The relevant server code is something like this;
// first create the server socket without client-side authentication
SSLServerSocket serverSock = new SSLServerSocket();
// now get a connection from a client
Socket clientSocket = SSLServerSocket.accept();
// ...do some processing...
// ...later, decide we now want client authentication on that client socket
// Invalidate the current session
// Set client authentication on the socket:
//Force the client to re-authenticate:
However, this does not seem to be working as well as expected.
Firstly, the invalidate() call does not seem to take effect immediately-
the client is still able to communicate on the old ssl session (e.g reload
a page a couple of times) before being asked to present the client cert.
Sometimes, the client is not asked for the cert at all,and can continue using the
Also, sometimes, if I restart the browser, and (presumably) create a completely
new ssl session to the server, the client is asked to present a cert, as if
setNeedClientAuth(true) had been called on the serverSocket!
Has anybody any experience of this type of usage of the api?
Am I using the api incorrectly, or can there be problems with the
way in which the browsers handle restarting connections in this way?
(I have tested with both Netscape and IE and get largely similar results)
Any help greatly appreciated.