This was originally bugsplat bug 326792.
If you have an SSL server configured with access control that requests, but does not require, client authentication, and the client actually does authenticate, then the client's cert is kept in the cache of client certs used by the server, and the user is not requested to re-authenticate with each new connection. But if the user does NOT authenticate, then the user will be asked to authenticate again with each new request to the server.
We need a way to discern between "We haven't asked the user to authenticate before" and "We asked the client to authenticate, and it refused." and make this info available to the app that's using the ssl lib. The app should make the do/don't decisions based on that info because it's policy info.
------- Additional Comments From robm 10/01/98 15:08 -------
This sounds like a good enhancement to me. When you get to it, let me know which NSS calls are affected, and I'll see about using them.
Reassigning to myself
Change target fix version for all "stan" RFEs to "Future".
Hey Nelson, need any help with this one?
Thomas, You're welcome to try to help with this. Before you do too much with it, first read bug 135261 to see how the problem has changed since this bug was filed. Then I suggest you propose a solution here (before doing much coding), and if the design idea seems good, then proceed with a code contribution. An enhancement in this area might be taken in NSS 3.11 or 3.12.
I think this was implemented, and is enabled by the choice of a particular setting for the "required" flag. I need to double-check.