tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [EXTERNAL] Using CLIENT-CERT
Date Wed, 11 Apr 2018 13:16:27 GMT
Mark and Amit,

On 4/10/18 2:21 AM, Mark Thomas wrote:
> On 9 April 2018 23:29:43 BST, Amit Pande <Amit.Pande@veritas.com> wrote:
>> Some more debugging here and I got some stuff working here.
>>
>> Only one question:
>>
>> It is not really clear from the documentation of "clientAuth"
>>
>> "Set to true if you want the SSL stack to require a valid certificate
>> chain from the client before accepting a connection. Set to want if you
>> want the SSL stack to request a client Certificate, but not fail if one
>> isn't presented. A false value (which is the default) will not require
>> a certificate chain unless the client requests a resource protected by
>> a security constraint that uses CLIENT-CERT authentication. See the SSL
>> HowTo for an example. That SSL HowTo also contains tips on using
>> per-user or per-session certificate-based clientAuth."
>>
>> So, if I am using a clientAuth="false" and relying on "CLIENT-CERT"
>> configuration, does that mean browsers won't prompt users to supply the
>> certificate when a protected resource is accessed?
> 
> In that scenario the browser will prompt the user for a certificate if
> everything is correctly configured.
>
> However, it is possible that the browser will determine that it has no
> matching certificates and therefore decide not to display the
> certificate prompt.

Also, sometimes browsers will "remember" your choice from a prior
interaction during the same browser session. So for example if you have
clientAuth="want" and you press "No/Cancel/[escape]/[close window]" the
browser may "remember" that you don't want to present a certificate.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

