https://bz.apache.org/bugzilla/show_bug.cgi?id=58244
--- Comment #8 from Petr Brouzda <petr.brou...@gmail.com> --- (In reply to Rainer Jung from comment #7) Two reasons: 1) It makes client certificate UNUSABLE for authentication if client cert information are not present on subsequent HTTP requests. SSL session can be started OUTSIDE of my application - for example when there are more than one apps on the server. So client works with application A... and then he send request to application B. It is single SSL session for his browser, so application B won't receive client certificate info? Bad behaviour, I think. 2) This behaviour is specific for Tomcat with APR. In any other environment I know (Tomcat with standard JSSE, IBM WebSphere) it works correctly - client certificate information are present for every request, regardless of SSL sessions. So application that works correctly with Tomcat/JSSE and with IBM WebSphere will fail on Tomcat/APR. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
