On 24/02/2010 15:03, Christopher Schultz wrote:
> So, setting <auth-method> to CLIENT-CERT triggers an SSL renegotiation. What if the <Connector> is set to clientAuth="want" or clientAuth="true"? Will the initial SSL negotiation carry the client certificate and therefore avoid CVE-2009-355?
Yes. But test carefully as there is a wide variety in client behaviour. I've heard reports of some mobile clients renegotiating every few requests. A real case of YMMV.
Mark
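The two settings discussed in this thread, shown side by side as an added configuration sketch that is not part of the original messages. Port, file paths and passwords are placeholders, and the attribute set assumes the JSSE connector of that Tomcat generation.

```xml
<!-- server.xml (fragment): the client certificate is asked for during the
     INITIAL handshake, so no later renegotiation is needed to obtain it.
       clientAuth="true"  -> certificate required, handshake fails without one
       clientAuth="want"  -> certificate requested, connection allowed without one
       clientAuth="false" -> no certificate requested in the initial handshake -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="/path/to/server-keystore.jks"
           keystorePass="CHANGE_ME"
           truststoreFile="/path/to/client-ca-truststore.jks"
           truststorePass="CHANGE_ME" />

<!-- web.xml (fragment): certificate-based login for a protected area.
     With clientAuth="false" on the connector, this is the setting that makes
     Tomcat renegotiate to obtain the certificate when the protected resource
     is first requested. With clientAuth="true" or "want", the certificate
     from the initial handshake is already available. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>protected</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>certuser</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
  <role-name>certuser</role-name>
</security-role>
```

The connector setting applies to every request on that port, so clientAuth="true" turns away clients without a certificate even for unprotected URLs.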