Posted to users@tomcat.apache.org by i_am <te...@yahoo.com> on 2009/04/29 00:03:45 UTC

RE: Force getting Client Cert from browser

Thanks Charles.
OK, getting back to it after a looong break...

I looked at the SSL traces and it looks like the client is sending the server an Alert
(21) Warning (close notify), but the server (Tomcat) seems to ignore it!
Is there a way (config) to force Tomcat to renegotiate?
I even tried to invoke the Tomcat action code ACTION_REQ_SSL_CERTIFICATE, which
I thought should force renegotiation, but it still does not.
I still see the same behavior where Tomcat just uses the cached certificate!!!

Versions : Tomcat 5.5.27 with Java 1.6.0_11 on SLES10.

Any help is appreciated...

Thanks




Caldarale, Charles R wrote:
> 
>> From: atul [mailto:techatool@yahoo.com]
>> Subject: Re: Force getting Client Cert from browser
>>
>> I tried invalidating the httpsession but that didn't work.
> 
> I'm a bit surprised at that, but I haven't gone through the code enough to
> figure out why that didn't work.  There's a tangentially related thread
> here:
> http://marc.info/?l=tomcat-user&m=120092922008604&w=2
> 
>> Also, in a deployment where if a machine is shared by
>> multiple users and user1 forgets to close the browser before
>> leaving, the user can log right in as user1.
> 
> A problem in any environment that has shared access points, not unique to
> using certificates for client authentication.
> 
>  - Chuck
> 
> 
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete the e-mail
> and its attachments from all computers.
> 
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Force-getting-Client-Cert-from-browser-tp20155194p23286972.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Force getting Client Cert from browser

Posted by Bill Barker <wb...@wilshire.com>.
"i_am" <te...@yahoo.com> wrote in message 
news:23286972.post@talk.nabble.com...
>
> Thanks Charles.
> Ok getting back to it after a looong break...
>
> I looked at the SSL traces and it looks like the client is sending the server an
> Alert (21) Warning (close notify), but the server (Tomcat) seems to ignore it!
> Is there a way (config) to force Tomcat to renegotiate?

Nope. Tomcat relies on the underlying JVM implementation for secure sockets 
for the most part.

> I even tried to invoke the Tomcat action code ACTION_REQ_SSL_CERTIFICATE, which
> I thought should force renegotiation, but it still does not.

As you have found out, this will only force renegotiation if the client cert 
is missing.  Anyway, most browsers treat CLIENT-CERT like BASIC and just 
resend the credentials.

> I still see the same behavior where Tomcat just uses the cached certificate!!!
>
> Versions : Tomcat 5.5.27 with Java 1.6.0_11 on SLES10.
>
> Any help is appreciated...
>
> Thanks




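Bill's point is that the server cannot make the browser forget a cached client certificate: once the browser has picked one, it resends it on the next handshake the way it resends BASIC credentials. What the application can still control is the session it builds on top of that certificate. The servlet filter below is an added example written for this thread (it is not code from Tomcat or from either poster). It binds each HTTP session to the issuer/serial of the certificate the container exposes under the standard request attribute javax.servlet.request.X509Certificate, and invalidates the session if a later request on the same session cookie arrives with a different certificate. The session attribute name and the class name are my own choices, not Tomcat identifiers.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Ties an HTTP session to the client certificate that created it.
 * Does not (and cannot) force the browser to renegotiate; it only refuses to
 * let a session cookie outlive a change of TLS identity.
 */
public class ClientCertSessionBindingFilter implements Filter {

    // Standard servlet attribute under which the container exposes the client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Hypothetical session attribute chosen for this example (not a Tomcat name).
    private static final String BOUND_CERT_KEY = "example.boundClientCert";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        X509Certificate[] chainFromTls =
                (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (chainFromTls == null || chainFromTls.length == 0) {
            // No certificate on this request: either the connector did not ask
            // for one (clientAuth="false") or the handshake supplied none.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String presented = identity(chainFromTls[0]);

        HttpSession session = request.getSession(true);
        String bound = (String) session.getAttribute(BOUND_CERT_KEY);
        if (bound == null) {
            // First request on this session: remember who created it.
            session.setAttribute(BOUND_CERT_KEY, presented);
        } else if (!bound.equals(presented)) {
            // Same session cookie, different TLS identity: drop the session
            // instead of letting the new certificate inherit it.
            session.invalidate();
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Issuer DN plus serial number uniquely identifies a certificate within a PKI. */
    static String identity(X509Certificate cert) {
        return cert.getIssuerX500Principal().getName()
                + "|" + cert.getSerialNumber().toString(16);
    }
}
```

Map the filter to the protected paths in web.xml. For the shared-machine case raised earlier in the thread, this filter changes nothing when the same certificate is resent; the only server-side levers there are a short session-timeout in web.xml and an explicit session.invalidate() on logout, since the certificate cache lives in the browser.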