[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[iaik-ssl] Restart SSL session to force client side authentication?



Hi All,
I am using iSaSiLk to implement an SSL proxy server to talk to standard web browsers (IE, Netscape).
The clients should be able to connect to the proxy without client-authentication being required,
but I want the server to be able to restart the ssl connection at at a later stage to force client side authentication.

The relevant server code is something like this;

// first create the server socket without client-side authentication
SSLServerSocket serverSock = new SSLServerSocket();
SSLServerSocket.setNeedClientAuth(false);

// now get a connection from a client
Socket clientSocket = SSLServerSocket.accept();

// ...do some processing...
// ...later, decide we now want client authentication on that client socket

// Invalidate the current session
clientSocket.getSession().invalidate();
// Set client authentication on the socket:
clientSocket.setNeedClientAuth(true);
//Force the client to re-authenticate:
clientSocket.startHandshake()

However, this does not seem to be working as well as expected.
Firstly, the invalidate() call does not seem to take effect immediately-
the client is still able to communicate on the old ssl session (e.g reload
a page a couple of times) before being asked to present the client cert.
Sometimes, the client is not asked for the cert at all,and can continue using the
old session.
Also, sometimes, if I restart the browser, and (presumably) create a completely
new ssl session to the server, the client is asked to present a cert, as if
setNeedClientAuth(true) had been called on the serverSocket!

Has anybody any experience of this type of usage of the api?
Am I using the api incorrectly, or can there be problems with the
way in which the browsers handle restarting connections in this way?
(I have tested with both Netscape and IE and get largely similar results)

Any help greatly appreciated.

Paul Igoe