Could you be a little bit more precise on how I can do such a trick?
Can the client send a signal to the server to make it force a new handshake?
 
Nicolas.

        -------- Original message --------
        From: Baber Amin [mailto:[EMAIL PROTECTED]
        Date: Mon 17/05/2004 17:01
        To: Villoutreix, Nicolas; [EMAIL PROTECTED]
        Cc:
        Subject: Re: How to log out from an SSL V3 session?
        
        

        You can always force a new handshake, by issuing a "Hello request" from
        the server, and clearing the cached session on the server side.
        
        Thanks
        -Baber
        :)
        
        >>> [EMAIL PROTECTED] 5/17/2004 8:36:57 AM >>>
        I already posted this question in [EMAIL PROTECTED] , got no
        answer so far.
        What mailing-list is the most suited to deal with SSL issues, mostly
        apache-ssl points?
        httpd.apache.org does address some of the issues, mod_ssl mailing list
        seems not to be very popular, thought openssl was dealing with only
        openssl issues, but it seems to be also about mod_ssl...
        
        Here is my point :
        
        I have an application protected by client certificate authentication. I
        would like to let the user have a user-friendly way to change his
        authentication certificate, let's say he chooses to authenticate with
        certificate A, then a ssl handshake occurs and an ssl V3 session is set
        up. What if the user changes his mind and wants to authenticate with
        certificate B?
        
        The working solution is to make him close all his open browser windows,
        restart his browser and reconnect to the page, then he will be asked
        again to present a certificate and will be able to present certificate
        B.
        
        Is there a simpler way for the user to ask him again to authenticate
        and to let him choose a different certificate?
        For a login/password type of authentication, you always have the choice
        to click on a Log out link that kills your session, and give you a
        chance to authenticate again with a different login/pwd.
        Can we imagine with client certificate authentication a same kind of
        way to log out and to authenticate with a different user.
        
        On IE, there is a button in Tools / Internet Options / Content, called
        Clear SSL Cache, that does a similar action to a log out button, I
        haven't been able to find a similar button on Mozilla-like browsers...
        Do you know of any button of this kind on Mozilla?
        This would enable logging out from a client initiative.
        From a server perspective: is it possible to send a signal to apache
        mod_ssl to tell him to close the SSL session, so that the client goes
        back to an unauthenticated session. If he wants to access a protected
        page again, he would have a choice of choosing a different certificate.
        Thanks for any ideas,
        cheers.
        
        Nicolas.
        
        
        This message is for the designated recipient only and may contain
        privileged, proprietary, or otherwise private information.  If you have
        received it in error, please notify the sender immediately and delete
        the original.  Any other use of the email by you is prohibited.
        ______________________________________________________________________
        OpenSSL Project                                 http://www.openssl.org
        
        User Support Mailing List                    [EMAIL PROTECTED]
        
        Automated List Manager                           [EMAIL PROTECTED]
        


