51408 - Stan: NES/SSL should remember that client refused to authenticate

Status: ASSIGNED

Description

[Nelson Bolyard (seldom reads bugmail)]

This was originally bugsplat bug 326792

If you have an SSL server configured with access control that 
requests, but does not require, client authentication, and the 
client actually does authenticate, then the client's cert is kept
in the the cache of client certs used by the server, and the user
is not requested to re-authenticate with each new connection.

But if the user does NOT authenticate, then the user will be asked
to authenticate again with each new request to the server.

We need a way to discern between 
"We haven't asked the user to authenticate before" and
"We asked the client to authenticate, and it refused." 
and make this info available to the app that's using the ssl lib.
The app should make the do/don't decisions based on that info
because it's policy info.

------- Additional Comments From robm  10/01/98 15:08 ------- 

This sounds like a good enhancement to me. When you get to it, let 
me know which NSS calls are affected, and I'll see about using them

Comment 1

[Nelson Bolyard (seldom reads bugmail)]

Reassigning to myself

Comment 2

[Nelson Bolyard (seldom reads bugmail)]

Change target fix version for all "stan" RFEs to "Future".

Comment 3

[Thomas]

Hey Nelson, need any help with this one?

Comment 4

[Nelson Bolyard (seldom reads bugmail)]

Thomas, You're welcome to try to help with this.  
Before you do too much with it, first read bug 135261 to see how the 
problem has changed since this bug was filed.  
Then I suggest you propose a solution here (before doing much coding),
and if the design idea seems good, then proceed with a code contribution.  
An enhancement in this area might be taken in NSS 3.11 or 3.12.  

Comment 5

[Nelson Bolyard (seldom reads bugmail)]

I think this was implemented, and is enabled by the choice of a particular
setting for the "required" flag.  I need to double-check.