tomcat-users mailing list archives

From Vincent Goelen <>
Subject Re: Tomcat 7 SSL Session ID
Date Tue, 04 Dec 2012 16:51:04 GMT
Thanks again for the fast response, sorry for being unclear about some
parts. First time using the mailing list.

I'm using Apache Tomcat Version 7.0.32 on Mac OS X 10.7.5. I've tested it
on a Linux virtual machine too and got the same problems. I'm using JDK 1.6 (I don't
think it has any importance here).

A lot is kind of variable; it depends on how long the processing of the request
takes. For example, when I put a sleep of 1 sec in my JSP code the problem
occurs after about 6 requests; in another test example where I just write
some things to a database it takes more requests, sometimes about 100,
sometimes less. It's not really a fixed number I can put on it.

To be clear, it's indeed the SSL session that gets invalidated, not the
HttpSession... But through the invalidation, the HttpSession's identifier (which
is the SSL session id) is gone, so the HttpSession becomes useless as well.

In this zip file you can find 3 files:
- a log which is the SSL debug log from Tomcat, where you can find an
example of the invalidation at line 2592 (log mislopen.log)
- a Wireshark capture file in which the things that go wrong are captured
(Capture_TomcatSSLFout) => here things go wrong at packet 40361; you can
best filter on "tcp.port == 8443" to filter traffic between server and
- a screenshot of where things go wrong in case you can't open the
Wireshark capture (Schermafbeelding 2012-12-04 om 15.09.56)

Again many thanks!

2012/12/4 Christopher Schultz <>

> Vincent,
> On 12/4/12 9:15 AM, Vincent Goelen wrote:
> > To be clear, I do not want a 0ms timeout... I'm doing research
> > about how "usable" the SSL session tracking option is for session
> > management... With the standard settings it seems very unstable to
> > me: when sending a lot of parallel requests I get a broken socket
> > error invalidating the SSL session and making the session with this
> > id disappear. In this case it would seem to me that it's easy to
> > create Denial of Service attacks by just sending a lot of requests
> > so the user loses his session.
> Forgive me, but it sounded like you set timeout=0 and then started
> getting weird behavior. I would have totally expected weird behavior
> with timeout=0 so that's why I was asking.
> You are going to need to provide a lot more detail about the
> session-invalidation (you're talking about *SSL session* invalidation,
> not HttpSession invalidation, right?) you are observing if you want to
> get any help. Lots of technical details, logs, explicit configuration
> (even if it is the default), specific version numbers ("Tomcat 7"
> isn't good enough), etc.
> You should also try it on a couple of different platforms. What
> happens on Linux? Windows? Solaris? Whatever you've got laying around.
> > I've added a screenshot of a capture where things go wrong without
> > setting a keepAlive.
> Attachments get stripped from this list: please post the file
> somewhere else and provide a link.
> > So I send alot of requests to the server,
> How many is a lot? Serial or parallel? How many parallel threads? Be
> specific.
> -chris
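For reference, this is how SSL session tracking is wired up in Tomcat 7 and where the TLS session cache that the HttpSession then depends on is configured. This is an added example, not configuration from either message in this thread; the connector attribute names are taken from the Tomcat 7 JSSE connector documentation as I recall it, and the keystore path and password are placeholders.

```xml
<!-- WEB-INF/web.xml of the application.
     With tracking-mode SSL, Tomcat uses the TLS session id as the
     HttpSession id, so the HttpSession can only be found for as long
     as the server side still holds that TLS session. -->
<session-config>
    <tracking-mode>SSL</tracking-mode>
</session-config>

<!-- conf/server.xml: JSSE HTTPS connector (protocol and attribute names
     per the Tomcat 7 docs; keystore values are placeholders).
     sessionCacheSize: number of TLS sessions kept in the cache, 0 = unlimited.
     sessionTimeout:   lifetime of a cached TLS session in seconds.
     Whatever evicts or invalidates a TLS session here also ends the
     HttpSession bound to it, which is the behaviour discussed above. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/PLACEHOLDER-keystore.jks"
           keystorePass="PLACEHOLDER"
           sessionCacheSize="0"
           sessionTimeout="86400" />
```

When testing how robust this setup is, compare the TLS session id in the Wireshark capture with the JSESSIONID-equivalent the application sees, so that a lost HttpSession can be attributed to the TLS layer rather than to the servlet container.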
