Kevin,

On 2/23/2010 6:07 PM, Kevin Mills wrote:
> On 2/19/10, Christopher Schultz <[email protected]> wrote:
>> So, with clientAuth="false", how do you get a client certificate to use
>> for authentication? Or, does the presence of the CLIENT-CERT in web.xml
>> trigger an SSL-renegotiation where the client cert /is/ requested from
>> the client.
>
> The presence of CLIENT-CERT:
>
> <login-config>
>   <auth-method>CLIENT-CERT</auth-method>
> </login-config>
>
> in web.xml triggers the renegotiation and the client cert is requested
> from the client. As Mark pointed out, this exposes the TLS bug
> CVE-2009-355 so be warned!

So, setting <auth-method> to CLIENT-CERT triggers an SSL renegotiation.

What if the <Connector> is set to clientAuth="want" or clientAuth="true"? Will the initial SSL negotiation carry the client certificate and therefore avoid CVE-2009-355?

Thanks,
-chris
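An added configuration example, not part of this thread, that places the two Tomcat settings under discussion side by side. Keystore paths, passwords, port and URL pattern are placeholders; the behaviour stated in the comments is my understanding of how a Tomcat 6-era JSSE connector handles clientAuth together with the CLIENT-CERT authenticator.

```xml
<!-- server.xml: pick ONE of the two connectors below (same port shown only
     for comparison). Keystore/truststore paths and passwords are placeholders. -->

<!-- Weak: clientAuth="false" never asks for a certificate in the initial
     handshake. The first request to a CLIENT-CERT protected resource forces
     Tomcat to renegotiate the TLS session to obtain one, which is the
     renegotiation path the thread warns about. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="/path/to/keystore.jks" keystorePass="changeit"
           truststoreFile="/path/to/truststore.jks" truststorePass="changeit"
           clientAuth="false" />

<!-- Preferred: clientAuth="want" requests the certificate during the initial
     handshake, so the authenticator finds the chain already attached to the
     request and does not renegotiate. clientAuth="true" goes further and
     rejects at the TLS layer any client that presents no certificate.
     Caveat for "want": a client that declines to send a certificate still
     reaches the renegotiation fallback when it hits a CLIENT-CERT resource. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="/path/to/keystore.jks" keystorePass="changeit"
           truststoreFile="/path/to/truststore.jks" truststorePass="changeit"
           clientAuth="want" />

<!-- web.xml: identical in both cases. The realm must still map the
     certificate's subject DN to the "user" role (realm config not shown). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
```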
