Reported as Bug 58244 - two way SSL loses client certificate after a few requests
https://bz.apache.org/bugzilla/show_bug.cgi?id=58244

David Balažic

> -----Original Message-----
> From: David Balažic
> Sent: 7. August 2015 17:38
> To: users@tomcat.apache.org
> Subject: Firefox SSL with APR - losing client certificate
> Importance: Low
>
> Hi!
>
> I use tomcat 6.0.44 with APR on Windows x64.
> I set up SSLVerifyClient="optional" and since then encounter the following
> problem with Firefox 39.0.03 (IE works OK):
>
> On first access Firefox shows the client certificate selection dialog. I
> select a certificate and continue. The web application "sees" the selected
> certificate and shows a proper response page.
> But on next access (I click a link) the client certificate is not visible to
> the application any more. It gets null from the method call
> HttpServletRequest.getAttribute("javax.servlet.request.X509Certificate")
>
> Google found https://bz.apache.org/bugzilla/show_bug.cgi?id=37869
> (similar)
> And http://grokbase.com/t/tomcat/users/102pdv412y " [Tomcat-users]
> Client certificate gone after 1 minute timeout (SSL, APR)"
> (even more similar, except for me it fails on next access without a minute of
> waiting)
> As suggested in the second link, clearing cache and authentication in the
> browser is a workaround that works. Kind of as one has to select the
> certificate again and do it before every click on a link.
>
> Strange, just now it worked fine for a few minutes.
>
> Is this some known issue?
>
> Without APR, using JSSE, it works fine (and did so for years).
>
> This started after upgrading yesterday tomcat from 6.0.35_x64 (no APR) to
> apache-tomcat-6.0.44-windows-x64.zip (with or without APR).
> I start tomcat from Eclipse, using JRE 1.6.0_45 (each 64 bit version).
>
> Firefox version 39.0, today updated to 39.0.3
>
> The Connector line from server.xml:
>
> <Connector SSLCACertificateFile="C:/CA_list.pem"
> SSLCertificateFile="C:/key_public.pem"
> SSLCertificateKeyFile="C:/key_private.pem"
> SSLEnabled="true" SSLPassword="changeit"
> SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
> SSLVerifyClient="optional" URIEncoding="UTF-8" maxThreads="150"
> port="8443"
> protocol="org.apache.coyote.http11.Http11AprProtocol"
> scheme="https"
> secure="true" />
>
>
> Regards,
> David Balažic
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
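
The symptom described in the message above (the `javax.servlet.request.X509Certificate` attribute returning null on a later request) can be recorded server-side with a servlet filter that logs, per request, whether a client certificate is present and which connection and TLS session the request arrived on. This is an added example, not code from the original message or from Tomcat; the class name `ClientCertProbeFilter` is hypothetical, and the session attribute name `javax.servlet.request.ssl_session` is assumed to be the one this Tomcat 6 connector populates.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

// Hypothetical diagnostic filter (Servlet 2.5 / Java 6 compatible).
// It only logs; it makes no authentication decision.
public class ClientCertProbeFilter implements Filter {
    private static final Logger LOG =
            Logger.getLogger(ClientCertProbeFilter.class.getName());

    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Assumption: attribute name for the TLS session id on Tomcat 6.
    static final String SESSION_ATTR = "javax.servlet.request.ssl_session";

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    // Null, a wrong type and an empty chain all mean "no certificate visible".
    static String describe(Object attr) {
        if (!(attr instanceof X509Certificate[])) return "none";
        X509Certificate[] chain = (X509Certificate[]) attr;
        if (chain.length == 0) return "none";
        return chain[0].getSubjectX500Principal().getName()
                + " (chain length " + chain.length + ")";
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req.isSecure() && req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            // The remote port changes when the browser opens a new TCP
            // connection, so it separates keep-alive reuse from reconnects.
            LOG.info("uri=" + http.getRequestURI()
                    + " peer=" + req.getRemoteAddr() + ":" + req.getRemotePort()
                    + " tlsSession=" + req.getAttribute(SESSION_ATTR)
                    + " clientCert=" + describe(req.getAttribute(CERT_ATTR)));
        }
        chain.doFilter(req, res);
    }
}
```

Mapped to `/*` in `web.xml`, the log shows whether `clientCert=none` coincides with a new peer port or a changed TLS session id, which is the detail a bug report on this behaviour needs.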