On 2/19/10, Christopher Schultz <ch...@christopherschultz.net> wrote:
> So, with clientAuth="false", how do you get a client certificate to use
> for authentication? Or, does the presence of the CLIENT-CERT in web.xml
> trigger an SSL-renegotiation where the client cert /is/ requested from
> the client.

The presence of CLIENT-CERT:

    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
    </login-config>

in web.xml triggers the renegotiation and the client cert is requested from the client. As Mark pointed out, this exposes the TLS bug CVE-2009-355 so be warned!