard request.ssl_session ?
> And check if /then/, you get it all the time ?
>
> Again, this is probably not the way in which this should work. But Tomcat is open-source
> and free software, and its development and debugging benefit from the help of any
> benevolent user, particularly if that user is interested in solving a particular problem
> that he is having.
>
> >
> > On Tue, 7 Jul 2015 at 19:17, André Warnier (<aw@ice-sa.com>) wrote:
> >
> >> Alex Soto wrote:
> >>> Thank you so much but it is already set.
> >>> https://github.com/lordofthejars/apache-tomee-ssl/blob/master/httpd.conf#L171
> >>> This is so strange.
> >> But there is also this phrase : "In order to make SSL data available for mod_jk in Apache,
> >> you need to set SSLOptions +StdEnvVars."
> >>
> >> Honestly, I have never tried this, and I am not an SSL specialist at all, and the phrase
> >> above is a bit ambiguous.  But it seems worth a try, and I do not see it in your
> >> configuration.
> >>
> >>> On Tue, 7 Jul 2015 at 12:25, André Warnier (<aw@ice-sa.com>) wrote:
> >>>
> >>>> Mark Thomas wrote:
> >>>>> On 07/07/2015 09:28, Alex Soto wrote:
> >>>>>> Hi Mark, SSL Session ID is not passed to Tomcat. You can see the logs here
> >>>>>> https://gist.github.com/lordofthejars/226d8ed605f2a58b52f3 (I have created
> >>>>>> a gist to not add here a lot of lines).
> >>>>>>
> >>>>>> Now the question is: does it happen because of mod_jk or because of Apache?
> >>>>>> Alex.
> >>>>> OK. You've reached the limits of my comfort zone. You need someone more
> >>>>> familiar with the httpd side of things at this point. Rainer?
> >>>>>
> >>>>> Mark
> >>>> Not Rainer, but maybe this helps :
> >>>> http://tomcat.apache.org/connectors-doc/reference/apache.html
> >>>> Look for "JkExtractSSL".
> >>>>
> >>>>
> >>>>>> On Mon, 6 Jul 2015 at 12:48, Mark Thomas (<markt@apache.org>) wrote:
> >>>>>>
> >>>>>>> On 06/07/2015 10:48, Alex Soto wrote:
> >>>>>>>> Hello, I have seen a strange behaviour in Apache HTTPD (2.4) and TomEE (in
> >>>>>>>> fact it is a Tomcat (7.0.61) so it is exactly the same for Tomcat) when I
> >>>>>>>> configure Apache server with SSL and mod_jk.
> >>>>>>>> In fact I am not sure where the problem is, whether in mod_jk, in Apache
> >>>>>>>> Server or in Tomcat, but I suspect that maybe the problem is in the mod_jk
> >>>>>>>> configuration.
> >>>>>>>>
> >>>>>>>> I am configuring the typical Apache as frontend and TomEE (Tomcat) as
> >>>>>>>> backend solution. Currently Apache is configured with SSL and with mod_jk
> >>>>>>>> it connects to TomEE using AJP. This works perfectly. The problem is that
> >>>>>>>> inside my code I need to get the ssl session id:
> >>>>>>>>
> >>>>>>>> String ssl =
> >>>>>>>>     (String) servletRequest.getAttribute("javax.servlet.request.ssl_session_id");
> >>>>>>>>
> >>>>>>>> I don't know why but sometimes this attribute is null and sometimes not. It
> >>>>>>>> may return a null at first, then stay like 10 requests working and then stop
> >>>>>>>> working again during some requests and the get attribute returns null.
> >>>>>>>> It seems that everything is configured correctly since sometimes it works.
> >>>>>>>> Have you ever found something similar or know what can be happening? Do
> >>>>>>>> you think that maybe the problem is on the client (browser) side?
> >>>>>>>>
> >>>>>>>> Everything is dockerized here:
> >>>>>>>> https://github.com/lordofthejars/apache-tomee-ssl so you can review
> >>>>>>>> configuration files of tomcat and apache or even run it.
> >>>>>>>>
> >>>>>>>> Thank you so much for your support.
> >>>>>>> Try turning on debug logging for mod_jk. It will generate lots of data
> >>>>>>> so just do it long enough to see the problem. When you look at the logs
> >>>>>>> you should be able to see if the SSL Session ID is being passed to
> >>>>>>> Tomcat or not.
> >>>>>>>
> >>>>>>> Mark
> >>>>>>>
> >>>>>>>
> >>>>>>> ---------------------------------------------------------------------
> >>>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>>>>
> >>>>>>>
>
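
The test proposed in the quoted reply above, written out as an httpd configuration fragment. This is an added example, not part of the thread and not taken from the poster's repository; it assumes placement inside the existing SSL virtual host, and the sentinel string is a constructed value.

```apache
# Added example: directives for the SSL virtual host that serves the
# mod_jk-mounted application. Certificate and JkMount lines stay as they are.

# Export the SSL_* variables (SSL_SESSION_ID among them) into the
# per-request environment, which is where mod_jk looks them up.
SSLOptions +StdEnvVars

# Standard path: mod_jk copies the SSL data into the AJP request and Tomcat
# exposes the session id as javax.servlet.request.ssl_session_id.
# Both values are the documented defaults, written out explicitly here.
JkExtractSSL On
JkSESSIONIndicator SSL_SESSION_ID

# Diagnostic path: forward the same environment variable as an ordinary
# request attribute. JkEnvVar takes the name of an httpd environment
# variable; the second argument is sent whenever that variable is not set
# for the request, so the sentinel marks "httpd had no session id".
JkEnvVar SSL_SESSION_ID "NOT_SET_IN_HTTPD"

# Temporary: debug logging shows what mod_jk sends for each request.
JkLogLevel debug

# On the Tomcat side, compare for every request:
#   request.getAttribute("SSL_SESSION_ID")
#   request.getAttribute("javax.servlet.request.ssl_session_id")
#
# Reading the result:
#   first is the sentinel          -> httpd itself had no SSL_SESSION_ID for
#                                     that request; look at mod_ssl, not mod_jk
#   first is a real id, second is
#   null                           -> the value exists in httpd but is lost on
#                                     the standard mod_jk/AJP path
#   both hold the same id          -> the request was handled as expected
```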
