Re: How to log out from an SSL V3 session?

On Mon, May 17, 2004, Himanshu Soni wrote:
> For some versions of MSIE, I think ClearAuthenticationCache would work.
> I have not tested this myself but here is a link to an article that talks
> about it:
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebteam/html/webteam11042002.asp
>

Isn't that just the normal username+password authenticated URLs?

Someone did ask about certificate authentication in the CryptoAPI mailing list
and the official answer was that there wasn't currently any way to do it but it
might be possible in future.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
Re: How to log out from an SSL V3 session?

For some versions of MSIE, I think ClearAuthenticationCache would work.
I have not tested this myself but here is a link to an article that talks
about it:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebteam/html/webteam11042002.asp

Thanx
Himanshu Soni

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dr. Stephen Henson
Sent: Monday, May 17, 2004 9:30 AM
To: [EMAIL PROTECTED]
Subject: [BULK] - Re: How to log out from an SSL V3 session?

On Mon, May 17, 2004, [EMAIL PROTECTED] wrote:
> I already posted this question in [EMAIL PROTECTED], got no answer so
> far. What mailing list is the most suited to deal with SSL issues, mostly
> apache-ssl points? httpd.apache.org does address some of the issues, the
> mod_ssl mailing list seems not to be very popular, I thought openssl was
> dealing with only openssl issues, but it seems to be also about mod_ssl...
>
> Here is my point:
>
> I have an application protected by client certificate authentication. I
> would like to let the user have a user-friendly way to change his
> authentication certificate. Let's say he chooses to authenticate with
> certificate A, then an SSL handshake occurs and an SSL V3 session is set up.
> What if the user changes his mind and wants to authenticate with certificate
> B?
>
> The working solution is to make him close all his open browser windows,
> restart his browser and reconnect to the page; then he will be asked again
> to present a certificate and will be able to present certificate B.
>
> Is there a simpler way for the user to ask him again to authenticate and to
> let him choose a different certificate? For a login/password type of
> authentication, you always have the choice to click on a Log out link that
> kills your session and gives you a chance to authenticate again with a
> different login/pwd. Can we imagine with client certificate authentication
> the same kind of way to log out and to authenticate with a different user?
>
> On IE, there is a button in Tools / Internet Options / Content, called Clear
> SSL Cache, that does a similar action to a log out button. I haven't been
> able to find a similar button on Mozilla-like browsers... Do you know of any
> button of this kind on Mozilla? This would enable logging out from a client
> initiative.
>
> From a server perspective: is it possible to send a signal to apache
> mod_ssl to tell it to close the SSL session, so that the client goes back
> to an unauthenticated session? If he wants to access a protected page
> again, he would have a choice of choosing a different certificate.
>
> Thanks for any ideas, cheers.
>

The simple answer is no, there's no easy way to do what you ask.

When a new session is started many browsers cache the old authentication
information and automatically perform client authentication with the previous
credentials without any user intervention. The idea is that it won't keep
annoying the user with certificate requests all the time: but it's a problem
when you don't want it to do that.

The button in IE does various internal things which can't even be replicated
using an application. It's possible to clear the SSL state using an API but
that button does some other things as well which can't be done. I've heard
hints that a future API may support this though.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: How to log out from an SSL V3 session?

On Mon, May 17, 2004, [EMAIL PROTECTED] wrote:
> I already posted this question in [EMAIL PROTECTED], got no answer so
> far. What mailing list is the most suited to deal with SSL issues, mostly
> apache-ssl points? httpd.apache.org does address some of the issues, the
> mod_ssl mailing list seems not to be very popular, I thought openssl was
> dealing with only openssl issues, but it seems to be also about mod_ssl...
>
> Here is my point:
>
> I have an application protected by client certificate authentication. I
> would like to let the user have a user-friendly way to change his
> authentication certificate. Let's say he chooses to authenticate with
> certificate A, then an SSL handshake occurs and an SSL V3 session is set up.
> What if the user changes his mind and wants to authenticate with certificate
> B?
>
> The working solution is to make him close all his open browser windows,
> restart his browser and reconnect to the page; then he will be asked again
> to present a certificate and will be able to present certificate B.
>
> Is there a simpler way for the user to ask him again to authenticate and to
> let him choose a different certificate? For a login/password type of
> authentication, you always have the choice to click on a Log out link that
> kills your session and gives you a chance to authenticate again with a
> different login/pwd. Can we imagine with client certificate authentication
> the same kind of way to log out and to authenticate with a different user?
>
> On IE, there is a button in Tools / Internet Options / Content, called Clear
> SSL Cache, that does a similar action to a log out button. I haven't been
> able to find a similar button on Mozilla-like browsers... Do you know of any
> button of this kind on Mozilla? This would enable logging out from a client
> initiative.
>
> From a server perspective: is it possible to send a signal to apache
> mod_ssl to tell it to close the SSL session, so that the client goes back
> to an unauthenticated session? If he wants to access a protected page
> again, he would have a choice of choosing a different certificate.
>
> Thanks for any ideas, cheers.
>

The simple answer is no, there's no easy way to do what you ask.

When a new session is started many browsers cache the old authentication
information and automatically perform client authentication with the previous
credentials without any user intervention. The idea is that it won't keep
annoying the user with certificate requests all the time: but it's a problem
when you don't want it to do that.

The button in IE does various internal things which can't even be replicated
using an application. It's possible to clear the SSL state using an API but
that button does some other things as well which can't be done. I've heard
hints that a future API may support this though.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: How to log out from an SSL V3 session?

On Mon, May 17, 2004 at 11:23:51AM -0400, Charles B Cranston wrote:
> The web does not use continuous connections. Typically for a
> web app you do a POST request, passing in data items and getting
> back the next in the process, but the SSL connection is
> closed at that point, and another, different, connection is
> opened the next time you push a button or otherwise interact
> with the web app.
>

Not 100% correct. There is keep-alive too.

m.
--
martin paljak - consultant
[EMAIL PROTECTED] - email
martin.paljak.pri.ee - web
+372.55.984.685 - phone
Re: How to log out from an SSL V3 session?

The web does not use continuous connections. Typically for a
web app you do a POST request, passing in data items and getting
back the next in the process, but the SSL connection is
closed at that point, and another, different, connection is
opened the next time you push a button or otherwise interact
with the web app.

[EMAIL PROTECTED] wrote:

> I have an application protected by client certificate
> authentication. I would like to let the user have a user-friendly
> way to change his authentication certificate, let's say he chooses
> to authenticate with certificate A, then an SSL handshake occurs and
> an SSL V3 session is set up.

This is where you lose me. I don't think a "session" is set up here;
instead, the window stores whatever parameters are needed to reopen a
new connection the next time the user interacts with the web app.
Are you talking about a Java app that *could* keep a TCP/IP connection
open between interactions? Are you talking about something OTHER than
the customary and usual HTTP-mediated web app?

> What if the user changes his mind and wants to authenticate with
> certificate B? The working solution is to make him close all his
> open browser windows, restart his browser and reconnect to the page,
> then he will be asked again to present a certificate and will be
> able to present certificate B.

Well, this really has nothing to do with SSL, it's the behavior of the
particular web browser you are talking about, that the act of quitting
and restarting the browser loses that "state" information.

> Is there a simpler way for the user to ask him again to authenticate
> and to let him choose a different certificate?
> For a login/password type of authentication, you always have the
> choice to click on a Log out link that kills your session, and
> gives you a chance to authenticate again with a different login/pwd.
> Can we imagine with client certificate authentication the same kind
> of way to log out and to authenticate with a different user?

The idea of one-user one-PC was the standard in the early days of
programming for microcomputers, so the idea of "user" is either not
there at all or kluged in after the fact. The only systems I know that
really have a hard idea of "user" are Linux and MacOSX. So it's not
surprising that the idea of "changing users" was never implemented.

BTW, the implementation on MacOSX 10.3 ("Panther") is really neat. I
can have multiple persons logged onto my laptop at one time, then switch
between them by giving the password each time one wants to switch, so
it's like switching the same keyboard and display among multiple running
shell processes. Anyway, it's really neat when you want to serially
share the laptop between a set of users without having to log off and
on again.

> On IE, there is a button in Tools / Internet Options / Content,
> called Clear SSL Cache, that does a similar action to a
> log out button, I haven't been able to find a similar button
> on Mozilla-like browsers... Do you know of any button of this
> kind on Mozilla? This would enable logging out from a client
> initiative.

Again, this reinforces the idea that it is the idiosyncratic behaviour
of the browser that you are asking about, not anything in either
mod_ssl nor the ssl protocol proper.

> From a server perspective: is it possible to send a signal
> to apache mod_ssl to tell it to close the SSL session, so that
> the client goes back to an unauthenticated session?
> If he wants to access a protected page again, he would have
> a choice of choosing a different certificate.

Again, the standard model does NOT use a continuously-open TCP/IP
connection. You come in, exchange data for a new form, and then the
connection is closed. So there's no question of any kind of "closing
the session". The session is already closed.

What you'd be looking for is some means of "poisoning" the saved data
in the browser, so it would be rejected the next time it is used to try
to open the connection (and hope that the browser does the "sane"
thing, forgetting its saved information and going back to square one
and trying from first principles).

Also, it's probably worth saying that the whole idea of Open Source is
that you can not only read the source code for Mozilla but even write
your own modifications, so you could MAKE a version of Mozilla that
does what you believe the "right thing" to be. Although it's also
probably worth saying that you need to learn a bit more about how the
web stuff really works "under the hood" before taking on such a project.

I hope this gets the idea across that the reason you're running into
such unfriendliness on the web is that you seem to be laboring under
such a large set of misconceptions that nobody seems to know quite
where to start in trying to straighten you out?

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
RE: How to log out from an SSL V3 session?

Could you be a little bit more precise on how I can do such a trick?
Can the client send a signal to the server to make it force a new handshake?

Nicolas.

-----Original Message-----
From: Baber Amin [mailto:[EMAIL PROTECTED]]
Date: Mon. 17/05/2004 17:01
To: Villoutreix, Nicolas; [EMAIL PROTECTED]
Cc:
Subject: Re: How to log out from an SSL V3 session?

You can always force a new handshake, by issuing a "Hello request" from the
server, and clearing the cached session on the server side.

Thanks
-Baber :)

>>> [EMAIL PROTECTED] 5/17/2004 8:36:57 AM >>>
I already posted this question in [EMAIL PROTECTED], got no answer so
far. What mailing list is the most suited to deal with SSL issues, mostly
apache-ssl points? httpd.apache.org does address some of the issues, the
mod_ssl mailing list seems not to be very popular, I thought openssl was
dealing with only openssl issues, but it seems to be also about mod_ssl...

Here is my point:

I have an application protected by client certificate authentication. I
would like to let the user have a user-friendly way to change his
authentication certificate. Let's say he chooses to authenticate with
certificate A, then an SSL handshake occurs and an SSL V3 session is set up.
What if the user changes his mind and wants to authenticate with certificate
B?

The working solution is to make him close all his open browser windows,
restart his browser and reconnect to the page; then he will be asked again
to present a certificate and will be able to present certificate B.

Is there a simpler way for the user to ask him again to authenticate and to
let him choose a different certificate? For a login/password type of
authentication, you always have the choice to click on a Log out link that
kills your session and gives you a chance to authenticate again with a
different login/pwd. Can we imagine with client certificate authentication
the same kind of way to log out and to authenticate with a different user?

On IE, there is a button in Tools / Internet Options / Content, called Clear
SSL Cache, that does a similar action to a log out button. I haven't been
able to find a similar button on Mozilla-like browsers... Do you know of any
button of this kind on Mozilla? This would enable logging out from a client
initiative.

From a server perspective: is it possible to send a signal to apache
mod_ssl to tell it to close the SSL session, so that the client goes back
to an unauthenticated session? If he wants to access a protected page
again, he would have a choice of choosing a different certificate.

Thanks for any ideas, cheers.

Nicolas.

This message is for the designated recipient only and may contain
privileged, proprietary, or otherwise private information. If you have
received it in error, please notify the sender immediately and delete the
original. Any other use of the email by you is prohibited.
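The two server-side suggestions in this thread (Baber's "clear the cached session on the server side and force a new handshake", and Steve's caveat that the browser will then simply re-present the certificate it remembered) can be walked through with a small model. The following is an added illustration written for this page, not code from the thread, from OpenSSL or from mod_ssl; the session cache, the browser state and the two DER certificate stand-ins are all constructed and hypothetical, and the only real dependency is the standard library.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate: the identity an
    application should bind its own login session to, not the TLS session id."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class ServerSessionCache:
    """Hypothetical model of a server-side TLS session cache (the role mod_ssl's
    SSLSessionCache plays): session id -> (client cert fingerprint, expiry)."""
    timeout: float = 300.0
    entries: Dict[bytes, Tuple[str, float]] = field(default_factory=dict)

    def store(self, fingerprint: str) -> bytes:
        session_id = secrets.token_bytes(32)
        self.entries[session_id] = (fingerprint, time.monotonic() + self.timeout)
        return session_id

    def lookup(self, session_id: bytes) -> Optional[str]:
        entry = self.entries.get(session_id)
        if entry is None:
            return None
        fingerprint, expiry = entry
        if time.monotonic() > expiry:          # expired entries resume nothing
            del self.entries[session_id]
            return None
        return fingerprint

    def invalidate_by_fingerprint(self, fingerprint: str) -> int:
        """Server-side 'logout': drop every cached session bound to this cert, so
        the next connection cannot resume and must run a full handshake."""
        doomed = [sid for sid, (fp, _) in self.entries.items() if fp == fingerprint]
        for sid in doomed:
            del self.entries[sid]
        return len(doomed)


@dataclass
class Browser:
    """Client-side state the thread is about: the cached TLS session id and the
    remembered certificate choice that browsers reuse without asking again."""
    session_id: Optional[bytes] = None
    remembered_cert: Optional[bytes] = None

    def clear_ssl_state(self) -> None:
        """What 'Clear SSL state' or restarting the browser achieves."""
        self.session_id = None
        self.remembered_cert = None


def connect(server: ServerSessionCache, browser: Browser, pick_cert) -> Tuple[str, str]:
    """One HTTPS connection. Returns (handshake kind, cert fingerprint).
    pick_cert() is called only when the browser has no remembered choice; that
    call is the certificate prompt the original poster wants to see again."""
    if browser.session_id is not None:
        fp = server.lookup(browser.session_id)
        if fp is not None:
            return ("resumed", fp)             # abbreviated handshake, no CertificateRequest
    # Full handshake: the server sends CertificateRequest.
    if browser.remembered_cert is None:
        browser.remembered_cert = pick_cert()
    fp = cert_fingerprint(browser.remembered_cert)
    browser.session_id = server.store(fp)
    return ("full", fp)


def scenario() -> List[Tuple[str, str]]:
    """Walk through the thread's situation; returns (handshake kind, 'A' or 'B')."""
    # Constructed stand-ins for two DER certificates (real ones are ASN.1 blobs).
    certs = {"A": b"constructed-der-cert-A", "B": b"constructed-der-cert-B"}
    by_fp = {cert_fingerprint(der): name for name, der in certs.items()}
    choices = iter([certs["A"], certs["B"]])

    def pick_cert() -> bytes:                  # the user's answer to the prompt
        return next(choices)

    server, browser = ServerSessionCache(), Browser()
    log = [connect(server, browser, pick_cert)]        # first visit: full handshake, user picks A
    log.append(connect(server, browser, pick_cert))    # next request: resumed, still A
    server.invalidate_by_fingerprint(cert_fingerprint(certs["A"]))  # server-side cache cleared
    log.append(connect(server, browser, pick_cert))    # full handshake forced, browser re-sends A
    browser.clear_ssl_state()                          # only now is the choice forgotten
    log.append(connect(server, browser, pick_cert))    # full handshake, user picks B
    return [(kind, by_fp[fp]) for kind, fp in log]


if __name__ == "__main__":
    for step, (kind, cert) in enumerate(scenario(), 1):
        print(f"connection {step}: {kind} handshake, certificate {cert}")
```

The third connection is the point of the model: clearing the server-side cache does force a full handshake, but because the browser still holds its remembered choice it answers the new CertificateRequest with certificate A and no prompt appears. Only a client-side action (the Clear SSL state button, or restarting the browser) makes the fourth connection ask the user again, which is why a "logout" for certificate-authenticated users has to be bound to the certificate fingerprint at the application layer rather than to the TLS session.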