Anders Rundgren wrote:
> on the URL http://demo.webpki.org/mozkeygen
> you can get yourself a certificate by clicking a single button.
> 
> What is a bit hard to understand is why the test-service at
> https://www.apache-ssl.org/cgi/cert-export
> often (but not always!) asks the user multiple times to OK the
> certificate selection dialog.  

That behavior means that the server has not implemented, or has disabled,
SSL/TLS session caching.  Consequently, it is requesting client
authentication on every connection, rather than using cached authentication
credentials for a period of time after the first successful client 
authentication.

I suspect that the demo server has been intentionally configured to not
cache client auth credentials, to facilitate testing of client auth requests.
But, IMO, a typical and reasonable server would be configured to use
session caching, for several reasons, not the least of which is the
tremendous savings in server handshake computational overhead that is
saved by using a cache.  That savings translates directly to a higher
transaction rate.

> In IE I get a consistent one invocation with similar certificates.

As I recall, IE has logic that remembers that you've authenticated to a
server, and if that server re-requests client authentication, IE silently
does that authentication without asking the user a second time.

That might be a useful RFE for PSM in Mozilla.

Mozilla clients can be configured to always silently authenticate, but
that is not (any longer) the default setting.

> I note a difference in TLS parameters for IE and FF.
> 
> Is this maybe related to some negotiation issues?  Is the server
> wrongly configured or is FireFox handling this incorrectly?  I
> haven't touched any settings in FireFox.
> 
> Anders



_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
