Re: TLS client cert clarification

Fri, 12 Jul 2019 11:13:21 -0700 

Thanks for the very quick response!  Out of curiosity is this ensured by some 
sort of caching in the Tomcat server after the TLS handshake?  Or is it 
expected that the client would send the certificate with each post handshake 
request.  I ask as I'm seeing intermittent requests that do not have a 
"javax.servlet.request.X509Certificate" attribute value populated.  This also 
differs by browser (e.g. more frequently on MacOS Chrome 75.0.3770.100, not on 
MacOS Safari 12.1.1).

On 7/12/19, 2:00 AM, "Mark Thomas" <ma...@apache.org> wrote:

    On 12/07/2019 08:22, Martynas Jusevičius wrote:
    > In my experience with 8.x -- on all requests.
    
    The above is correct for JSSE based TLS connections. It also applies to
    most OpenSSL based connections.
    
    There is one edge case that can cause problems. If:
    
    - OpenSSL based TLS connections are used;
    - TLS session tickets are enabled; and
    - the session has been resumed via a ticket; then
    
    the client certificate will be available but the full client certificate
    chain will not. The full chain will only be available in the initial
    connection.
    
    Mark
    
    > 
    > On Fri, Jul 12, 2019 at 3:06 AM Wilmoth, Jon
    > <jon.d.wilm...@nordstrom.com> wrote:
    >>
    >> I was hoping to get some clarification on when to expect client x509 
certs in http requests where the Tomcat server (v9.x) has been configured to 
“want” or “need” client auth.  
https://javaee.github.io/servlet-spec/downloads/servlet-4.0/servlet-4_0_FINAL.pdf
 says:
    >>
    >> “If there is an SSL certificate associated with the request, it must be 
exposed by the servlet container to the servlet programmer as an array of 
objects of type java.security.cert.X509Certificate and accessible via a 
ServletRequest attribute of javax.servlet.request.X509Certificate.”
    >>
    >> Is this only for the request that initiated the TLS handshake?  Or does 
this mean it will be present on all requests (i.e. requests on a keep-alive 
connection after the initial handshake) while the TLS connection is still open?
    >>
    >> Thanks,
    >> Jon
    > 
    > ---------------------------------------------------------------------
    > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
    > For additional commands, e-mail: users-h...@tomcat.apache.org
    > 
    
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
    For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to