Hi,
I was wondering if, when configuring Apache for client-authenticated SSL (i.e.,
using client certs), there is a way to configure Apache to force a
re-authentication of each HTTPS *request*? Note, when I say "each HTTPS
request" here, I mean each individual HTTPS request, not each SSL connection.
Some background: We have an Apache webserver that is configured for
client-authenticated SSL ("SSLVerifyClient optional"). The Apache webserver is
mainly a proxy for a WebLogic app server.
In our case, the client workstations have smart card readers, and client certs
are stored on the smart cards.
We are encountering a problem where, when users access the Apache server, they
are getting re-prompted to enter their smart card PIN multiple (many) times,
even just to access the initial webpage.
I'm aware that there are some settings in the smart card "middleware" that
would cache either the users' PIN or their certificates. These settings are
currently set to not cache, and our management doesn't want to change these
settings, so I've been looking into what things could be causing this behavior,
and someone on another newgroup mentioned that it may be possible that some
webservers have a setting that would force a re-"SSL"-authentication for each
HTTPS request, but I'm not aware of a setting like this.
So, I'm wondering if there is some way to configure Apache+SSL so that this
(re-authenticating) would occur with each individual HTTPS request?
Thanks in advance,
Jim
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
