Re: [TLS] [Fwd: WWW-Authenticate challenge for client-certificates]

Joe Orton <> Thu, 21 January 2010 16:58 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C056E3A6A38 for <>; Thu, 21 Jan 2010 08:58:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id lRtrOog-Pf1u for <>; Thu, 21 Jan 2010 08:58:52 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 169793A6818 for <>; Thu, 21 Jan 2010 08:58:52 -0800 (PST)
Received: from ( []) by (8.13.8/8.13.8) with ESMTP id o0LGwlRi017463 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 21 Jan 2010 11:58:47 -0500
Received: from ( []) by (8.13.8/8.13.8) with ESMTP id o0LGwjQ5019650 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 21 Jan 2010 11:58:46 -0500
Received: from jorton by with local (Exim 4.69) (envelope-from <>) id 1NY0Mm-0000lX-H3; Thu, 21 Jan 2010 16:58:44 +0000
Date: Thu, 21 Jan 2010 16:58:44 +0000
From: Joe Orton <>
To: Bruno Harbulot <>
Message-ID: <>
Mail-Followup-To: Bruno Harbulot <>,
References: <>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.20 (2009-08-17)
Organization: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SL4 1TE, United Kingdom. Registered in UK and Wales under Company Registration No. 03798903 Directors: Michael Cunningham (USA), Brendan Lane (Ireland), Matt Parson (USA), Charlie Peters (USA)
X-Scanned-By: MIMEDefang 2.67 on
Subject: Re: [TLS] [Fwd: WWW-Authenticate challenge for client-certificates]
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 21 Jan 2010 16:58:52 -0000

On Tue, Jan 19, 2010 at 02:40:54PM +0000, Bruno Harbulot wrote:
> This leads to a couple of problems:
> - The HTTP application is unable to inform the client it would rather
> have another certificate than the one that is presented. Whether-or-not
> to accept the certificate is done by the trust management mechanism of
> the TLS layer, and it is difficult for the HTTP application to deal
> with. Often, once the certificate has been negotiated, browsers usually
> keep the TLS connection open and changing certificate can often only be
> done by closing the browser or letting the connection time out.
> - If a certificate is mandatory, the 'require' mode leads to a handshake
> error code on the client side, resulting in an abrupt error message,
> which is confusing for most users.

I don't see how either of these problems are a consequence of protocol 
design, merely server implementation or configuration.

It is simple to configure mod_ssl to avoid the second problem - you make 
client certificates requested but optional ("SSLVerifyClient optional"), 
and then use an HTTP authorization-level check to present an HTTP 403 
error if in fact the TLS layer did not receive a client cert (using 
"SSLRequire").  The 403 error page can be customized as usual.

You could do something similar for the first problem though the 
configuration might be a little awkward.

Regards, Joe