[Mod_nss-list] hello, and problem 1

Jennings, Jared L CTR USAF AFMC 46 SK/CCI jared.jennings.ctr at eglin.af.mil
Mon May 9 21:54:28 UTC 2011


> I'm not any surer whether a certificate is presented or not
> than before writing this email

After some funny stares at the code, I've realized that the
sslconn->client_cert is set only in one place: the nss_AuthCertificate
callback, used when a client certificate needs to be authenticated. It's
set to the SSL_PeerCertificate of the socket.

I previously added a log message in nss_hook_ReadReq, warning when
sslconn->client_cert is null. When I checked there for whether
SSL_PeerCertificate(ssl) exists, I found that it does, as far as I've
tested. When I set sslconn->client_cert to that value, now I have an
sslconn->client_cert, and the FakeBasicAuth proceeds properly.

Is there some legitimate means by which a recently seen client
certificate is not re-authenticated? If there is no such means,
something screwy is going on, because the AuthCertificate callback is
not being called in subsequent connections with the same certificate. If
there is such a means, it would appear that all that's needed is for
somewhere else in the code besides the AuthCertificate callback to set
the client_cert.
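The behaviour described in this message, modelled as an added example that is not part of the original post and is not NSS or mod_nss code. It assumes the callback is skipped because the later connection resumes a cached TLS session; every type and function name in it (`cert_t`, `session_t`, `conn_t`, `auth_certificate`, `handshake`, `peer_certificate`, `read_request`) is a hypothetical stand-in.

```c
#include <stddef.h>

/* Constructed model, not NSS or mod_nss code. Every type and function here
 * is a hypothetical stand-in for the behaviour discussed in the message. */
typedef struct { const char *subject; } cert_t;
typedef struct { const cert_t *peer_cert; } session_t;  /* cached TLS session */
typedef struct {
    session_t *session;
    const cert_t *client_cert;  /* plays the role of sslconn->client_cert */
    int auth_calls;             /* how often the auth callback ran */
} conn_t;

/* Stand-in for the auth callback, the only place that sets client_cert. */
static void auth_certificate(conn_t *c, const cert_t *presented) {
    c->auth_calls++;
    c->client_cert = presented;
}

/* Assumption: a handshake that resumes a cached session carries no
 * certificate message, so the authentication callback is not invoked. */
static void handshake(conn_t *c, session_t *s, const cert_t *presented) {
    *c = (conn_t){ s, NULL, 0 };
    if (s->peer_cert == NULL && presented != NULL) {  /* full handshake */
        auth_certificate(c, presented);
        s->peer_cert = presented;  /* session keeps the authenticated cert */
    }
}

/* Stand-in for SSL_PeerCertificate: answered from the session state. */
static const cert_t *peer_certificate(const conn_t *c) {
    return c->session ? c->session->peer_cert : NULL;
}

/* Request-time fallback from the message; returns 1 if a cert is available. */
static int read_request(conn_t *c) {
    if (c->client_cert == NULL)
        c->client_cert = peer_certificate(c);
    return c->client_cert != NULL;
}

int main(void) {
    cert_t alice = { "CN=alice (constructed)" };
    session_t s = { NULL };
    conn_t first, second;
    handshake(&first, &s, &alice);  /* full handshake: callback runs */
    handshake(&second, &s, NULL);   /* resumed: callback skipped */
    return read_request(&second) ? 0 : 1;
}
```

Under that assumption, the certificate recovered by the fallback was authenticated when the session was first established, so any check meant to apply on every connection has to be made at the fallback point as well.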



