tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From i_am <>
Subject RE: Force getting Client Cert from browser
Date Tue, 28 Apr 2009 22:03:45 GMT

Thanks Charles.
Ok getting back to it after a looong break...

I looked at the ssl traces and looks like client is sending server an Alert
(21) Warning (close notify) but,
server (tomcat) seems to ignore it!
Is there a way (config) to force tomcat to renegotiate ?
I even tried to invoke Tomcat action code ACTION_REQ_SSL_CERTIFICATE which,
I thought should force renegotiation but still does not.
I still see the same behavior where Tomcat just uses cached certificate!!!

Versions : Tomcat 5.5.27 with Java 1.6.0_11 on SLES10.

Any help is appreciated...


Caldarale, Charles R wrote:
>> From: atul []
>> Subject: Re: Force getting Client Cert from browser
>> I tried invalidating httpsession but that didnt work.
> I'm a bit surprised at that, but I haven't gone through the code enough to
> figure out why that didn't work.  There's a tangentially related thread
> here:
>> Also, in a deployment where if a machine is shared by
>> multiple users and user1 forgets to close the browser before
>> leaving, the user can log right in as user1.
> A problem in any environment that has shared access points, not unique to
> using certificates for client authentication.
>  - Chuck
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete the e-mail
> and its attachments from all computers.
> ---------------------------------------------------------------------
> To start a new topic, e-mail:
> To unsubscribe, e-mail:
> For additional commands, e-mail:

View this message in context:
Sent from the Tomcat - User mailing list archive at

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message