tomcat-users mailing list archives

From <>
Subject RE: FW: tomcat creating new ssl session id for same session
Date Fri, 29 Nov 2019 05:59:00 GMT
Highly Restricted - Confidential

Hi Chris,

Some more details added below. Please let me know if any more details are needed.

Rekha MS

-----Original Message-----
From: Christopher Schultz <> 
Sent: Thursday, November 28, 2019 7:19 PM
Subject: Re: FW: tomcat creating new ssl session id for same session



On 11/28/19 01:33, wrote:
> Thanks for your prompt reply. Please find my response inline.

It seems you forgot to include any useful responses.

> -----Original Message-----
> From: Christopher Schultz <>
> Sent: Wednesday, November 27, 2019 11:15 PM
> To:
> Subject: Re: FW: tomcat creating new ssl session id for same session
> Rekha,
> On 11/27/19 05:15, wrote:
>> I am using javax.servlet.request.ssl_session_id for session 
>> validation. But tomcat creating new ssl session id and user session 
>> validation is failing.
> How are you performing the validation?
> Rekha MS: Ssl_session_id is used for validation.

Yes... HOW, exactly?
Rekha MS: ssl_session_id is validated against the previous ssl_session_id stored. For the same
user session, the assumption is that ssl_session_id is the same for all requests.
But now I am seeing ssl_session_id changing for the same user session.

> What is the order-of-events that you are observing?
> Rekha MS: Ssl_session_id is the same for some requests and then it
> changes after some time.

That was clear from your original post. I'm asking for SPECIFICS. For example, the TLS handshake
establishes an ssl_session_id and the next request seems to change the session id. Or
maybe the session id changes every 30 minutes? Or after you suspend the OS on the client and
come out of sleep?
Rekha MS: The TLS handshake establishes an ssl_session_id and the next request in the same user
session seems to change the session id.

Please give some details or nobody will be able to help you.

> What version of Tomcat, and what kind of <Connector> are you using?
> Rekha MS: Tomcat 8.5.15, NIO connector (Http11NioProtocol to be
> specific)

That is a quite old version of Tomcat. Is there a reason you are using a 2.5-year-old version of Tomcat
with published vulnerabilities and many, many bug fixes?
Rekha MS: I have upgraded to version 9.0.21.

Have you read the changelog? Perhaps there are interesting things in there related to your

Are you using OpenSSL or the pure-Java cryptographic provider?
Rekha MS: Java cryptographic provider.

>> Please let me know when tomcat creates new ssl session id and how by 
>> mandate it to use same ssl session id for same user session
> TLS session ids must change periodically when certain renegotiations
> occur. This is actually a security feature. I'm not sure it is
> possible to disable it entirely.
> Rekha MS: what triggers these renegotiations?

If anything about the connection must change -- such as the server requesting a client certificate
-- a renegotiation occurs. The session id is not required to change, but it may change.

The client or the server may request renegotiation at any time for any reason. AFAIK, Tomcat
does not request renegotiation unless a client certificate is requested/required for authentication
and the client didn't volunteer one during the handshake.
Rekha MS: We do not have a client certificate; does this cause renegotiations to happen? This
was not happening before. From which release is such request renegotiation enforced?

- -chris
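The check Rekha describes (comparing the current `javax.servlet.request.ssl_session_id` with the one stored earlier in the user's session), written as a servlet Filter, as an added example that is not code from this thread or from Tomcat. It also carries the caveat Chris raises: the TLS session id may legitimately change after a renegotiation or a fresh handshake, so a mismatch is logged for investigation rather than treated as a failed validation. The attribute name comes from the thread; the filter class name and the `example.lastSslSessionId` session attribute are assumptions made for this example.

```java
// Added example (not from the thread or from Tomcat): audits changes of the TLS
// session id across requests that belong to one HttpSession.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class TlsSessionIdAuditFilter implements Filter {
    // Request attribute under which the container exposes the TLS session id.
    private static final String SSL_SESSION_ID_ATTR = "javax.servlet.request.ssl_session_id";
    // Session attribute name chosen for this example (assumption, not a standard name).
    private static final String STORED_ATTR = "example.lastSslSessionId";

    @Override
    public void init(FilterConfig config) {
        // nothing to configure
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            Object current = http.getAttribute(SSL_SESSION_ID_ATTR);
            // getSession(false): never create a session just to run the audit.
            HttpSession session = http.getSession(false);
            if (session != null) {
                String previous = (String) session.getAttribute(STORED_ATTR);
                if (current == null) {
                    // Plain HTTP, or the TLS stack exposed no id for this request;
                    // nothing to compare, so leave the stored value untouched.
                } else if (previous == null) {
                    // First TLS request seen for this HttpSession: remember the id.
                    session.setAttribute(STORED_ATTR, current.toString());
                } else if (!previous.equals(current.toString())) {
                    // A changed id is expected after a renegotiation or a new full
                    // handshake, so record it instead of invalidating the user's session.
                    http.getServletContext().log("TLS session id changed for HttpSession "
                            + session.getId() + ": " + previous + " -> " + current);
                    session.setAttribute(STORED_ATTR, current.toString());
                }
            }
        }
        chain.doFilter(req, res);
    }
}
```

Register the filter in `web.xml` (or with `@WebFilter`) on the paths you want audited. Because the id comparison only writes a log line, the filter can run in production to measure how often, and after which events, the id actually changes, which is exactly the kind of specifics Chris asks for above.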

