Open Bug 51408 Opened 25 years ago Updated 3 years ago

Stan: NES/SSL should remember that client refused to authenticate

Categories

(NSS :: Libraries, enhancement, P3)

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: nelson, Unassigned)

Details

This was originally bugsplat bug 326792.

If you have an SSL server configured with access control that requests, but does not require, client authentication, and the client actually does authenticate, then the client's cert is kept in the cache of client certs used by the server, and the user is not requested to re-authenticate with each new connection. But if the user does NOT authenticate, then the user will be asked to authenticate again with each new request to the server.

We need a way to discern between "We haven't asked the user to authenticate before" and "We asked the client to authenticate, and it refused." and make this info available to the app that's using the ssl lib. The app should make the do/don't decisions based on that info because it's policy info.

------- Additional Comments From robm 10/01/98 15:08 -------

This sounds like a good enhancement to me. When you get to it, let me know which NSS calls are affected, and I'll see about using them.
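
The distinction the report asks for, as an added example that is not part of the bug's comments and is not NSS code: a server-side session-cache entry records one of three client-auth states, and the application, not the library, decides whether to request a certificate again. All type and function names here are hypothetical.

```c
#include <string.h>

/* Hypothetical names throughout; none of this is NSS API. */
typedef enum {
    AUTH_NOT_ASKED = 0, /* no certificate request made for this session yet */
    AUTH_REFUSED,       /* asked; client finished the handshake without a cert */
    AUTH_PRESENTED      /* asked; client cert is cached with the session */
} client_auth_state;

#define SID_LEN 32
#define CACHE_SLOTS 64

typedef struct {
    unsigned char sid[SID_LEN];
    int in_use;
    client_auth_state state;
} sid_entry;

static sid_entry cache[CACHE_SLOTS];

static sid_entry *lookup(const unsigned char *sid, int create) {
    sid_entry *free_slot = NULL;
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (cache[i].in_use && memcmp(cache[i].sid, sid, SID_LEN) == 0)
            return &cache[i];
        if (!cache[i].in_use && !free_slot) free_slot = &cache[i];
    }
    if (!create || !free_slot) return NULL;
    memcpy(free_slot->sid, sid, SID_LEN);
    free_slot->in_use = 1;
    free_slot->state = AUTH_NOT_ASKED;
    return free_slot;
}

/* Library side: record the outcome of a handshake that requested a cert.
 * If the cache is full nothing is stored, so the client is simply asked again. */
void record_auth_result(const unsigned char *sid, int client_sent_cert) {
    sid_entry *e = lookup(sid, 1);
    if (e) e->state = client_sent_cert ? AUTH_PRESENTED : AUTH_REFUSED;
}

/* Library side: expose the state; unknown sessions report AUTH_NOT_ASKED. */
client_auth_state query_auth_state(const unsigned char *sid) {
    sid_entry *e = lookup(sid, 0);
    return e ? e->state : AUTH_NOT_ASKED;
}

/* Application policy: a remembered refusal only suppresses re-prompting for
 * optional auth; a resource that requires a cert still triggers a request. */
int should_request_cert(const unsigned char *sid, int resource_requires_cert) {
    client_auth_state s = query_auth_state(sid);
    if (s == AUTH_PRESENTED) return 0;
    return (s == AUTH_REFUSED) ? resource_requires_cert : 1;
}
```

A remembered refusal never grants access in this model; it only tells the application that prompting again is pointless unless the requested resource requires a certificate.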
Reassigning to myself
Assignee: wtc → nelsonb
Status: NEW → ASSIGNED
Change target fix version for all "stan" RFEs to "Future".
Target Milestone: --- → Future
Hey Nelson, need any help with this one?
Thomas, You're welcome to try to help with this. Before you do too much with it, first read bug 135261 to see how the problem has changed since this bug was filed. Then I suggest you propose a solution here (before doing much coding), and if the design idea seems good, then proceed with a code contribution. An enhancement in this area might be taken in NSS 3.11 or 3.12.
I think this was implemented, and is enabled by the choice of a particular setting for the "required" flag. I need to double-check.
Target Milestone: Future → ---
QA Contact: wtchang → libraries
Assignee: nelson → nobody

Any update? The current behavior is very annoying. I'm asked about a certificate every time I open https://tracker.debian.org

Severity: normal → S3