Arnaud wrote:

I am using Mozilla to connect to web services (via xmlhttprequest).
I connect to both secure and non secure services.
For the secure ones, I use both server and client certificates.

Mozilla offers two options:
1- Mozilla selects which client cert to use automatically
2- Mozilla prompts the user for which certificate to use

It turns out that in the second case, it only prompts the first time.
Once you picked a given client cert to be used for a site, you cannot change it, or rather, Mozilla does not ask you to choose which cert to use.

This is because the first time you connect to the server, the client and the server create a "session", and both of them remember that session in their respective local "session cache", and reuse it for subsequent connections. If the client authenticated, then the server remembers the client's cert and associates it with the session for the lifetime of the session. Reusing the session greatly speeds up the SSL handshake for the subsequent connections, which improves server throughput. Multiple connections in parallel between the same client and server can share the same session.

Session reuse is very helpful in the typical case where one connection
fetches a web page, and the next several connections fetch associated
images and/or javascript scripts.

When a session is reused, no certificates are sent in either direction
because the certs have previously been cached.  Since no certs are sent,
there are no prompts to choose certs.

Is it a bug?

No, it's a design feature of the SSL protocol.

Is there a preference to force Mozilla to ask EVERY TIME for which cert to use?

No. You don't really want to be prompted to authenticate for every image, even though they go through separate connections.

If not, is there a way to programmatically (via JavaScript) make Mozilla forget about the previous choice (the choice must be stored somewhere)?

The decision to reuse an old session is negotiated. The client and server must both agree to do so, or else a new session is negotiated. A given server can choose to never cache sessions and never reuse sessions. If you want your server to never reuse sessions, you should make it behave that way.

--
Nelson B
_______________________________________________
Mozilla-security mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-security
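The behaviour Nelson describes, and the server-side fix he suggests, can be reproduced end to end with Go's crypto/tls, which can mint the certificates in memory so the demo runs offline. This is an added example, not code from the thread or from Mozilla/NSS; the CA, server and client names (demo-ca, localhost, arnaud) are assumptions for the demo. A single client makes two mutually authenticated connections to an in-process server: the first is a full handshake that carries the client certificate, the second is resumed and carries no Certificate message at all, yet the server still knows the client's CN because it was stored with the session. Disabling session tickets on the server, or giving the client no session cache, forces a full handshake (and therefore a fresh certificate exchange) on every connection.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// Result is what one connection observed: was the session reused, and which client-cert CN did the server see.
type Result struct {
	Resumed  bool
	ClientCN string
}

// mustCert issues a throwaway P-256 certificate for cn (names are demo assumptions): a self-signed
// CA when ca == nil, otherwise a leaf signed by ca. It panics on error since it only builds fixtures.
func mustCert(cn string, ca *tls.Certificate) *tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca == nil,
	}
	parent, signer := tmpl, key // self-signed unless a CA was given
	if ca != nil {
		parent, signer = ca.Leaf, ca.PrivateKey.(*ecdsa.PrivateKey)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Connect makes n sequential mutually authenticated TLS connections from one
// client to an in-process server. serverResumes=false is the server-side fix
// from the reply (no session tickets are issued, so nothing can be reused);
// cache == nil models a client that keeps no session cache at all.
func Connect(n int, serverResumes bool, cache tls.ClientSessionCache) ([]Result, error) {
	ca := mustCert("demo-ca", nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates:           []tls.Certificate{*mustCert("localhost", ca)},
		ClientAuth:             tls.RequireAndVerifyClientCert,
		ClientCAs:              pool,
		SessionTicketsDisabled: !serverResumes,
	})
	if err != nil {
		return nil, err
	}
	defer ln.Close() // also ends the accept loop below
	seen := make(chan string, n) // client cert CN the server saw, one per connection
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			cn := ""
			// A resumed handshake carries no Certificate message, yet the client
			// cert is still known to the server: it was stored with the session.
			if tc := c.(*tls.Conn); tc.Handshake() == nil && len(tc.ConnectionState().PeerCertificates) > 0 {
				cn = tc.ConnectionState().PeerCertificates[0].Subject.CommonName
			}
			c.Close()
			seen <- cn
		}
	}()
	cliCfg := &tls.Config{Certificates: []tls.Certificate{*mustCert("arnaud", ca)}, RootCAs: pool, ServerName: "localhost", ClientSessionCache: cache}
	out := make([]Result, 0, n)
	for i := 0; i < n; i++ {
		conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
		if err != nil {
			return nil, err
		}
		// Read to EOF: in TLS 1.3 the ticket comes after the handshake; the client caches it only when it reads that record.
		io.ReadAll(conn)
		out = append(out, Result{Resumed: conn.ConnectionState().DidResume, ClientCN: <-seen})
		conn.Close()
	}
	return out, nil
}

func main() {
	res, err := Connect(2, true, tls.NewLRUClientSessionCache(8))
	fmt.Println(res, err) // [{false arnaud} {true arnaud}] <nil>
}
```

Go speaks TLS 1.3, where the server hands the client an encrypted session ticket instead of keeping a server-side cache entry as the SSL of this thread did, but the client certificate travels inside that ticket, so what you observe is exactly what the reply describes: no certificate is sent on the resumed connection, and there is nothing for a browser to prompt about. Either knob that makes the test's resumed connection a full handshake again also carries the cost Nelson points out, one full handshake (and one certificate prompt) per connection, image fetches included.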
