
Rekha,

On 11/28/19 01:33, rekha...@dell.com wrote:
> Thanks for your prompt reply. Please find my response inline.

It seems you forgot to include any useful responses.

> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Wednesday, November 27, 2019 11:15 PM
> To: users@tomcat.apache.org
> Subject: Re: FW: tomcat creating new ssl session id for same session
> 
> Rekha,
> 
> On 11/27/19 05:15, rekha...@dell.com wrote:
>> I am using javax.servlet.request.ssl_session_id for session 
>> validation. But tomcat creating new ssl session id and user
>> session validation is failing.
> 
> How are you performing the validation?
> 
> Rekha MS: Ssl_session_id is used for validation.

Yes... HOW, exactly?

> What is the order-of-events that you are observing?
> 
> Rekha MS : Ssl_session_id is same for some requests and then it
> changes after some time.

That was clear from your original post. I'm asking for SPECIFICS. For
example, the TLS handshake establishes an ssl_session_id and the
next request seems to change the session id. Or maybe the session id
changes every 30 minutes? Or after you suspend the OS on the client
and come out of sleep?

Please give some details or nobody will be able to help you.

> What version of Tomcat, and what kind of <Connector> are you
> using?
> 
> Rekha MS: Tomcat 8.5.15, NIO connector (Http11NioProtocol to be
> specific)

That is a quite old version of Tomcat. Is there a reason you are using a
2.5-year-old version of Tomcat with published vulnerabilities and many,
many bug fixes?

Have you read the changelog? Perhaps there are interesting things in
there related to your issue.

Are you using OpenSSL or the pure-Java cryptographic provider?

>> Please let me know when tomcat creates new ssl session id and how
>> by mandate it to use same ssl session id for same user session
> 
> TLS session ids must change periodically when certain
> renegotiations occur. This is actually a security feature. I'm not
> sure it is possible to disable it entirely.
> 
> Rekha MS: what triggers these renegotiations?

If anything about the connection must change -- such as the server
requesting a client certificate -- a renegotiation occurs. The session
id is not required to change, but it may change.

The client or the server may request renegotiation at any time for any
reason. AFAIK, Tomcat does not request renegotiation unless a client
certificate is requested/required for authentication and the client
didn't volunteer one during the handshake.

-chris
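The reply above asks for the order of events (when the TLS session id changes relative to the application session) and explains that a change may be legitimate after a renegotiation. The filter below is an added diagnostic example, not code from this thread or from Tomcat: it reads the standard Servlet request attributes `javax.servlet.request.ssl_session_id` and `javax.servlet.request.cipher_suite` on Tomcat 8.5's javax.servlet API, remembers a fingerprint of the TLS session id in the HttpSession, and logs a line with the idle gap whenever it changes. The HttpSession attribute names `diag.*` and the `fingerprint` helper are assumptions chosen for this example. It logs only and never rejects a request.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Diagnostic-only filter (example code, not from the thread or from Tomcat).
 * For every HTTPS request that already has an HttpSession it compares the
 * TLS session id with the one last seen for that HttpSession and logs a line
 * when it differs, with the idle gap and the negotiated cipher suite.
 */
@WebFilter("/*")
public class TlsSessionChangeLogger implements Filter {

    private static final Logger LOG =
            Logger.getLogger(TlsSessionChangeLogger.class.getName());

    // Request attribute names defined by the Servlet specification.
    private static final String ATTR_SSL_ID = "javax.servlet.request.ssl_session_id";
    private static final String ATTR_CIPHER = "javax.servlet.request.cipher_suite";

    // HttpSession attribute names chosen for this example (hypothetical).
    private static final String SESS_TLS_FP = "diag.tlsSessionFingerprint";
    private static final String SESS_LAST_SEEN = "diag.tlsLastSeenMillis";

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            recordTlsSession((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    private void recordTlsSession(HttpServletRequest request) {
        Object sslId = request.getAttribute(ATTR_SSL_ID);
        HttpSession session = request.getSession(false);
        if (sslId == null || session == null) {
            return; // plain HTTP, or no application session yet: nothing to correlate
        }
        String tlsFp = fingerprint(sslId.toString());
        String httpFp = fingerprint(session.getId()); // never log the raw JSESSIONID
        long now = System.currentTimeMillis();
        Object previousFp = session.getAttribute(SESS_TLS_FP);
        Object previousSeen = session.getAttribute(SESS_LAST_SEEN);

        if (previousFp == null) {
            LOG.info(String.format("http-session=%s first TLS session fp=%s cipher=%s",
                    httpFp, tlsFp, request.getAttribute(ATTR_CIPHER)));
        } else if (!previousFp.equals(tlsFp)) {
            long idleSeconds = previousSeen instanceof Long
                    ? (now - (Long) previousSeen) / 1000 : -1;
            // This line answers "what is the order of events": when the TLS session
            // id changed, how long the session was idle before it did, and whether
            // the negotiated parameters changed with it.
            LOG.warning(String.format(
                    "http-session=%s TLS session changed old-fp=%s new-fp=%s "
                    + "idle-seconds=%d cipher=%s uri=%s",
                    httpFp, previousFp, tlsFp, idleSeconds,
                    request.getAttribute(ATTR_CIPHER), request.getRequestURI()));
        }
        session.setAttribute(SESS_TLS_FP, tlsFp);
        session.setAttribute(SESS_LAST_SEEN, now);
    }

    /** Log a short SHA-256 prefix rather than the raw session id. */
    private static String fingerprint(String id) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(id.getBytes(StandardCharsets.US_ASCII));
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < 6; i++) {
                sb.append(String.format("%02x", digest[i]));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }
}
```

Deploy it in the affected webapp for a test session and correlate the warning lines with the client's behaviour (idle periods, suspend/resume, client-certificate prompts). The filter deliberately logs rather than rejects: as the reply notes, a TLS session id may change legitimately on renegotiation, so the application session should be bound to the authenticated user rather than to the TLS session id.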
