On 12/07/2019 19:07, Wilmoth, Jon wrote:
> Thanks for the very quick response!  Out of curiosity is this ensured by some 
> sort of caching in the Tomcat server after the TLS handshake?  Or is it 
> expected that the client would send the certificate with each post handshake 
> request.  I ask as I'm seeing intermittent requests that do not have a 
> "javax.servlet.request.X509Certificate" attribute value populated.  This also 
> differs by browser (e.g. more frequently on MacOS Chrome 75.0.3770.100, not 
> on MacOS Safari 12.1.1).

It depends.

Without session tickets, the client has to provide the cert and the full
chain in the handshake. With OpenSSL session tickets the server caches
the client cert but not the full chain.

The above is only as accurate as of the last time I dug into this. There
are lots of variables, JRE version, JSSE vs OpenSSL, OpenSSL version,
client etc. and some may have changed since my last test.

Mark
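An added illustration of the behaviour Mark describes, not code from the thread or from Tomcat: a servlet filter that reads the `javax.servlet.request.X509Certificate` attribute on every request, remembers how many certificates the container exposed the first time a given TLS session (identified by the spec-defined `javax.servlet.request.ssl_session_id` attribute) was seen, and logs when a later request on that session carries fewer, which is the "leaf only after ticket resumption" case, or none at all, which is what the intermittent missing attribute looks like. The class name, the `/secure/*` pattern, the `client.cert.leaf` attribute and the choice to reject requests without a certificate are assumptions for the example; the page does not say whether a resumed-ticket session reports the same `ssl_session_id` as the original connection, so the per-session comparison assumes it does.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical diagnostic filter (not part of Tomcat). Records, per TLS session,
 * how many certificates the container exposed on the first request, so that a
 * later request on the same session arriving with no certificate, or with only
 * the leaf, is logged instead of failing silently further down the stack.
 * Targets Tomcat 9 (javax.servlet namespace) as used in the thread.
 */
@WebFilter(urlPatterns = "/secure/*")
public class ClientCertDiagnosticFilter implements Filter {

    private static final Logger LOG =
            Logger.getLogger(ClientCertDiagnosticFilter.class.getName());

    // Attribute names defined by the Servlet specification.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    static final String SESSION_ID_ATTR = "javax.servlet.request.ssl_session_id";

    // TLS session id -> chain length exposed on the first request of that session.
    // Unbounded for illustration only; a real deployment would bound or expire it.
    private final Map<String, Integer> chainLengthBySession = new ConcurrentHashMap<>();

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        Object raw = req.getAttribute(CERT_ATTR);
        X509Certificate[] certs =
                (raw instanceof X509Certificate[]) ? (X509Certificate[]) raw : null;
        int length = certs == null ? 0 : certs.length;

        Object sid = req.getAttribute(SESSION_ID_ATTR);
        String sessionId = sid == null ? "<no-session-id>" : sid.toString();

        // putIfAbsent returns null only for the first request seen on this session.
        Integer first = chainLengthBySession.putIfAbsent(sessionId, length);
        if (first == null) {
            LOG.info(() -> "TLS session " + sessionId
                    + ": first request exposed " + length + " cert(s)");
        } else if (length < first) {
            // Fewer certs than the initial request: either the attribute is missing
            // entirely, or only the leaf survived a session-ticket resumption.
            LOG.warning(() -> "TLS session " + sessionId + ": request exposed " + length
                    + " cert(s), first request exposed " + first
                    + " (attribute missing, or leaf without chain after resumption)");
        }

        if (certs == null || certs.length == 0) {
            // With clientAuth="want" the container admits clients that sent no
            // certificate, so the application must enforce it for paths that need one.
            ((HttpServletResponse) res).sendError(
                    HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }

        // certs[0] is the end-entity certificate; anything after it is whatever
        // chain the container had available for this request (possibly nothing).
        X509Certificate leaf = certs[0];
        LOG.fine(() -> "client subject=" + leaf.getSubjectX500Principal()
                + " issuer=" + leaf.getIssuerX500Principal()
                + " chainLength=" + length);
        req.setAttribute("client.cert.leaf", leaf); // hypothetical attribute for downstream code
        chain.doFilter(req, res);
    }
}
```

Because the chain past the leaf cannot be relied on for resumed sessions, any authorization decision downstream should be based on the leaf certificate and the server-side trust store (which the container already used to accept it), not on the number of certificates in the array.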


> On 7/12/19, 2:00 AM, "Mark Thomas" <ma...@apache.org> wrote:
> 
>     On 12/07/2019 08:22, Martynas Jusevičius wrote:
>     > In my experience with 8.x -- on all requests.
>     
>     The above is correct for JSSE based TLS connections. It also applies to
>     most OpenSSL based connections.
>     
>     There is one edge case that can cause problems. If:
>     
>     - OpenSSL based TLS connections are used;
>     - TLS session tickets are enabled; and
>     - the session has been resumed via a ticket; then
>     
>     the client certificate will be available but the full client certificate
>     chain will not. The full chain will only be available in the initial
>     connection.
>     
>     Mark
>     
>     > 
>     > On Fri, Jul 12, 2019 at 3:06 AM Wilmoth, Jon
>     > <jon.d.wilm...@nordstrom.com> wrote:
>     >>
>     >> I was hoping to get some clarification on when to expect client x509
>     >> certs in http requests where the Tomcat server (v9.x) has been configured to
>     >> “want” or “need” client auth.
>     >> https://javaee.github.io/servlet-spec/downloads/servlet-4.0/servlet-4_0_FINAL.pdf
>     >> says:
>     >>
>     >> “If there is an SSL certificate associated with the request, it must
>     >> be exposed by the servlet container to the servlet programmer as an array of
>     >> objects of type java.security.cert.X509Certificate and accessible via a
>     >> ServletRequest attribute of javax.servlet.request.X509Certificate.”
>     >>
>     >> Is this only for the request that initiated the TLS handshake?  Or
>     >> does this mean it will be present on all requests (i.e. requests on a
>     >> keep-alive connection after the initial handshake) while the TLS connection
>     >> is still open?
>     >>
>     >> Thanks,
>     >> Jon
>     > 
>     > 
>     
>     
>     
> 
> 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
