William A. Rowe, Jr. wrote:
> Mark Thomas wrote:
>> Folks,
>>
>> I have been looking at bug 46950 [1]. Everything is fine with the BIO
>> connector but with APR the renegotiation fails to trigger a request for
>> the user's certificate. I assume that this is because the socket is
>> still associated with an SSLContext where the SSLVerifyClient is
>> something other than "require".
>>
>> I can't see any obvious ways to fix this without either modifying the
>> native code or adding a new method to the native interface. Can anyone
>> see differently? Any pointers to a pure Java solution would be great.
> 
> I'd expect this to be solved in tcnative, at least exposing the correct
> hooks.  It's non-trivial; you might have a look at how mod_ssl handles
> renegotiation.

I meant to add...

tcnative or otherwise, it's critical to exhaust the client's transmission
prior to initiating the renegotiation sequence.  Often this means slurping
the entire contents of the POST body prior to negotiating the client cert.
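
The ordering described above, as an added example that is not part of the original thread and is not Tomcat or tcnative code: read and save the whole request body, with a size cap, and only then start the renegotiation. The `Renegotiator` hook, the `maxSave` limit and the sample body are assumptions made for illustration, and the body length is assumed to be known up front.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

public class DrainBeforeRenegotiate {

    /** Hypothetical hook standing in for whatever call starts the TLS renegotiation. */
    interface Renegotiator { void renegotiate() throws IOException; }

    /**
     * Reads the remaining request body (contentLength bytes) into memory so no
     * application data is in flight, then triggers renegotiation. Fails closed
     * if the length is unknown or above maxSave, so a large upload cannot
     * exhaust the heap while it is being held for replay.
     */
    static byte[] drainThenRenegotiate(InputStream body, long contentLength,
                                       int maxSave, Renegotiator r) throws IOException {
        if (contentLength < 0 || contentLength > maxSave) {
            throw new IOException("body length " + contentLength + " not within save limit " + maxSave);
        }
        ByteArrayOutputStream saved = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        long remaining = contentLength;
        while (remaining > 0) {
            int n = body.read(buf, 0, (int) Math.min(buf.length, remaining));
            if (n < 0) {
                throw new IOException("client closed with " + remaining + " body bytes missing");
            }
            saved.write(buf, 0, n);
            remaining -= n;
        }
        r.renegotiate();            // only now is the client's transmission exhausted
        return saved.toByteArray(); // handed back to the application afterwards
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a small form POST body.
        byte[] post = "user=alice&action=transfer".getBytes(StandardCharsets.UTF_8);
        byte[] saved = drainThenRenegotiate(new ByteArrayInputStream(post), post.length, 8192,
                () -> System.out.println("body drained, requesting client certificate"));
        System.out.println("saved " + saved.length + " bytes for replay");
        try {
            drainThenRenegotiate(new ByteArrayInputStream(post), post.length, 8,
                    () -> { throw new IllegalStateException("must not renegotiate"); });
        } catch (IOException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```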
