tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <Rekha...@Dell.com>
Subject RE: FW: tomcat creating new ssl session id for same session
Date Fri, 29 Nov 2019 05:59:00 GMT
Highly Restricted - Confidential

Hi Chris,

Some more details added below. Please let me know id any more details needed.

Thanks,
Rekha MS

-----Original Message-----
From: Christopher Schultz <chris@christopherschultz.net> 
Sent: Thursday, November 28, 2019 7:19 PM
To: users@tomcat.apache.org
Subject: Re: FW: tomcat creating new ssl session id for same session

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Rekha,

On 11/28/19 01:33, Rekha.MS@Dell.com wrote:
> Thanks for your prompt reply. Please find my response inline.

It seems you forgot to include any useful responses.

> -----Original Message----- From: Christopher Schultz 
> <chris@christopherschultz.net> Sent: Wednesday, November 27, 2019
> 11:15 PM To: users@tomcat.apache.org Subject: Re: FW: tomcat creating 
> new ssl session id for same session
> 
> Rekha,
> 
> On 11/27/19 05:15, Rekha.MS@Dell.com wrote:
>> I am using javax.servlet.request.ssl_session_id for session 
>> validation. But tomcat creating new ssl session id and user session 
>> validation is failing.
> 
> How are you performing the validation?
> 
> Rekha MS: Ssl_session_id is used for validation.

Yes... HOW, exactly?
Rekha MS: ssl_session_id is validated with the previous ssl_sesion_id stored. For the same
user session ,assumption is ssl_session_id is same for all requests.
But now I am seeing ssl_session_id is changing for the same user session.

> What is the order-of-events that you are observing?
> 
> Rekha MS : Ssl_session_id is same for some requests and then it 
> changes after some time.

That was clear from your original post. I'm asking for SPECIFICS. For example, the TLS handshake
establishes an ssl_session_id and the the next request seems to change the session id. Or
maybe the session id changes every 30 minutes? OR after you suspend the OS on the client and
come out of sleep?
Rekha MS: TLS handshake establishes an ssl_session_id and the next request in the same user
session seems to change the session id

Please give some details or nobody will be able to help you.

> What version of Tomcat, and what kind of <Connector> are you using?
> 
> Rekha MS: Tomcat 8.5.15 , Nio connector(Http11NioProtocol to be
> specific)

That is a quite old version of Tomcat. Is there a reason you are 2.5-year-old version of Tomcat
with published vulnerabilities and many many bug fixes?
Rekha MS:  I have upgraded to 9.0.21 version.

Have you read the changelog? Perhaps there are interesting things in there related to your
issue.

Are you using OpenSSL or the pure-Java cryptographic provider?
Rekha MS :Java cryptographic provider.

>> Please let me know when tomcat creates new ssl session id and how by 
>> mandate it to use same ssl session id for same user session
> 
> TLS session ids must change periodically when certain renegotiations 
> occur. This is actually a security feature. I'm not sure it is 
> possible to disable it entirely> Rekha MS: what triggers these 
> renegotiations?

If anything about the connection must change -- such as the server requesting a client certificate
-- a renegotiation occurs. The session id is not required to change, but it may change.

The client or the server may request renegotiation at any time for any reason. AFAIK, Tomcat
does not request renegotiation unless a client certificate is requested/required for authentication
and the client didn't volunteer one during the handshake.
Rekha MS: We do not have client certificate, does this cause renegotiations to happen. This
was not happening before. From which release is such request renegotiation enforced.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl3f0GEACgkQHPApP6U8
pFgz0Q/+Ltbz35ZyHwGU1eupyP7K921l3FNVssH/PAbuX82aZhAZFVM19vaRXTDX
vQJrAV4OBF8CSXZ45McjPVaBjensuK2cGbPc46LCXNtGEkB8hjoMH1EayCDc8K8k
PaXgQKWczsitcd7dchjQOV6inK3CTwjD9yK93eUrAlJDbzjUbTOoMVf4Z1XmrOJw
/k2Y1Om8140br9EkEgIELTQr72OcbGPsQTEl780Gq2kFv1PC8mxgbpNZbqCsvmPa
YDMQLEstlmmaF+yztL46EGRVbVopxcJLT4kpkr4/Qk5Al6weVRlvZInaDyXJn9IJ
t3k5cDHhAUG4Tv477zHche+aexDimmlsMA8FKclp30iV4h8383TCURXEQkGEmnm9
Y+Kx9lneWuwCIuNJvdInl7seao9iCaWuuYbekVhpBkk9sLLO++HzFe0+w4kSqZ8y
qPV+ttmXt7kwkFbzXvlyrbs8GAEIX+H1m/vVa+OQghF27Qg8hnG2NiV6VsfU8/2i
DCfUp9+EjD6w5V+mEuNjZTo9+Miz5Cxl42G2QmbcojE0HiPDZ073gRwT60qJJvxp
APCmjIi5XT/yGjw/RUUR9Lxh4wNzdZF7uEduRyYJtkkc2pvVtiGW8ZWoW0UL3M/T
nznBlddv7I0SqtvHGpnye+lMZXwhNEAm6sat0/UzxVfGeaLjlgY=
=D24+
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Mime
View raw message