On 2/19/10, Christopher Schultz <[email protected]> wrote:
> So, with clientAuth="false", how do you get a client certificate to use
> for authentication? Or, does the presence of the CLIENT-CERT in web.xml
> trigger an SSL-renegotiation where the client cert /is/ requested from
> the client?
The presence of CLIENT-CERT:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>
in web.xml triggers the renegotiation and the client cert is requested
from the client. As Mark pointed out, this exposes the TLS bug
CVE-2009-355 so be warned!
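
An added example, not part of the original message or of Tomcat itself: a small audit that flags the combination discussed above, CLIENT-CERT in web.xml served by an SSL connector whose clientAuth is "false" or unset, which is the case where the certificate is requested by renegotiation. The function names and the sample XML are constructed for illustration; SSL connectors are assumed to be identifiable by SSLEnabled="true" or scheme="https".

```python
import xml.etree.ElementTree as ET

# Constructed sample files (not taken from the thread).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""

SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" SSLEnabled="true" scheme="https" clientAuth="false"/>
  <Connector port="9443" SSLEnabled="true" scheme="https" clientAuth="true"/>
</Service></Server>"""


def local_name(tag):
    """Strip an XML namespace such as '{http://...}auth-method'."""
    return tag.rsplit("}", 1)[-1]


def uses_client_cert(web_xml):
    """True if web.xml declares <auth-method>CLIENT-CERT</auth-method>."""
    root = ET.fromstring(web_xml)
    return any(
        local_name(el.tag) == "auth-method"
        and (el.text or "").strip() == "CLIENT-CERT"
        for el in root.iter()
    )


def connectors_without_handshake_cert(server_xml):
    """Ports of SSL connectors that do not ask for a client certificate in
    the initial handshake (clientAuth "false" or absent). "true" and "want"
    request it during the initial handshake and are not listed."""
    ports = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        is_ssl = (conn.get("SSLEnabled", "false").lower() == "true"
                  or conn.get("scheme") == "https")
        if is_ssl and conn.get("clientAuth", "false").lower() == "false":
            ports.append(conn.get("port"))
    return ports


def audit(web_xml, server_xml):
    """Ports where CLIENT-CERT authentication would rely on renegotiation."""
    if not uses_client_cert(web_xml):
        return []
    return connectors_without_handshake_cert(server_xml)


if __name__ == "__main__":
    for port in audit(WEB_XML, SERVER_XML):
        print(f"port {port}: CLIENT-CERT with clientAuth=false, "
              "certificate is requested via renegotiation")
```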