Nebergall, Christopher wrote:
> In Apache and IIS you can specify Optional SSL Client authentication.
> If Optional Client Authentication is specified should/does Mozilla
> prompt the user for their PIN to access their certificates?

mozilla lets the user configure several things about SSL client auth,
including:
a) whether to choose a cert to send automatically, or to ask the user
to choose a cert each time, and
b) whether to prompt the user for the "master password" every time, or
only to prompt for it if it hasn't been used in the last N minutes, or
only to prompt for it once, and then not again until the browser is
restarted.
If you have it set to choose automatically, and not to prompt for the
password every time, then it will not prompt you if you don't have a
cert that satisfies the server's requirements, and it will not prompt
you if you do have a cert, but have already entered the password recently.
I suspect that what's happening in your case is that the first time client
auth is requested, you're being prompted, and the second time, you're not
because you've recently entered it the first time.
However, another possible explanation is that the server is not actually
requesting client auth when configured to "optionally" do so. If the
server doesn't request it, mozilla definitely won't prompt for it.

> Or will
> Mozilla even know that SSL client authentication is supported by the
> server?

If the server requests client auth, mozilla will know that it has done
so.

> I want a web server module that can do SSL Client
> authentication but if it fails redirect the user to a username password
> form.

For what server product and version, specifically?
Apache? IIS? iPlanet? Netscape?

> I know how to do this if I have two servers (one which forced SSL
> Client auth and one that supports just forms auth), but I'm trying to
> figure out how to do it on just one server.
> Thanks,
> Christopher
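
Added example, not part of the original thread: one way to get the single-server behaviour asked about above, assuming a WSGI application served by Apache with mod_ssl set to `SSLVerifyClient optional` and exporting its standard environment variables (`SSLOptions +StdEnvVars`). The `/login` path, the `sid` cookie and the session store are hypothetical names used for illustration.

```python
from http.cookies import SimpleCookie
from wsgiref.util import setup_testing_defaults

LOGIN_FORM = "/login"                        # hypothetical URL of the password form
SESSIONS = {"constructed-sid-1": "alice"}    # constructed sample session store


def identify(environ):
    """Return (user, method), or (None, None) if the request is unauthenticated."""
    # mod_ssl sets SSL_CLIENT_VERIFY itself; request headers arrive as HTTP_*,
    # so a client cannot inject this variable.
    # Only SUCCESS counts: NONE means no certificate was sent, while
    # GENEROUS and FAILED:<reason> mean the chain was not verified.
    if environ.get("SSL_CLIENT_VERIFY") == "SUCCESS" and environ.get("SSL_CLIENT_S_DN"):
        return environ["SSL_CLIENT_S_DN"], "client-cert"
    # No verified certificate: fall back to a form-login session cookie.
    sid = SimpleCookie(environ.get("HTTP_COOKIE", "")).get("sid")
    if sid is not None and sid.value in SESSIONS:
        return SESSIONS[sid.value], "form"
    return None, None


def app(environ, start_response):
    user, method = identify(environ)
    path = environ.get("PATH_INFO", "/")
    if user is None:
        if path == LOGIN_FORM:
            # Placeholder for the real username/password form.
            start_response("200 OK", [("Content-Type", "text/plain")])
            return [b"username/password form goes here"]
        # Handshake completed without a usable certificate: send to the form.
        start_response("302 Found", [("Location", LOGIN_FORM)])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"{user} ({method})".encode()]


def request(path="/", **env):
    """Drive the app once with a constructed environ; return (status, headers, body)."""
    environ = {"PATH_INFO": path, **env}
    setup_testing_defaults(environ)
    seen = {}

    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```

The decision is made after the TLS handshake, so it only works when the server lets a certificate-less handshake complete, which is what the "optional" setting is for.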