From: Vincent Goelen
To: Tomcat Users List
Date: Tue, 4 Dec 2012 17:51:04 +0100
Subject: Re: Tomcat 7 SSL Session ID
In-Reply-To: <50BE2101.1030203@christopherschultz.net>
References: <50B7C3A6.4010300@christopherschultz.net> <50BE2101.1030203@christopherschultz.net>

Thanks again for the fast response, and sorry for being unclear about some parts. First time using the mailing list.

I'm using Apache Tomcat Version 7.0.32 on Mac OS X 10.7.5. I've tested it on a Linux virtual machine too and got the same problems. I'm using JDK 1.6 (I don't think it has any importance here).

A lot is kind of variable; it depends on how long the processing of the request takes. For example, when I put a sleep of 1 sec in my JSP code the problem occurs after about 6 requests; in another test example where I just write some things to a database it takes more requests, sometimes about 100, sometimes less. It's not really a fixed number I can put on it.

To be clear, it's indeed the SSL session that gets invalidated, not the HttpSession... But by the invalidation, the HttpSession's identifier (which is the SSL session id) is gone, so the HttpSession becomes useless as well.

http://users.telenet.be/goelenv/Archief.zip

In this zip file you can find 3 files:
- a log which is the SSL debug log from Tomcat; there you can find an example of the invalidation at line 2592 (log mislopen.log)
- a Wireshark capture file in which the things that go wrong are captured (Capture_TomcatSSLFout) => here things go wrong at packet 40361; you can best filter on "tcp.port == 8443" to filter the traffic between server and client
- a screenshot of where things go wrong in case you can't open the Wireshark capture (Schermafbeelding 2012-12-04 om 15.09.56)

Again many thanks!
Vincent

2012/12/4 Christopher Schultz
> Vincent,
>
> On 12/4/12 9:15 AM, Vincent Goelen wrote:
> > To be clear, I do not want a 0ms timeout... I'm doing research
> > about how "usable" the SSL session tracking option is for session
> > management... With the standard settings it seems very unstable to
> > me; when sending a lot of parallel requests I get a broken socket
> > error invalidating the SSL session and making the session with this
> > id disappear. In this case it would seem to me that it's easy to
> > create Denial of Service attacks by just sending a lot of requests
> > so the user loses his session.
>
> Forgive me, but it sounded like you set timeout=0 and then started
> getting weird behavior. I would have totally expected weird behavior
> with timeout=0, so that's why I was asking.
>
> You are going to need to provide a lot more detail about the
> session-invalidation (you're talking about *SSL session* invalidation,
> not HttpSession invalidation, right?) you are observing if you want to
> get any help. Lots of technical details, logs, explicit configuration
> (even if it is the default), specific version numbers ("Tomcat 7"
> isn't good enough), etc.
>
> You should also try it on a couple of different platforms. What
> happens on Linux? Windows? Solaris? Whatever you've got lying around.
>
> > I've added a screenshot of a capture where things go wrong without
> > setting a keepAlive.
>
> Attachments get stripped from this list: please post the file
> somewhere else and provide a link.
>
> > So I send a lot of requests to the server,
>
> How many is a lot? Serial or parallel? How many parallel threads? Be
> specific.
>
> -chris
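A diagnostic servlet filter, added here as an example (it is not code from this thread or from Tomcat), that makes the loss Vincent describes visible per request: with SSL session tracking the HttpSession id is the TLS session id, so once the TLS session is dropped the id the client "presents" no longer resolves. It assumes `<tracking-mode>SSL</tracking-mode>` in web.xml and uses the Tomcat-specific request attribute `javax.servlet.request.ssl_session_id`.

```java
// Added example (not from the thread or from Tomcat): log every request whose
// session id no longer resolves while SSL session tracking is in effect.
import java.io.IOException;
import java.util.Set;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionTrackingMode;
import javax.servlet.http.HttpServletRequest;

public class SslSessionLossFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(SslSessionLossFilter.class.getName());
    // Tomcat exposes the TLS session id under this (Tomcat-specific) attribute name.
    private static final String SSL_ID_ATTR = "javax.servlet.request.ssl_session_id";

    @Override
    public void init(FilterConfig cfg) {
        Set<SessionTrackingMode> modes = cfg.getServletContext().getEffectiveSessionTrackingModes();
        if (!modes.contains(SessionTrackingMode.SSL)) {
            LOG.warning("SSL session tracking is not enabled; this filter will observe nothing");
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            // Under SSL-only tracking Tomcat derives the requested session id from the
            // current TLS session, so a re-handshake after a dropped TLS session yields an
            // id that maps to no HttpSession: isRequestedSessionIdValid() becomes false.
            String requested = http.getRequestedSessionId();
            Object tlsId = http.getAttribute(SSL_ID_ATTR);
            if (requested != null && !http.isRequestedSessionIdValid()) {
                // Also fires on a client's very first request; correlate by remote address
                // and time in the log to separate first contact from a mid-session loss.
                LOG.warning(String.format(
                    "session id %s does not resolve; TLS session id=%s; remote=%s",
                    requested, tlsId, http.getRemoteAddr()));
            }
        }
        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() { }
}
```

Register it in web.xml for `/*`; a burst of these warnings from one client during a parallel-request run is the server-side counterpart of the invalidation seen in the SSL debug log.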