On Wed, Jul 02, 2003 at 02:31:26PM +1200, Jason Haar wrote:
> I've seen it all before. The problem with HTTPS+"client auth" is that
> clients don't know which page is going to require a client cert - so they
> default to making a standard HTTPS call first, get the SSL-error back saying
> they need to send a cert - then make the connection again with the cert -

On first reading, I thought you were saying this: A browser makes an SSL connection to a server, makes an HTTP request over that connection, gets an SSL client-cert request, goes huh?, breaks off the SSL connection, then retries.

But this doesn't sound right, since the SSL client cert exchange happens at a protocol layer lower than HTTP(S), and should be transparent to it.

My (to-be-released) ZServerSSL for Zope with client cert authentication does not seem to exhibit this problem: I make a connection, the browser asks me which cert to use, I select one, then HTTPS things happen.

When I leave a browser HTTPS connection (meaning a TCP connection to the SSL port of my Zope server) idle, eventually the server times the connection out. If I then click on some link in the browser window, the browser again asks me to select a cert, then does its thing again. (I've set up my browser to ask for a cert every time for testing purposes.)

Which server are you running?

--
Ng Pheng Siong <[EMAIL PROTECTED]>

http://firewall.rulemaker.net -+- Manage Your Firewall Rulebase Changes
http://www.post1.com/home/ngps -+- Open Source Python Crypto & SSL
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]