From: Rob McCool
Newsgroups: netscape.devs-nsapi
Subject: Re: get-client-cert - need a DEFINITIVE explanation
Date: Wed, 27 Nov 1996 15:41:13 -0800

Hi, here is some information I got from someone who knows more about
these specific areas. Hope it helps.

--Rob

> 1) When I insert the following line into my obj.conf file (page
> 240 Unix Programmer's Guide):
>
> PathCheck fn="get-client-cert" dorequest="1"
>
> The server indicates that this function is "Unknown" when I select
> "View Server Settings" from the Admin Server interface. However, this
> function seems to work because the browser is prompted to present a
> certificate, and the auth-cert name value pair is created in the
> pblocks after the browser has presented a certificate.
>
> Why does the server say this function is Unknown????

It should be fixed for the 2.01 release (and probably in any recent
2.01 beta releases).

> 2) From a socket perspective what is really going on with the
> get-client-cert function? What is the interaction between the server
> and the browser??

The interaction is at the SSL protocol level, below HTTP. The
server sends an SSL message requesting a client certificate if
it does not already have one. The establishment of an SSL session
between the client and server involves creating a shared secret
between them. As long as both the client and the server maintain
the secret in their respective SSL session caches, a previous SSL
session can be "resumed" when a new HTTP/SSL/TCP connection is
established. The server retains the client certificate, if it
obtains one, as part of the SSL session state.

The SSL session lifetime on the server side is controlled by
variables in magnus.conf. SSL 2 session lifetime is controlled
by "SSLSessionTimeout", while SSL 3 session lifetime is controlled
by "SSL3SessionTimeout". The values are expressed in seconds,
with the defaults being 100 and 86400, respectively. These
can be hand-edited into magnus.conf. The SSL 2 setting, if
present, is displayed in the "View Server Settings" form. By setting
the lifetime to be shorter, you can cause the server to reprompt
for a client certificate, but you also incur the overhead of
establishing a new SSL session from scratch when this happens.

> 3) I notice that the server does not ask for the certificate on
> subsequent requests. Is this the Keep Alive functionality that I have
> heard about? Where can I find information on the Keep Alive
> functionality? Are there pblock name value pairs that I can check to
> determine if the same SSL session is being used for the subsequent
> requests?

In 2.01, there is a new AuthTrans function, "get-sslid", that will
put a base64 encoding of the SSL session id in the sn->client
pblock as "ssl-id". If "ssl-id" is present when a CGI is invoked,
the value will be passed to the CGI as the HTTPS_SESSIONID environment
variable (not yet for NT CGIs in the recent beta, but get-sslid is
there).

> I am having problems with the get-client-cert function on Solaris 2.0
> and NT. I need some definitive answers and information on the
> get-client-cert function. If possible, is the source code for this
> function available so that I can write my own function?

Looking at the source may be enlightening, but it calls functions
which are not in the public API, so it is not advisable (and in
some cases not possible) to try to rewrite it. We'll try to be
more responsive in providing information about how it works, though.
And we'll certainly try to provide the interfaces you need in
future releases of the server.

--
Rob McCool, robm@netscape.com http://home.netscape.com/people/robm/
Stunt Programmer, Netscape Communications Corporation
It was working ten minutes ago, I swear...
Reproduced by permission of the author.
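The session-resumption behaviour described in the answers to questions 2 and 3 above can be watched directly with an in-process TLS client and server. The Go program below is an added example; it is not code from the original post, from the NSAPI, or from Netscape. It generates a throwaway CA, a server certificate and a client certificate ("Demo CA", "127.0.0.1" and "alice" are made-up names), runs a loopback server that requires a client certificate on every connection (the analogue of putting get-client-cert with dorequest="1" on every object), and connects to it twice from a client whose ClientSessionCache stands in for the browser's SSL session cache. Modern Go negotiates TLS 1.3 and resumes with session tickets rather than the SSL 2/3 session-ID caches the post talks about, but the property the post relies on is the same: the second connection is resumed without a new certificate request, and the server still reports the client certificate because it was kept as part of the session state. The names must, makeCert, Visit and RunResumptionDemo are this example's own, and the "ok" payload is a constructed stand-in for an HTTP response. Nothing here corresponds to the magnus.conf SSLSessionTimeout knob; Go's server fixes its own ticket lifetime.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert issues a short-lived ECDSA P-256 certificate for the made-up name cn,
// self-signed when parent is nil and otherwise signed by parent.
func makeCert(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)},
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a CA is given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

type Visit struct {
	Resumed  bool   // session resumed from the cache: no new certificate request
	ClientCN string // client certificate the server holds for this connection
}

// RunResumptionDemo connects twice to an in-process server that requires a
// client certificate: a full handshake, then a resumption of the cached session.
func RunResumptionDemo() []Visit {
	ca := makeCert("Demo CA", true, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	// Server: demand a client certificate on every connection, the analogue of
	// PathCheck fn="get-client-cert" dorequest="1" applied to every object.
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{makeCert("127.0.0.1", false, &ca)},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
	}))
	defer ln.Close()
	const rounds = 2
	results := make(chan Visit, rounds)
	go func() {
		for i := 0; i < rounds; i++ {
			tc := must(ln.Accept()).(*tls.Conn)
			_ = tc.Handshake() // a failure here surfaces as a Dial error on the client side
			st := tc.ConnectionState()
			v := Visit{Resumed: st.DidResume}
			if len(st.PeerCertificates) > 0 {
				v.ClientCN = st.PeerCertificates[0].Subject.CommonName
			}
			results <- v
			tc.Write([]byte("ok\n")) // constructed stand-in for an HTTP response
			tc.Close()
		}
	}()
	// Client: ClientSessionCache stands in for the browser's SSL session cache.
	cfg := &tls.Config{
		Certificates:       []tls.Certificate{makeCert("alice", false, &ca)},
		RootCAs:            pool,
		ClientSessionCache: tls.NewLRUClientSessionCache(8),
	}
	var visits []Visit
	for i := 0; i < rounds; i++ {
		conn := must(tls.Dial("tcp", ln.Addr().String(), cfg))
		conn.Read(make([]byte, 8)) // reading lets the client store the server's session ticket
		conn.Close()
		visits = append(visits, <-results)
	}
	return visits
}

func main() {
	fmt.Println(RunResumptionDemo()) // [{false alice} {true alice}]
}
```

Run it with go run; it prints [{false alice} {true alice}]: the first connection is a full handshake in which the client presents its certificate, the second resumes the cached session and the server still holds the certificate without having asked for it again. A client that had dropped the session (a browser restarted, or a server whose session cache entry had timed out) would go through the first path again, which is the re-prompt and the extra handshake cost the post describes.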