On 13/02/2013 18:49, Will Nordmeyer wrote:
> I have a scenario right now I need help with.
>
> My Tomcat is configured for SSL, client certificate authorization and
> Certificate Revocation List checking (all outside certificates).
>
> We have a scenario (we've found in testing) where we do a transaction
> in our application, then the user pulls his smart card out (client
> certificate) and a new user comes up and puts his card in. Tomcat
> isn't recognizing that a new certificate is in place and is allowing
> the new user, with the new certificate, to transact without validating
> his credentials.
>
> It appears as if the old session is still being utilized by the client
> (Windows or Unix, Firefox or IE) and Tomcat. Which seems very odd.
>
> I would have expected the new cert would have forced a new SSL session
> to be created and Tomcat to puke at an attempt to submit a transaction
> on the old session.
>
> Any thoughts/advice/guidance?
Use Wireshark. If you provide it with your server's private key (should be
doable in a test environment) you'll be able to see exactly what is (or
isn't) going on.

Mark