I have a web server that is configured to request a client certificate for SSL. If the client has an acceptable certificate they will see the actual content, but in case do not, I fall back to SSL without client authentication and show an error page that informs them to connect their security token and try again.
The problem is, even when they connect their token, the browser will not renegotiate a new SSL session because it thinks that the current session is fine. So I need a way to invalidate the current SSL session.
I tried to do it on the server, which is a Tomcat 6:
response.setHeader("Connection", "close"); // open new socket next time
response.flushBuffer();
Object sslSessionMgr = request.getAttribute("javax.servlet.request.ssl_session_mgr");
if (sslSessionMgr != null) {
try {
Method invalidateSession =
Class.forName("org.apache.tomcat.util.net.SSLSessionManager").getMethod("invalidateSession");
invalidateSession.setAccessible(true);
invalidateSession.invoke(sslSessionMgr);
} catch (Exception e) {/*ignore*/}
}
But it turns out that sslSessionMgr is always null and I wonder what am I doing wrong here.
On the client of course there is not universal solution, but fortunately window.crypto.logout() does the trick for FireFox. I read somewhere that the equivalent for IE would be document.execCommand("ClearAuthenticationCache") or maybe some ActiveX control? In any case I cannot seem to do it for IE or Chrome.
So what can I do here? Can I fix any of these solutions, or is there any other one?
Unfortunately, this is not supported in Chrome yet, as discussed in this issue.
As far as I know, the javax.servlet.request.ssl_session_mgr trick is only available from Apache Tomcat 7.
来源:https://stackoverflow.com/questions/10229027/how-to-trigger-ssl-rehandshake-on-a-web-browser