I have a servlet which performs some operations with the certificate used for SSL client authentication. My environment is Apache v1.3.27 forwarding requests to Tomcat v4.0.3 through mod_jk-3.3-ap13.
Under normal use it works fine, but under heavy load it seems to be mixing the client authentication certificates. By "mixing", I mean setting the same certificate for 3/4 requests.
My doPost() method looks like this:
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Client certificate chain for this request; element 0 is the client's own certificate.
        X509Certificate cert =
            ((X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"))[0];
        log("Titular of certificate with SerialNumber " + cert.getSerialNumber()
            + " issued by " + cert.getIssuerDN().getName()
            + " to " + cert.getSubjectDN().getName() + " is accessing...");
        ...
As you can see, the cert variable is locally scoped to the method (not instance scoped, which could lead to mixes), so there's no way for the certificates to be mixed in my servlet. Therefore, my bet is that mod_ssl or mod_jk has a concurrency problem.
Under heavy load, I can see in the log files several consecutive entries for the same certificate, and I can almost assure you they are not made by the same user.
Has anyone ever experienced the same problem?
Thanks for any help you can provide.
Regards,
Nuno Ponte
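
Added example (not part of the original post): a log check that turns the "consecutive entries for the same certificate" observation into evidence. It assumes the servlet's log line is extended with the SSL session ID and client address; the log format, field names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption, not the poster's actual log):
#   <epoch-seconds> sid=<SSL session id> ip=<client address> serial=<cert serial>
LINE_RE = re.compile(
    r"^(?P<ts>\d+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) serial=(?P<serial>\S+)$")

# Constructed sample: serial 1001 is wrongly attached to sessions BB22 and CC33.
SAMPLE_LOG = """\
1000 sid=AA11 ip=10.0.0.5 serial=1001
1000 sid=BB22 ip=10.0.0.9 serial=1001
1001 sid=CC33 ip=10.0.0.7 serial=1001
1002 sid=BB22 ip=10.0.0.9 serial=2002
1003 sid=CC33 ip=10.0.0.7 serial=3003
1004 sid=AA11 ip=10.0.0.5 serial=1001
"""

def parse(log_text):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = int(rec["ts"])
            yield rec

def find_session_conflicts(records):
    """An SSL session normally carries one client certificate, so a session
    ID logged with several serials points at a mis-attributed request."""
    serials = defaultdict(set)
    for r in records:
        serials[r["sid"]].add(r["serial"])
    return {sid: sorted(s) for sid, s in serials.items() if len(s) > 1}

def find_shared_bursts(records, window=2):
    """Serials reported from more than one client address within `window`
    seconds. A heuristic: shared proxies or NAT can change what is seen."""
    events = defaultdict(list)
    for r in records:
        events[r["serial"]].append((r["ts"], r["ip"]))
    flagged = {}
    for serial, evs in events.items():
        evs.sort()
        for i, (ts, _) in enumerate(evs):
            ips = {ip for t, ip in evs[i:] if t - ts <= window}
            if len(ips) > 1:
                flagged[serial] = sorted(ips)
                break
    return flagged
```

A session conflict is the stronger signal of the two, since it does not depend on timing or on how clients are addressed.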