Title: Re: How to log out from an SSL V3 session?

For some versions of MSIE, I think ClearAuthenticationCache would work.
I have not tested this myself, but here is a link to an article that talks about it:
http://msdn.microsoft.com/library/default.asp?url=

Thanx

Himanshu Soni





-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dr. Stephen Henson
Sent: Monday, May 17, 2004 9:30 AM
To: [EMAIL PROTECTED]
Subject: [BULK] - Re: How to log out from an SSL V3 session?


On Mon, May 17, 2004, [EMAIL PROTECTED] wrote:

> I already posted this question in [EMAIL PROTECTED], got no answer so
> far.  What mailing-list is the most suited to deal with SSL issues, mostly
> apache-ssl points?  httpd.apache.org does address some of the issues, mod_ssl
> mailing list seems not to be very popular, thought openssl was dealing with
> only openssl issues, but it seems to be also about mod_ssl...

> Here is my point:

> I have an application protected by client certificate authentication. I
> would like to let the user have a user-friendly way to change his
> authentication certificate, let's say he chooses to authenticate with
> certificate A, then an SSL handshake occurs and an SSL V3 session is set up.
> What if the user changes his mind and wants to authenticate with certificate
> B?

> The working solution is to make him close all his open browser windows,
> restart his browser and reconnect to the page, then he will be asked again
> to present a certificate and will be able to present certificate B.

> Is there a simpler way for the user to ask him again to authenticate and to
> let him choose a different certificate?  For a login/password type of
> authentication, you always have the choice to click on a Log out link that
> kills your session, and gives you a chance to authenticate again with a
> different login/pwd.  Can we imagine with client certificate authentication
> the same kind of way to log out and to authenticate with a different user?

> On IE, there is a button in Tools / Internet Options / Content, called Clear
> SSL Cache, that does a similar action to a log out button, I haven't been
> able to find a similar button on Mozilla-like browsers... Do you know of any
> button of this kind on Mozilla?  This would enable logging out from a client
> initiative.

> From a server perspective: is it possible to send a signal to apache
> mod_ssl to tell him to close the SSL session, so that the client goes back
> to an unauthenticated session. If he wants to access a protected page
> again, he would have a choice of choosing a different certificate.

> Thanks for any ideas, cheers.

The simple answer is no, there's no easy way to do what you ask.

When a new session is started many browsers cache the old authentication
information and automatically perform client authentication with the previous
credentials without any user intervention. The idea is that it won't keep
annoying the user with certificate requests all the time: but it's a problem
when you don't want it to do that.

The button in IE does various internal things which can't even be replicated
using an application. It's possible to clear the SSL state using an API but
that button does some other things as well which can't be done. I've heard
hints that a future API may support this though.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
