Dear colleagues, I'm chasing a strange problem with Tomcat + SSL + APR + Firefox.
Namely, the setup works perfectly (i.e. the client certificate is sent and the servlet application can get it). But if I allow the SSL connection to time out (it happens 1 minute after the last request), the servlet application does not get the client certificate anymore. The workaround is to clear Firefox cache (Tools - Clear Recent History - 1 hour, Active logins). After this, the application will work again until the next timeout. This problem does NOT occur if I use pure Java SSL config (no APR) or when I use browser other that Firefox. >From that you can imply that this might be a Firefox problem, but I'm not so sure. Firefox works perfectly with all other HTTPS sites and also pure Java SSL config works with Firefox. So obviously this problem occurs because Tomcat libnative fails to handle some peculiarities of Firefox SSL packets. Here is my exact setup: - Debian 5 (Lenny) - libapr1 1.2.12-5+lenny1 - openssl 0.9.8g-15+lenny6 - Tomcat 6.0.24 with tomcat-native-1.1.19 - server authentication certificates (newcert.pem, newkey-no-password.pem) - client authentication certificates (cas.crt and a personal certificate signed by that) - a simple servlet "ssltest" to get the client cert: writer.println(Arrays.deepToString((X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"))); - Firefox 3.6 The only change in server.xml is the connector conf: <Connector port="8443" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" SSLCertificateFile="${user.home}/newcert.pem" SSLCertificateKeyFile="${user.home}/newkey-no-password.pem" SSLVerifyClient="require" SSLVerifyDepth="2" SSLCACertificateFile="${user.home}/cas.crt" /> Now steps to reproduce: 1) go to https://localhost:8443/ssltest, it will show the client certificate 2) wait 1 minute 3) refresh browser - the application will not get the client certificate (request.getAttribute("javax.servlet.request.X509Certificate") returns null) I have traced the SSL packets using "ssltap -sxlp 8444 localhost:8443" It shows that 1 minute after the last request, there will be "Read EOF on Server socket". After that, the problem starts occuring. I have compared ssltap traces for Firefox and Safari. They look pretty similar. The only significant difference is that Safari seems to terminate the connection by sending SSL alert packet. In case of Firefox, it is the Tomcat server who sends the first SSL alert packet. I hope somebody can shed a light on that issue :) Best Regards, Albert --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org