Eddy Nigg wrote:
Trying the different sub domain trick doesn't work on the same server
but different host and IP. I assume that's because the server reuses the
cached SSL session and initiates a renegotiation upon certificate
authentication. Does that make sense so far?

I just tried configuring a similar configuration, and whilst doing that thought more and more that it doesn't make sense, that it can't fail in the way you described. And it doesn't (with two ports, but it definitely would be the same with two IPs).

But whilst configuring it I met a problem that *could* be the cause of your problem.

Did you configure the "SSLVerifyClient require" option of the second virtual server on the *root* of the second virtual host? It must not be inside a sub-directory, or you will get a renegotiation error, even if your URL directly points to that directory.

Another point: We'll need to document that renegotiation is the default and systematic behavior of IIS, even when client authentication is required everywhere. You must change a flag with a script to correct that.
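The two placements of `SSLVerifyClient require` discussed in the message above, shown as an Apache mod_ssl configuration. This is an added example, not part of the original post; the ports, server names, `/secure` path and file paths are constructed placeholders.

```apache
# Constructed example: ports, ServerName values and file paths are placeholders.
Listen 8443
Listen 9443
Listen 9444

# Virtual host 1: plain server authentication, no client certificate requested.
<VirtualHost *:8443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
</VirtualHost>

# Virtual host 2, placement A: SSLVerifyClient at the root of the virtual host.
# In server context the certificate request is sent during the initial
# handshake, so no renegotiation is needed for any URL on this host.
<VirtualHost *:9443>
    ServerName auth.example.test
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile  /path/to/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 2
</VirtualHost>

# Virtual host 3, placement B: SSLVerifyClient inside a sub-directory.
# The initial handshake completes without a certificate request. In
# per-directory context mod_ssl renegotiates after the HTTP request has been
# read, even when the first URL requested is already under /secure.
<VirtualHost *:9444>
    ServerName auth-subdir.example.test
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile  /path/to/client-ca.crt
    <Location "/secure">
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Location>
</VirtualHost>
```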