We have a problem with RESTfull service running on Tomcat + APR/native. Server requires client authentication by certificate. The problem appears only if client supports TLS with session tickets (RFC 5077).
Here is what happens: when client performs initial handshake (full handshake) req.getAttribute("javax.servlet.request.X509Certificate")
returns a valid certificate. Service looks up certificate in database and processes request if and only if an account identified by the certificate has sufficient amount of money.
During initial full handshake server transmits a SessionTicket towards client.
When client performs second request it transmits a SessionTicket towards server. Having a SessionTicket server does not make a CertificateRequest, so client doesn't transmit its Certificate. req.getAttribute("javax.servlet.request.X509Certificate")
returns null.
The question is: what is the best practice to identify the client by its certificate (mutual TLS authentication)? Is there any way to inject some information into SessionTicket during initial full handshake and extract it during resumed handshake?
UPD1. Available request attributes during full handshake:
javax.servlet.request.ssl_session=219FE...
javax.servlet.request.ssl_session_id=219FE...
javax.servlet.request.key_size=256
javax.servlet.request.X509Certificate=[Ljava.security.cert.X509Certificate;@2a0ad546
javax.servlet.request.cipher_suite=DHE-RSA-AES256-SHA
Available request attributes during resumed TLS handshake:
javax.servlet.request.key_size=256
javax.servlet.request.cipher_suite=AES256-SHA