Thanks for the very quick response! Out of curiosity is this ensured by some sort of caching in the Tomcat server after the TLS handshake? Or is it expected that the client would send the certificate with each post handshake request. I ask as I'm seeing intermittent requests that do not have a "javax.servlet.request.X509Certificate" attribute value populated. This also differs by browser (e.g. more frequently on MacOS Chrome 75.0.3770.100, not on MacOS Safari 12.1.1).
On 7/12/19, 2:00 AM, "Mark Thomas" <ma...@apache.org> wrote: On 12/07/2019 08:22, Martynas Jusevičius wrote: > In my experience with 8.x -- on all requests. The above is correct for JSSE based TLS connections. It also applies to most OpenSSL based connections. There is one edge case that can cause problems. If: - OpenSSL based TLS connections are used; - TLS session tickets are enabled; and - the session has been resumed via a ticket; then the client certificate will be available but the full client certificate chain will not. The full chain will only be available in the initial connection. Mark > > On Fri, Jul 12, 2019 at 3:06 AM Wilmoth, Jon > <jon.d.wilm...@nordstrom.com> wrote: >> >> I was hoping to get some clarification on when to expect client x509 certs in http requests where the Tomcat server (v9.x) has been configured to “want” or “need” client auth. https://javaee.github.io/servlet-spec/downloads/servlet-4.0/servlet-4_0_FINAL.pdf says: >> >> “If there is an SSL certificate associated with the request, it must be exposed by the servlet container to the servlet programmer as an array of objects of type java.security.cert.X509Certificate and accessible via a ServletRequest attribute of javax.servlet.request.X509Certificate.” >> >> Is this only for the request that initiated the TLS handshake? Or does this mean it will be present on all requests (i.e. requests on a keep-alive connection after the initial handshake) while the TLS connection is still open? >> >> Thanks, >> Jon > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org