I have tried what you mention. When SSL_Id is there, both
request.getAttribute("javax.servlet, ....."); and
request.getAttribute("SSL_SESSION_ID"); return a valid sslId, and in the same
way, if one is null then the other one is null too, so the behaviour is
consistent. About the header approach, it is always null; probably something in
rewrite is not set in header.

Well, everything is consistent; the question is if this consistency is ok or not.

Alex.

On Wed, 8 Jul 2015 at 14:27, André Warnier (<[email protected]>) wrote:

> Alex Soto wrote:
> > Hi, I have tried this approach; custom JkEnvVar are passed correctly. What I
> > don't know how to do is how to set an already JkEnvVar to a new JkEnvVar
> > (what you mention about "force"). I have tried with %{SSL_SESSION_ID} and $
> > but no luck (Don't know if it is because originally it was null or not).
>
> I think it is just
>
> JkEnvVar SSL_SESSION_ID "none"
>
> (where "none" is the default value, used if the Apache "environment variable"
> SSL_SESSION_ID was not set before you pass the request to Tomcat.)
> (The default value ensures that Tomcat always gets something, no matter what)
>
> Then in Tomcat you do request.getAttribute("SSL_SESSION_ID"), and if you find the value
> "none", it means that SSL_SESSION_ID was not set at the httpd level.
>
> Note: if that does not work, there is still another method that can be tried: setting a
> HTTP request header, before proxying to Tomcat. It would work like this:
>
> RewriteEngine On
> RewriteRule .* - [E=MY_SESSION_ID:%{SSL_SESSION_ID},NE]
> RequestHeader set JK-SSL-SESSION "%{MY_SESSION_ID}e"
>
> and then in Tomcat you would retrieve the HTTP header "JK-SSL-SESSION".
>
> > Alex.
> >
> > On Tue, 7 Jul 2015 at 23:05, André Warnier (<[email protected]>) wrote:
> >
> >> Alex Soto wrote:
> >>> yes it is set at httpd-ssl.config
> >>> https://github.com/lordofthejars/apache-tomee-ssl/blob/master/httpd-ssl.conf#L229
> >>> which I think that is where it should be set.
> >>> Everything too strange, but thanks anyway.
> >>
> >> Then, and until Rainer himself jumps in, let me ask you if it would be possible to make
> >> one more test. As far as I understand, this is not the way it /should/ work, but it may be
> >> a way to find out what doesn't work, inasmuch as there is really a problem:
> >>
> >> Somewhere in that same page, there is a way by which you can "force" a value to be passed
> >> on to Tomcat as a request attribute (via JkEnvVar "name" "default-value").
> >> Can you try to pass the SSL session-id in that way, and obtain it in Tomcat via
> >> request.getAttribute("name"), instead of the standard request.ssl_session ?
> >> And check if /then/, you get it all the time ?
> >>
> >> Again, this is probably not the way in which this should work. But Tomcat is open-source
> >> and free software, and its development and debugging benefit from the help of any
> >> benevolent user, particularly if that user is interested in solving a particular problem
> >> that he is having.
> >>
> >>> On Tue, 7 Jul 2015 at 19:17, André Warnier (<[email protected]>) wrote:
> >>>
> >>>> Alex Soto wrote:
> >>>>> Thank you so much but it is already set.
> >>>>> https://github.com/lordofthejars/apache-tomee-ssl/blob/master/httpd.conf#L171
> >>>>> This is so strange.
> >>>>
> >>>> But there is also this phrase: "In order to make SSL data available for mod_jk in Apache,
> >>>> you need to set SSLOptions +StdEnvVars."
> >>>>
> >>>> Honestly, I have never tried this, and I am not an SSL specialist at all, and the phrase
> >>>> above is a bit ambiguous. But it seems worth a try, and I do not see it in your
> >>>> configuration.
> >>>>
> >>>>> On Tue, 7 Jul 2015 at 12:25, André Warnier (<[email protected]>) wrote:
> >>>>>
> >>>>>> Mark Thomas wrote:
> >>>>>>> On 07/07/2015 09:28, Alex Soto wrote:
> >>>>>>>> Hi Mark, SSL Session ID is not passed to Tomcat. You can see the logs here
> >>>>>>>> https://gist.github.com/lordofthejars/226d8ed605f2a58b52f3 (I have created
> >>>>>>>> a gist to not add here a lot of lines).
> >>>>>>>>
> >>>>>>>> Now the question is: does it happen because of mod_jk or because of Apache?
> >>>>>>>>
> >>>>>>>> Alex.
> >>>>>>>
> >>>>>>> OK. You've reached the limits of my comfort zone. You need someone more
> >>>>>>> familiar with the httpd side of things at this point. Rainer?
> >>>>>>>
> >>>>>>> Mark
> >>>>>>
> >>>>>> Not Rainer, but maybe this helps:
> >>>>>> http://tomcat.apache.org/connectors-doc/reference/apache.html
> >>>>>> Look for "JkExtractSSL".
> >>>>>>
> >>>>>>>> On Mon, 6 Jul 2015 at 12:48, Mark Thomas (<[email protected]>) wrote:
> >>>>>>>>
> >>>>>>>>> On 06/07/2015 10:48, Alex Soto wrote:
> >>>>>>>>>> Hello, I have seen a strange behaviour in Apache HTTPD (2.4) and TomEE (in
> >>>>>>>>>> fact it is a Tomcat (7.0.61) so it is exactly the same for Tomcat) when I
> >>>>>>>>>> configure Apache server with SSL and mod_jk.
> >>>>>>>>>> In fact I am not sure where the problem is, if in mod_jk, in Apache
> >>>>>>>>>> Server or in Tomcat, but I suspect that maybe the problem is in the mod_jk
> >>>>>>>>>> configuration.
> >>>>>>>>>>
> >>>>>>>>>> I am configuring the typical Apache as frontend and TomEE (Tomcat) as
> >>>>>>>>>> backend solution. Currently Apache is configured with SSL and with mod_jk
> >>>>>>>>>> it connects to TomEE using AJP. This works perfectly. The problem is that
> >>>>>>>>>> inside my code I need to get the ssl session id:
> >>>>>>>>>>
> >>>>>>>>>> String ssl = (String)servletRequest.getAttribute("javax.servlet.request.ssl_session_id");
> >>>>>>>>>>
> >>>>>>>>>> I don't know why but sometimes this attribute is null and sometimes not. It
> >>>>>>>>>> may return a null at first, then stay like 10 requests working and then stop
> >>>>>>>>>> working again during some requests and the get attribute returns null.
> >>>>>>>>>>
> >>>>>>>>>> It seems that everything is configured correctly since it sometimes works.
> >>>>>>>>>> Have you ever found something similar or know what can be happening? Do
> >>>>>>>>>> you think that maybe the problem is on the client (browser) side?
> >>>>>>>>>>
> >>>>>>>>>> Everything is dockerized here:
> >>>>>>>>>> https://github.com/lordofthejars/apache-tomee-ssl so you can review
> >>>>>>>>>> configuration files of tomcat and apache or even run it.
> >>>>>>>>>>
> >>>>>>>>>> Thank you so much for your support.
> >>>>>>>>>
> >>>>>>>>> Try turning on debug logging for mod_jk. It will generate lots of data
> >>>>>>>>> so just do it long enough to see the problem. When you look at the logs
> >>>>>>>>> you should be able to see if the SSL Session ID is being passed to
> >>>>>>>>> Tomcat or not.
> >>>>>>>>>
> >>>>>>>>> Mark
> >>>>>>>>>
> >>>>>>>>> ---------------------------------------------------------------------
> >>>>>>>>> To unsubscribe, e-mail: [email protected]
> >>>>>>>>> For additional commands, e-mail: [email protected]
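
The three retrieval paths tried in this thread (the standard servlet attribute, the `JkEnvVar SSL_SESSION_ID "none"` attribute, and the `JK-SSL-SESSION` header) can be compared per request with a small probe. This is an added example, not code from any poster or from the Tomcat project; the class name, method names and sample values are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.function.Function;

// Added example: class, method and sample values are hypothetical, not from the thread.
public class SslSessionIdProbe {
    static final String STANDARD_ATTR = "javax.servlet.request.ssl_session_id";
    static final String JK_ENV_ATTR = "SSL_SESSION_ID"; // JkEnvVar SSL_SESSION_ID "none"
    static final String JK_HEADER = "JK-SSL-SESSION";   // RequestHeader set JK-SSL-SESSION ...

    // Null, empty, the JkEnvVar default "none" and the "(null)" text that
    // mod_headers emits for an unset %{VAR}e all mean "httpd had no session ID".
    static String clean(Object raw) {
        if (raw == null) return null;
        String s = raw.toString().trim();
        return (s.isEmpty() || s.equals("none") || s.equals("(null)")) ? null : s;
    }

    // Log only a prefix: a full TLS session ID does not belong in application logs.
    static String show(String id) {
        if (id == null) return "absent";
        return id.substring(0, Math.min(8, id.length())) + "...";
    }

    // One log line per request, to correlate with the mod_jk debug log.
    static String report(Function<String, Object> attribute, Function<String, String> header) {
        String std = clean(attribute.apply(STANDARD_ATTR));
        String env = clean(attribute.apply(JK_ENV_ATTR));
        String hdr = clean(header.apply(JK_HEADER));
        return "standard=" + show(std) + " jkEnvVar=" + show(env) + " header=" + show(hdr)
                + " attributesAgree=" + Objects.equals(std, env);
    }

    public static void main(String[] args) {
        Map<String, Object> attrs = new HashMap<>();   // constructed request attributes
        Map<String, String> headers = new HashMap<>(); // constructed request headers

        attrs.put(JK_ENV_ATTR, "none");                // httpd passed only the default
        System.out.println(report(attrs::get, headers::get));

        String id = "0123456789ABCDEF0123456789ABCDEF"; // constructed session ID
        attrs.put(STANDARD_ATTR, id);
        attrs.put(JK_ENV_ATTR, id);
        headers.put(JK_HEADER, "(null)");              // header set from an unset variable
        System.out.println(report(attrs::get, headers::get));
    }
}
```

In a servlet or filter the same method can be called as `SslSessionIdProbe.report(request::getAttribute, request::getHeader)`.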
