Alex Soto wrote:
Hi I have tried this approach custom JkEnvVar are pass correctly, what I
don't know how to do is how to set an already JkEnvVar to a new JkEnvVar
(what you mention about "force)) I have tried with %{SSL_SESSION_ID} and $
but no luck (Don't know if it is because originally it was null or not).
I think it is just
JkEnvVar SSL_SESSION_ID "none"
(where "none" is the default value, used if the Apache "environment variable"
SSL_SESSION_ID was not set before you pass the request to Tomcat.)
(The default value insures that Tomcat always gets something, no matter what)
Then in Tomcat you do request.getAttribute("SSL_SESSION_ID") , and if you find the value
"none", it means that SSL_SESSION_ID was not set at the httpd level.
Note: if that does not work, there is still another method that can be tried : setting a
HTTP request header, before proxying to Tomcat. It would work like this :
RewriteEngine On
RewriteRule .* - [E=MY_SESSION_ID:%{SSL_SESSION_ID},NE]
RequestHeader set JK-SSL-SESSION "%{MY_SESSION_ID}e"
and then in Tomcat you would retrieve the HTTP header "JK-SSL-SESSION".
Alex.
El dt., 7 jul. 2015 a les 23:05, André Warnier (<a...@ice-sa.com>) va
escriure:
Alex Soto wrote:
yes it is set at httpd-ssl.config
https://github.com/lordofthejars/apache-tomee-ssl/blob/master/httpd-ssl.conf#L229
which I think that is where it should be set.
Everything too strange, but thanks anyway.
Then, and until Rainer himself jumps in, let me ask you if it would be
possible to make
one more test. As far as I understand, this is not the way it /should/
work, but it may be
a way to find out what doesn't work, inasmuch as there is really a problem
:
Somewhere in that same page, there is a way by which you can "force" a
value to be passed
on to Tomcat as a request attribute (via JkEnvVar "name" "default-value")..
Can you try to pass the SSL session-id in that way, and obtain it in
Tomcat via
request.getAttribute("name"), instead of the standard request.ssl_session ?
And check if /then/, you get it all the time ?
Again, this is probably not the way in which this should work. But Tomcat
is open-source
and free software, and its development and debugging benefit from the help
of any
benevolent user, particularly if that user is interested in solving a
particular problem
that he is having.
El dt., 7 jul. 2015 a les 19:17, André Warnier (<a...@ice-sa.com>) va
escriure:
Alex Soto wrote:
Thank you so much but it is already set.
https://github.com/lordofthejars/apache-tomee-ssl/blob/master/httpd.conf#L171
This is so strange.
But there is also this phrase : "In order to make SSL data available for
mod_jk in Apache,
you need to set SSLOptions +StdEnvVars."
Honestly, I have never tried this, and I am not an SSL specialist at
all,
and the phrase
above is a bit ambiguous. But it seems worth a try, and I do not see it
in your
configuration.
El dt., 7 jul. 2015 a les 12:25, André Warnier (<a...@ice-sa.com>) va
escriure:
Mark Thomas wrote:
On 07/07/2015 09:28, Alex Soto wrote:
Hi Mark, SSL Session ID is not passed to Tomcat. You can see the
logs
here
https://gist.github.com/lordofthejars/226d8ed605f2a58b52f3 (I have
created
a gist to not add here a lot of lines).
Now the question is is it happens because of mod_jk or because of
Apache?
Alex.
OK. You've reached the limits of my conform zone. You need someone
more
familiar with the httpd side of things at this point. Rainer?
Mark
Not Rainer, but maybe this helps :
http://tomcat.apache.org/connectors-doc/reference/apache.html
Look for "JkExtractSSL".
El dl., 6 jul. 2015 a les 12:48, Mark Thomas (<ma...@apache.org>)
va
escriure:
On 06/07/2015 10:48, Alex Soto wrote:
Hello I have seen a strange behaviour in Apache HTTPD (2.4) and
TomEE
(in
fact it is a Tomcat (7.0.61) so it is exactly the same for Tomcat)
when I
configure Apache server with SSL and mod_jk.
In fact I am not sure where it is the problem if in mod_jk, in
Apache
Server or in Tomcat, but I suspect that maybe the problem is on
mod_jk
configuration.
I am configuring the typical Apache as frontend and TomEE(Tomcat)
as
backend solution. Currently Apache is configured with SSL and with
mod_jk
it connects to TomEE using AJP. This works perfectly. The problem
is
that
inside my code I need to get the ssl session id:
String ssl =
(String)servletRequest.getAttribute("javax.servlet.request.ssl_session_id");
I don't know why but sometimes this attribute is null and
sometimes
not.
It
may return a null at first then stay like 10 requests working and
then
stop
working again during some requests and the get attribute returns
null.
It seems that everything is configured correctly since sometimes
works.
Have you ever found something similar or knows what it can be
happening?
Do
you think that maybe the problem is on client (browser) side?
Everything is dockerized here:
https://github.com/lordofthejars/apache-tomee-ssl so you can
review
configuration files of tomcat and apache or even run it.
Thank you so much for your support.
Try turning on debug logging for mod_jk. It will generate lots of
data
so just do it long enough to see the problem. When you look at the
logs
you should be able to see if the SSL Session ID is being passed to
Tomcat or not.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
