Message-ID: <559D16FE.4070000@ice-sa.com>
Date: Wed, 08 Jul 2015 14:26:38 +0200
From: André Warnier
Reply-To: Tomcat Users List
To: Tomcat Users List
Subject: Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

Alex Soto wrote:
> Hi I have tried this approach custom JkEnvVar are passed correctly, what I
> don't know how to do is how to set an already JkEnvVar to a new JkEnvVar
> (what you mention about "force") I have tried with %{SSL_SESSION_ID} and $
> but no luck (Don't know if it is because originally it was null or not).

I think it is just

  JkEnvVar SSL_SESSION_ID "none"

(where "none" is the default value, used if the Apache "environment variable" SSL_SESSION_ID was not set before you pass the request to Tomcat.)
(The default value ensures that Tomcat always gets something, no matter what)

Then in Tomcat you do

  request.getAttribute("SSL_SESSION_ID")

, and if you find the value "none", it means that SSL_SESSION_ID was not set at the httpd level.

Note: if that does not work, there is still another method that can be tried : setting a HTTP request header, before proxying to Tomcat.
It would work like this :

  RewriteEngine On
  RewriteRule .* - [E=MY_SESSION_ID:%{SSL:SSL_SESSION_ID},NE]
  RequestHeader set JK-SSL-SESSION "%{MY_SESSION_ID}e"

and then in Tomcat you would retrieve the HTTP header "JK-SSL-SESSION".

>
> Alex.
>
> On Tue, 7 Jul 2015 at 23:05, André Warnier wrote:
>
>> Alex Soto wrote:
>>> yes it is set at httpd-ssl.config
>>> https://github.com/lordofthejars/apache-tomee-ssl/blob/master/httpd-ssl.conf#L229
>>> which I think that is where it should be set.
>>> Everything too strange, but thanks anyway.
>> Then, and until Rainer himself jumps in, let me ask you if it would be possible to make
>> one more test. As far as I understand, this is not the way it /should/ work, but it may be
>> a way to find out what doesn't work, inasmuch as there is really a problem :
>>
>> Somewhere in that same page, there is a way by which you can "force" a value to be passed
>> on to Tomcat as a request attribute (via JkEnvVar "name" "default-value").
>> Can you try to pass the SSL session-id in that way, and obtain it in Tomcat via
>> request.getAttribute("name"), instead of the standard request.ssl_session ?
>> And check if /then/, you get it all the time ?
>>
>> Again, this is probably not the way in which this should work. But Tomcat is open-source
>> and free software, and its development and debugging benefit from the help of any
>> benevolent user, particularly if that user is interested in solving a particular problem
>> that he is having.
>>
>>> On Tue, 7 Jul 2015 at 19:17, André Warnier wrote:
>>>
>>>> Alex Soto wrote:
>>>>> Thank you so much but it is already set.
>>>>> https://github.com/lordofthejars/apache-tomee-ssl/blob/master/httpd.conf#L171
>>>>> This is so strange.
>>>> But there is also this phrase : "In order to make SSL data available for mod_jk in Apache,
>>>> you need to set SSLOptions +StdEnvVars."
>>>>
>>>> Honestly, I have never tried this, and I am not an SSL specialist at all, and the phrase
>>>> above is a bit ambiguous. But it seems worth a try, and I do not see it in your
>>>> configuration.
>>>>
>>>>> On Tue, 7 Jul 2015 at 12:25, André Warnier wrote:
>>>>>
>>>>>> Mark Thomas wrote:
>>>>>>> On 07/07/2015 09:28, Alex Soto wrote:
>>>>>>>> Hi Mark, SSL Session ID is not passed to Tomcat. You can see the logs here
>>>>>>>> https://gist.github.com/lordofthejars/226d8ed605f2a58b52f3 (I have created
>>>>>>>> a gist to not add here a lot of lines).
>>>>>>>>
>>>>>>>> Now the question is, does it happen because of mod_jk or because of Apache?
>>>>>>>> Alex.
>>>>>>> OK. You've reached the limits of my comfort zone. You need someone more
>>>>>>> familiar with the httpd side of things at this point. Rainer?
>>>>>>>
>>>>>>> Mark
>>>>>> Not Rainer, but maybe this helps :
>>>>>> http://tomcat.apache.org/connectors-doc/reference/apache.html
>>>>>> Look for "JkExtractSSL".
>>>>>>
>>>>>>
>>>>>>>> On Mon, 6 Jul 2015 at 12:48, Mark Thomas wrote:
>>>>>>>>
>>>>>>>>> On 06/07/2015 10:48, Alex Soto wrote:
>>>>>>>>>> Hello I have seen a strange behaviour in Apache HTTPD (2.4) and TomEE (in
>>>>>>>>>> fact it is a Tomcat (7.0.61) so it is exactly the same for Tomcat) when I
>>>>>>>>>> configure Apache server with SSL and mod_jk.
>>>>>>>>>> In fact I am not sure where it is the problem if in mod_jk, in Apache
>>>>>>>>>> Server or in Tomcat, but I suspect that maybe the problem is on mod_jk
>>>>>>>>>> configuration.
>>>>>>>>>>
>>>>>>>>>> I am configuring the typical Apache as frontend and TomEE(Tomcat) as
>>>>>>>>>> backend solution. Currently Apache is configured with SSL and with mod_jk
>>>>>>>>>> it connects to TomEE using AJP. This works perfectly.
>>>>>>>>>> The problem is that
>>>>>>>>>> inside my code I need to get the ssl session id:
>>>>>>>>>>
>>>>>>>>>> String ssl =
>>>>>>>>>>     (String)servletRequest.getAttribute("javax.servlet.request.ssl_session_id");
>>>>>>>>>> I don't know why but sometimes this attribute is null and sometimes not. It
>>>>>>>>>> may return a null at first then stay like 10 requests working and then stop
>>>>>>>>>> working again during some requests and the get attribute returns null.
>>>>>>>>>> It seems that everything is configured correctly since sometimes works.
>>>>>>>>>> Have you ever found something similar or knows what it can be happening? Do
>>>>>>>>>> you think that maybe the problem is on client (browser) side?
>>>>>>>>>>
>>>>>>>>>> Everything is dockerized here:
>>>>>>>>>> https://github.com/lordofthejars/apache-tomee-ssl so you can review
>>>>>>>>>> configuration files of tomcat and apache or even run it.
>>>>>>>>>>
>>>>>>>>>> Thank you so much for your support.
>>>>>>>>> Try turning on debug logging for mod_jk. It will generate lots of data
>>>>>>>>> so just do it long enough to see the problem. When you look at the logs
>>>>>>>>> you should be able to see if the SSL Session ID is being passed to
>>>>>>>>> Tomcat or not.
>>>>>>>>>
>>>>>>>>> Mark
>>>>>>>>>
>>>>>>>>> ---------------------------------------------------------------------
>>>>>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
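
Added example, not part of the original message and not code from Tomcat or mod_jk: a Tomcat-side helper for the two routes described in the reply at the top of this message (the JkEnvVar attribute with its "none" default, and the JK-SSL-SESSION request header). The class and method names are hypothetical, the two lookup functions stand in for request.getAttribute and request.getHeader, and the sample values are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;
import java.util.function.Function;
import java.util.regex.Pattern;

public class SslSessionIdResolver {
    // mod_ssl exports SSL_SESSION_ID hex-encoded; a TLS session id is at most 32 bytes.
    private static final Pattern HEX = Pattern.compile("[0-9A-Fa-f]{2,64}");

    /** Treats null, the JkEnvVar default "none", mod_headers' "(null)" and any non-hex text as absent. */
    static Optional<String> clean(Object raw) {
        if (!(raw instanceof String)) return Optional.empty();
        String s = ((String) raw).trim();
        if (s.equals("none") || s.equals("(null)") || !HEX.matcher(s).matches()) {
            return Optional.empty();
        }
        return Optional.of(s);
    }

    /** attr stands in for request::getAttribute, header for request::getHeader. */
    static Optional<String> resolve(Function<String, Object> attr, Function<String, String> header) {
        // 1. the standard attribute the original code reads
        Optional<String> id = clean(attr.apply("javax.servlet.request.ssl_session_id"));
        // 2. the attribute forced through JkEnvVar SSL_SESSION_ID "none"
        if (!id.isPresent()) id = clean(attr.apply("SSL_SESSION_ID"));
        // 3. the header set by RequestHeader in httpd
        if (!id.isPresent()) id = clean(header.apply("JK-SSL-SESSION"));
        return id;
    }

    public static void main(String[] args) {
        // Constructed sample request state, not taken from the thread's logs.
        Map<String, Object> attrs = new LinkedHashMap<>();
        Map<String, String> headers = new LinkedHashMap<>();

        // httpd had no session id: both routes deliver only their placeholder values.
        attrs.put("SSL_SESSION_ID", "none");
        headers.put("JK-SSL-SESSION", "(null)");
        System.out.println(resolve(attrs::get, headers::get));

        // The JkEnvVar route delivers a hex session id.
        attrs.put("SSL_SESSION_ID", "3A9F0C11D2");
        System.out.println(resolve(attrs::get, headers::get));
    }
}
```

In a servlet the call is resolve(request::getAttribute, request::getHeader). The header route is only as trustworthy as the front end: RequestHeader set replaces any client-supplied JK-SSL-SESSION value, so the directive has to apply to every request that reaches Tomcat.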