We have an application running on Tomcat 6.0.32 and using JSSE (Java 1.6.0_26) for cryptographic communication (HTTPS). Recently, we've being testing with the APR connector and OpenSSL.
How can we verify that the SSL sessions are being cached/reused or generated on every connection when using APR? Does APR writes SSL-related information to some log file?
When using JSSE we can see SSL handshake and session information in the tomcat log file (catalina.out) by passing -Djavax.net.debug=all -Djavax.net.ssl=ssl.handshake to the JVM. These flags don't work when using APR though.
Command:
$ openssl s_client -reconnect -state -debug
shall give you some information as of OpenSSL session caching.
It would be nice if you could post the OpenSSL version your server is running. Concerning session caching, there are well known vulnerabilities in some releases.
Regards.