Re: [users@httpd] SSL Session Id lost?
Hi,

I have tried to put SSLSessionTickets off in httpd.conf and httpd-ssl.conf but the result is still the same.

Regards,
Alex.

On Thu, 23 Jul 2015 at 23:03, Yann Ylavic (ylavic@gmail.com) wrote:

> On Thu, Jul 23, 2015 at 3:50 PM, Alex Soto asot...@gmail.com wrote:
>
>> It seems that everything is configured correctly since it sometimes works.
>> Have you ever found something similar or know what can be happening?
>> Do you think that maybe the problem is on the client (browser) side?
>>
>> We say that there is something in Apache Httpd since I have modified what
>> was printed in the access_log file to print the ssl session id as second
>> parameter. And I get the following:
>>
>> (LogFormat "%H %{SSL_SESSION_ID}e %h %l %u %t \"%r\" %s %b")
>>
>> HTTP/1.1 - 172.17.42.1 - - [09/Jul/2015:09:15:06 +] GET /hello/hello HTTP/1.1 200 89
>
> This is because the SSL_SESSION_ID is not always available on the TLS side,
> when session tickets are used at first. It's up to the client to generate
> (or not) a session ID, which is only available on the first session
> resumption.
>
> See https://tools.ietf.org/html/rfc5077#section-3.4 for the details.
>
> You may configure SSLSessionTickets off to disable session tickets
> management in TLS (using session IDs only).
>
> Regards,
> Yann.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] SSL Session Id lost?
OK, finally it was the combination of the flag you mention with other flags. Now everything works, thank you so much.

Alex.

On Fri, 24 Jul 2015 at 9:51, Alex Soto (asot...@gmail.com) wrote:

> Hi,
>
> I have tried to put SSLSessionTickets off in httpd.conf and httpd-ssl.conf
> but the result is still the same.
>
> Regards,
> Alex.
>
> On Thu, 23 Jul 2015 at 23:03, Yann Ylavic (ylavic@gmail.com) wrote:
>
>> On Thu, Jul 23, 2015 at 3:50 PM, Alex Soto asot...@gmail.com wrote:
>>
>>> It seems that everything is configured correctly since it sometimes works.
>>> Have you ever found something similar or know what can be happening?
>>> Do you think that maybe the problem is on the client (browser) side?
>>>
>>> We say that there is something in Apache Httpd since I have modified what
>>> was printed in the access_log file to print the ssl session id as second
>>> parameter. And I get the following:
>>>
>>> (LogFormat "%H %{SSL_SESSION_ID}e %h %l %u %t \"%r\" %s %b")
>>>
>>> HTTP/1.1 - 172.17.42.1 - - [09/Jul/2015:09:15:06 +] GET /hello/hello HTTP/1.1 200 89
>>
>> This is because the SSL_SESSION_ID is not always available on the TLS side,
>> when session tickets are used at first. It's up to the client to generate
>> (or not) a session ID, which is only available on the first session
>> resumption.
>>
>> See https://tools.ietf.org/html/rfc5077#section-3.4 for the details.
>>
>> You may configure SSLSessionTickets off to disable session tickets
>> management in TLS (using session IDs only).
>>
>> Regards,
>> Yann.
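A check for the symptom discussed in this thread, as an added example that is not part of the original messages: it parses access_log lines written with the LogFormat Alex posted and counts, per client, how many requests carried no SSL_SESSION_ID, so the figures can be compared before and after setting SSLSessionTickets off. The function names and the last two sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Thread's LogFormat: %H %{SSL_SESSION_ID}e %h %l %u %t "%r" %s %b
# Quotes around %r are optional: the archived sample lines lost them.
LINE = re.compile(
    r'^(?P<proto>\S+) (?P<sid>\S+) (?P<client>\S+) \S+ \S+ '
    r'\[(?P<time>[^\]]*)\] "?(?P<request>[A-Z]+ \S+ \S+?)"? '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

def parse(line):
    """Return a dict for one access_log line, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # mod_log_config prints "-" for an unset variable; a session ID is hex.
    sid = rec["sid"]
    rec["sid"] = sid.lower() if re.fullmatch(r"[0-9a-fA-F]+", sid) else None
    return rec

def summarize(lines):
    """Per client: total requests, requests without a session ID, distinct IDs."""
    stats = defaultdict(lambda: {"total": 0, "missing": 0, "ids": set()})
    unparsed = 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparsed += 1
            continue
        s = stats[rec["client"]]
        s["total"] += 1
        if rec["sid"] is None:
            s["missing"] += 1
        else:
            s["ids"].add(rec["sid"])
    return dict(stats), unparsed

SID = "1b17f16f8ae73c1b4d706c1598aadb596db610bbdaeb1cd967e0bea98ec2abcb"
SAMPLE = [
    # The two lines quoted in the thread:
    "HTTP/1.1 - 172.17.42.1 - - [09/Jul/2015:09:15:06 +] GET /hello/hello HTTP/1.1 200 89",
    f"HTTP/1.1 {SID} 172.17.42.1 - - [09/Jul/2015:09:15:34 +] GET /hello/hello HTTP/1.1 200 209",
    # Constructed lines: a quoted request line and a line that is not a log entry.
    f'HTTP/1.1 {SID} 172.17.42.1 - - [09/Jul/2015:09:15:40 +0000] "GET /hello/hello HTTP/1.1" 200 209',
    "not an access_log line",
]
```

Calling `summarize(SAMPLE)` returns the per-client counters and the number of lines that did not match the format.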
[users@httpd] SSL Session Id lost?
Hello,

I have seen a strange behaviour in Apache HTTPD (2.4) and TomEE (in fact it is a Tomcat (7.0.61) so it is exactly the same for Tomcat) when I configure Apache server with SSL and mod_jk.

I have been asking in the Tomcat/mod_jk mailing list and after several discussions it seems that there is something strange (maybe it is correct of course but we don't understand why) on the Apache HTTPD side.

I am configuring the typical Apache as frontend and TomEE (Tomcat) as backend solution. Currently Apache is configured with SSL and with mod_jk it connects to TomEE using AJP. This works perfectly.

The problem is that inside my code I need to get the ssl session id:

    String ssl = (String) servletRequest.getAttribute("javax.servlet.request.ssl_session_id");

I don't know why but sometimes this attribute is null and sometimes not. It may return null for the first requests, then stay like 10 requests working, and then stop working again during some requests and the get attribute returns null.

It seems that everything is configured correctly since it sometimes works. Have you ever found something similar or know what can be happening? Do you think that maybe the problem is on the client (browser) side?

We say that there is something in Apache Httpd since I have modified what was printed in the access_log file to print the ssl session id as second parameter. And I get the following:

    (LogFormat "%H %{SSL_SESSION_ID}e %h %l %u %t \"%r\" %s %b")

    HTTP/1.1 - 172.17.42.1 - - [09/Jul/2015:09:15:06 +] GET /hello/hello HTTP/1.1 200 89
    HTTP/1.1 1b17f16f8ae73c1b4d706c1598aadb596db610bbdaeb1cd967e0bea98ec2abcb 172.17.42.1 - - [09/Jul/2015:09:15:34 +] GET /hello/hello HTTP/1.1 200 209

Notice that the first request does not contain the SSL SESSION ID although of course I have accessed using the https protocol. Then after several retries (basically refreshing the browser) the ssl session id appears in the log and of course then it can be retrieved in the Java part.

So it seems that there is something related in httpd (maybe there is an explanation) to know why at first queries httpd doesn't set the ssl session id and after some time it starts to do it.

Everything is dockerized here: https://github.com/lordofthejars/apache-tomee-ssl so you can review the configuration files of tomcat and httpd or even run it.

You can read, if you want, all the discussion in the Tomcat mailing list at http://mail-archives.apache.org/mod_mbox/tomcat-users/201507.mbox/browser

Thank you so much for your support.