Hello.

I am a member of the sysadmin team at a large government institution and we're stuck with an uncommon problem regarding secure connection handling in Apache. I would be very grateful if you could spend a few minutes to hear me out. Our applications use apache+mod_ssl as a front-end for the Weblogic cluster and the users authenticate themselves with a certificate stored on a smartcard. The problem is that once the user logs out from the application, we must immediately close the SSL connection and also remove the connection data from Apache's internal cache to prevent SSL connection resume without re-authentication. I understand that this is a dire violation of best practices and Apache architecture to create such a hack but unfortunately the alternative solutions are already exhausted. We cannot control the user software or browser choice, which would be the place for a normal solution. Also the user populace is large (10k+) and varied so user education on how to properly treat a smartcard is limited at best.

I believe I have researched the Apache configuration options extensively and I haven't found a clue how to do it. I cannot disable the session cache because that would force users to constantly type in their certificate PIN code for reauthentication, and the same goes for playing with the SSLSessionCacheTimeout.

So far I've learned that I should call

    void ssl_scache_remove(server_rec *s, UCHAR *id, int idlen)

in the mod_ssl code somehow, but I don't know how or when. Extension modules like mod_python etc. won't allow me to, so a direct hack of the Apache code is required. The applications can direct the user to a fixed URL on logout, so perhaps a handler that would invalidate and clean up the user's SSL session after that request has been processed?

The whole thing obviously seems impractical at best, but I'm unfortunately under pressure from management to find, or outline the cost for, a solution. A few words about whether I'm even on the correct path here or have missed a much better way of achieving the desired result would be greatly appreciated.

Sincerely yours,
Tanel Unt
System Administrator
Estonian Tax and Customs Board