For our project we have integrated an electronical identity card( eID)
authentication. This card contains a certificate that is used to establish
an ssl two ways connection with our apache 2.0.54. This certificate is
validated by an OCSP server.
When ssl connections is established, user's certificate is forwarded to a
J2EE application server (weblogic) which create it's own security context
throug a JAAS LoginModule.
Our problem is that we have to (we don't have the choice) unloged user when
ssl session has expired.
So my problem is to notify weblogic that ssl session has expired.
My first idea was to save SSL_SESSION_ID in my J2EE Principal and then
compare this id with the current ssl session id of the request.
So if the current id is different than the id obtained during the
authentication process then the user is unloged.
However, it seems that when I configure a virtualhost in ssl one
ways(SSLVerifyClient none) with a per-directory ssl two ways, sometimes my
ssl session is renewed and
my ssl session id is different. If I configure two-ways at virtualhost level
this doesn't happen.
Is there a problem for apache to maintains ssl session if we change the ssl
I read on an older post that we can't rely on SSL_SESSION_ID to know if ssl
has expired but I don't see any other way to notify my application server.
Any suggestion?

Here is my ssl.conf.For information I have specific application apart from
the main application which is responsible of the authentication.

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLSessionCache shmcb:logs/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLMutex file:/home/apache-2.0.54/logs/ssl_mutex
SLRandomSeed startup builtin

ServerName host
ServerAlias host
DocumentRoot "/home/apache-2.0.54/htdocs"
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
# Server Certificate:
# Server Private Key:
SSLOptions +StrictRequire +StdEnvVars +ExportCertData
RequestHeader add SSL_SESSION_ID "%{SSL_SESSION_ID}e"
SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown
SSLVerifyClient none
#Application that does the authentication

SetHandler weblogic-handler
WebLogicCluster host:7001

#main application that needs authentication

SetHandler weblogic-handler
WebLogicCluster host:7001

#Two-ways connection is only established when calling this struts action

SSLVerifyClient require
RequestHeader add WL-Proxy-SSL "true"
RequestHeader add SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}e"
Allow from all

__________________________________________________ ____________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org