The web does not use continuous connections. Typically for a
web app you do a POST request, passing in data items and getting
back the next <form> in the process, but the SSL connection is
closed at that point, and another, different, connection is
opened the next time you push a button or otherwise interact
with the web app.
[EMAIL PROTECTED] wrote:
> I have an application protected by client certificate
> authentication. I would like to let the user have a user-friendly
> way to change his authentication certificate, let's say he chooses
> to authenticate with certificate A, then a ssl handshake occurs
> and an ssl V3 session is set up.
This is where you lose me. I don't think a "session" is set up here,
instead, the window stores whatever parameters are needed to reopen a
new connection the next time the user interacts with the web app.
Are you talking about a Java app that *could* keep a TCP/IP connection
open between interactions? Are you talking about something OTHER than
the customary and usual HTTP-mediated web app?
> What if the user changes his mind and wants to authenticate with
> certificate B? The working solution is to make him close all his
> open browser windows, restart his browser and reconnect to the page,
> then he will be asked again to present a certificate and will be
> able to present certificate B.
Well, this really has nothing to do with SSL, it's the behavior of
the particular web browser you are talking about, that the act of
quitting and restarting the browser loses that "state" information.
> Is there a simpler way for the user to ask him again to authenticate
> and to let him choose a different certificate?
> For a login/password type of authentication, you always have the
> choice to click on a Log out link that kills your session, and
> gives you a chance to authenticate again with a different login/pwd.
> Can we imagine with client certificate authentication the same kind
> of way to log out and to authenticate with a different user?
The idea of one-user one-PC was the standard in the early days of
programming for microcomputers, so the idea of "user" is either not
there at all or kluged in after the fact. The only systems I know
that really have a hard idea of "user" are Linux and MacOSX.
So it's not surprising that the idea of "changing users" was never
implemented.
BTW, the implementation on MacOSX 10.3 ("Panther") is really neat.
I can have multiple persons logged onto my laptop at one time,
then switch between them by giving the password each time one
wants to switch, so it's like switching the same keyboard and
display among multiple running shell processes. Anyway, it's
really neat when you want to serially share the laptop between
a set of users without having to log off and on again.
> On IE, there is a button in Tools / Internet Options / Content,
> called Clear SSL Cache, that does a similar action to a
> log out button, I haven't been able to find a similar button
> on Mozilla-like browsers... Do you know of any button of this
> kind on Mozilla? This would enable logging out from a client
> initiative.
Again, this reinforces the idea that it is the idiosyncratic
behaviour of the browser that you are asking about, not anything
in either mod_ssl or the ssl protocol proper.
> From a server perspective: is it possible to send a signal
> to apache mod_ssl to tell him to close the SSL session,
> so that the client goes back to an unauthenticated session.
> If he wants to access a protected page again, he would have
> a choice of choosing a different certificate.
Again, the standard model does NOT use a continuously-open TCP/IP
connection. You come in, exchange data for a new form, and then
the connection is closed. So there's no question of any kind of
"closing the session". The session is already closed.
What you'd be looking for is some means of "poisoning" the saved
data in the browser, so it would be rejected the next time it
is used to try to open the connection (and hope that the browser
does the "sane" thing, forgetting its saved information and going
back to square one and trying from first principles).
Also, it's probably worth saying that the whole idea of Open Source
is that you can not only read the source code for Mozilla but
even write your own modifications, so you could MAKE a version of
Mozilla that does what you believe the "right thing" to be.
Although it's also probably worth saying that you need to learn a
bit more about how the web stuff really works "under the hood"
before taking on such a project.
I hope this gets the idea across that the reason you're running
into such unfriendliness on the web is that you seem to be
laboring under such a large set of misconceptions that nobody
seems to know quite where to start in trying to straighten you out?
--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
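As an added illustration (not configuration from the thread, from Ben's reply, or from the OpenSSL project), the mod_ssl fragment below shows what "the SSL session" actually is on the server side: a cache of resumable handshakes, kept separately from the short-lived TCP connections the reply describes. The server name, file paths and timeout value are placeholders; the point is that expiring the cache only forces a fresh full handshake on the browser's next connection, and no server directive makes the browser forget which client certificate it chose.

```apache
# Added example, not from the original thread. ServerName, paths and
# the timeout are placeholder values chosen for illustration only.

# Server-wide cache of resumable TLS sessions (server config context).
# This is the only "session" mod_ssl holds between a browser's
# connections: a handshake the client may resume by session ID.
SSLSessionCache shmcb:/var/run/ssl_scache(512000)

<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    # Placeholder certificate and key paths.
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # CA that issued the client certificates we accept (placeholder path).
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem

    # After 300 seconds a cached session can no longer be resumed, so the
    # browser's next connection performs a full handshake. It will still
    # present the certificate it already picked; this is not a log-out.
    SSLSessionCacheTimeout 300

    # Only this tree requires a client certificate. The check runs on
    # whichever new connection the browser opens for the request.
    <Location /protected>
        SSLVerifyClient require
        SSLVerifyDepth  2
        # Export SSL_CLIENT_S_DN and friends so the application can log
        # which certificate was presented on each individual request.
        SSLOptions +StdEnvVars
    </Location>
</VirtualHost>
```

Because the application sees the presented certificate on every request (via the exported SSL_CLIENT_* variables), logging that identity per request is the practical way to notice when a user's certificate changes, rather than trying to "close" a session the server never keeps open.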