On 2011/09/07 09:38 PDT, praspa wrote: > > I'm trying to make two separate HTTPS requests to a remote host using two > client sockets and two different client certificates respectively (client > cert A and B). [...]
> From my host, I'm able to make two connections on two different sockets to > the remote host. I'm able to receive a 200 OK back from the remote web > server for both individual connections. > > My problem is that client certificate 'A' is being used for both connections > 'A' and 'B'. [...] > I placed a line in my implemented > SSLClientCertificateSelectionCallback select() function to indicate when the > call back is executed. The select() method is only ever called once during > the creation of the first SSLSocket (selecting Client Cert 'A') and never on > future SSLSocket instantiations when Client Cert B is specified. In fact, I > have to restart my app for select() to be run again. > > Is there a way I can trigger the native callback code to run select() when a > certificate is requested by the remote server? The callback method *IS* called every time a cert is requested by the remote server. The problem, in your case, is that the server is only requesting the certificate once. This is because each time the client establishes a connection to the server, it looks to see if it has previously negotiated a shared "master" secret with the server, and if so, it tells the server "Let's reuse this old secret." If the server agrees, then it does not request the certificate again, because the server has kept a copy of the certificate associated with the master secret. The only solution available through JSS (IINM) is to disable the JSS client session cache. NSS (the underlying native library) also offers another method which allows multiple client session caches, and allows each socket to be associated with a particular session cache. With this method, one may have as many "users" (client identities) as sockets, if desired. Unfortunately, JSS offers no interface by which to use that feature. So, The only method remaining for use by JSS is to disable the client cache completely. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
