On 10/05/2009 05:40 AM, Eddy Nigg:

   If the browser has no cert to send, it sends an "I have no cert" message.

And what exactly do you expect the server should return in that case? Probably that you can't authenticate without a certificate...it's about as lame....

   It's entirely up to the server to decide what to do then. Many servers send back an alert and drop the connection, but SWS will happily complete the handshake anyway and send back a nice error page.

I would consider this a bug if it completes the handshake. On what exactly are they agreeing? On what are they exchanging hands exactly? NUL?

To reiterate that the above is a bug, just authenticate once against such a buggy server. If you got the "Remember this decision" flag on (which is the default), then you'll be bitten badly...because if the handshake supposedly succeeds and a valid session is established, you will have to restart the browser in order to try it again...

So the server sent a nice error page as you say, most browsers including Firefox and Explorer will have to be completely restarted in order to authenticate again. Or the server's session is set to a very short time like 10 seconds, which has other drawbacks perhaps.

--
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:    start...@startcom.org
Blog:    http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
