From: Rob McCool 
Newsgroups: netscape.devs-nsapi,netscape.devs-server-technical
Subject: Re: Forcing server to ask client for certificate?
Date: Tue, 14 Jan 1997 19:35:13 -0800

Under NT, there is currently no way to do this. Under UNIX, you can use 
the undocumented/unsupported call

SSL_InvalidateSession(sn->csd)

in a PathCheck function which executes before get-client-cert. This 
should cause the server to ask for another certificate.


> Is there a known way to force the server to ask the client for
>   certificates, other than on the initial SSL3 handshake?  Seems
>   that get-client-cert with "dorequest=1" does not force this since
>   a client certificate is already available in the SSL3 session.
>   In essence, what I am looking for is a way to re-initiate the
>   SSL3 handshake process (including client certificate presentation)
>   without having to restart the server process.
> 
>   Scenario:
>     - Application running on a web server that uses client certificates
>       for authorization/authentication.
>     - Web application has interface for both application users and
>       application administrators.
>     - client/browser does not have a default certificate selected,
>       but rather has option set to "ask every time".
>     - client/browser has two certificates:
>          - one certificate that it uses to be a user of the web
>            application.
>          - one certificate that it uses to be an administrator of
>            the web application.
>     - client initially connects up as an application user, by presenting
>       the appropriate certificate.
>     - later the client would like to connect up to the application as
>       an application administrator.
> 
>   The last piece of the scenario requires the client to present a
>   different certificate than it originally presented to the web
>   server/application.  This would require the server to ask for it
>   again.
> 
>   Anyone done this successfully?  Any clues?
> 
>   The source behind "get-client-cert" might be useful.
> 
> --
> _*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_
> 
> David F. Cerrone                        david.cerrone@crd.ge.com
> Computer Scientist                      (518) 387-5529
> GECRD Information Technology Lab
> 
> _*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_

--
Rob McCool, robm@netscape.com http://home.netscape.com/people/robm/
Stunt Programmer, Netscape Communications Corporation
It was working ten minutes ago, I swear...
Reproduced by permission of the author.
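Worked example (added here; not code from the thread or from Netscape): a PathCheck SAF built along the lines Rob describes, placed ahead of get-client-cert in obj.conf so that a request into a privileged area invalidates the SSL session and the following get-client-cert step asks the browser for a certificate again. Everything NSAPI-specific is an assumption: the header name nsapi.h, the SAF signature int fn(pblock *, Session *, Request *), sn->csd as the client socket descriptor, the int return of the undocumented SSL_InvalidateSession, the obj.conf lines in the comment, and the HAVE_NSAPI build flag. The list of privileged prefixes is constructed for the example. The decision function compiles and runs on its own; the SAF body is only compiled when the server SDK headers are present.

```c
/*
 * force-recert: a PathCheck SAF that makes the server ask for a client
 * certificate again when the request enters a privileged area.
 *
 * Assumed obj.conf placement (must run before get-client-cert):
 *   PathCheck fn="force-recert"
 *   PathCheck fn="get-client-cert" dorequest="1" require="1"
 */
#include <stdio.h>
#include <string.h>

#ifdef HAVE_NSAPI                    /* assumed build flag for a real server build */
#include "nsapi.h"                   /* assumed header name from the server SDK */
/* Assumption: the undocumented call named in the post, declared here because
 * the public headers do not expose it; 0 is taken to mean success. */
extern int SSL_InvalidateSession(SYS_NETFD fd);
#endif

/* URI prefixes that must always be entered with a freshly presented
 * certificate. Constructed for this example; a deployment would normally
 * read them from the SAF's pblock parameters instead of hard-coding. */
static const char *const RECERT_PREFIXES[] = { "/admin", "/ops", NULL };

/* Returns 1 when uri is exactly a privileged prefix or lies beneath one
 * (prefix followed by '/' or '?'), so "/administrivia" does not match
 * "/admin". NULL is treated as "no match". */
int recert_required(const char *uri)
{
    if (uri == NULL)
        return 0;
    for (const char *const *p = RECERT_PREFIXES; *p != NULL; ++p) {
        size_t n = strlen(*p);
        if (strncmp(uri, *p, n) == 0 &&
            (uri[n] == '\0' || uri[n] == '/' || uri[n] == '?'))
            return 1;
    }
    return 0;
}

#ifdef HAVE_NSAPI
/* The SAF itself. Invalidating the session here means the next
 * get-client-cert (with dorequest=1) cannot reuse the certificate cached
 * in the SSL session and has to request one from the browser again. */
NSAPI_PUBLIC int force_recert(pblock *pb, Session *sn, Request *rq)
{
    const char *uri = pblock_findval("uri", rq->reqpb);

    if (!recert_required(uri))
        return REQ_NOACTION;         /* ordinary area: keep the current session */

    if (SSL_InvalidateSession(sn->csd) != 0) {
        /* Fail closed: do not serve privileged content on the old session. */
        log_error(LOG_WARN, "force-recert", sn, rq,
                  "could not invalidate SSL session for %s", uri);
        return REQ_ABORTED;
    }
    return REQ_PROCEED;
}
#endif

/* Stand-alone demonstration of the decision logic with constructed URIs. */
int main(void)
{
    const char *samples[] = { "/admin", "/admin/users?id=7", "/administrivia",
                              "/ops/restart", "/user/home", NULL };
    for (const char **s = samples; *s != NULL; ++s)
        printf("%-20s -> %s\n", *s,
               recert_required(*s) ? "force new cert" : "keep session");
    return 0;
}
```

The SAF deliberately returns REQ_ABORTED when the invalidation call fails: the point of the step is that privileged content is never served under the certificate negotiated for the user role, so a failure to reset the session should deny the request rather than fall through to get-client-cert with the old certificate still cached.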