On 18.02.2010 02:45, Eddy Nigg wrote:
>> If you currently have a https site that's partly open and partly
>> accessed only with client authentication, I think the only reasonable
>> way out is to break it in two.
> Not sure what you mean, but the server doesn't accept client initiated
> renegotiation. Renegotiation happens only upon client certificate
> authentication ONCE per authenticated session. The session is handled
> at the application layer, not SSL session.
>> Have secure.startcom.com with no cert and authent.secure.startcom.com
>> with client cert.
> That's not the issue, there is only one secure mode, during
> authentication and thereafter. Client authentication happens once when
> you authenticate.
Eddy, describing the solution in more detail:
- configure secure.startcom.com to never request client auth
- configure authent.secure.startcom.com to always request client auth
This avoids having to renegotiate, because the required authentication
level is set during the initial handshake to the server.
This requires that you split your content into two separate servers,
jump to authent.secure.startcom as soon as a user wishes to use a cert,
and remain at secure.startcom while you don't need the user to be
authenticated.
Kai
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
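As an added illustration of the two-host split Kai describes (this is example configuration written for this page, not something posted in the thread or taken from StartCom's servers), here is how the arrangement looks in Apache httpd with mod_ssl. The two virtual hosts share one IP and are selected by SNI; certificate, key, CA bundle and document-root paths are placeholders. The point of the example is that `SSLVerifyClient` is set once at virtual-host level on each host, so the client-authentication requirement is fixed in the initial handshake and mod_ssl never has to renegotiate to change it.

```apache
# Added example, not from the mailing-list thread. Paths are placeholders.
# Apache config does not allow comments after a directive on the same line,
# so every comment sits on its own line.

Listen 443

# Public part of the site: never asks for a client certificate.
<VirtualHost *:443>
    ServerName secure.startcom.com
    SSLEngine on
    # placeholder paths
    SSLCertificateFile    /etc/ssl/certs/secure.startcom.com.pem
    SSLCertificateKeyFile /etc/ssl/private/secure.startcom.com.key

    # Set at host level, so the "no client auth" decision is part of the
    # initial handshake and there is nothing to renegotiate later.
    SSLVerifyClient none

    # Do NOT add SSLVerifyClient inside <Location> or <Directory> here:
    # a per-location requirement makes mod_ssl renegotiate mid-connection,
    # which is exactly what splitting the site is meant to avoid.

    # placeholder
    DocumentRoot /srv/www/secure
</VirtualHost>

# Authenticated part of the site: always requires a client certificate.
<VirtualHost *:443>
    ServerName authent.secure.startcom.com
    SSLEngine on
    # placeholder paths
    SSLCertificateFile    /etc/ssl/certs/authent.secure.startcom.com.pem
    SSLCertificateKeyFile /etc/ssl/private/authent.secure.startcom.com.key

    # Again at host level: the certificate request is sent in the initial
    # handshake, once per TLS connection, never via renegotiation.
    SSLVerifyClient require
    SSLVerifyDepth 2
    # placeholder path to the CA that issues the client certificates
    SSLCACertificateFile /etc/ssl/certs/client-ca.pem

    # Keep the default: do not accept old-style renegotiation from clients.
    SSLInsecureRenegotiation off

    # placeholder
    DocumentRoot /srv/www/authent
</VirtualHost>
```

The application then links users to authent.secure.startcom.com whenever a certificate is needed and keeps them on secure.startcom.com otherwise, as Kai describes. To confirm that neither host will renegotiate, connect with `openssl s_client -connect <host>:443` and send a line consisting of `R`, which asks the server to renegotiate; a host configured as above should refuse or drop the connection rather than complete a second handshake.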