|
| Hi,
I was wondering if, when configuring Apache for client-authenticated SSL
(i.e., using client certs), there is a way to configure Apache to force
a re-authentication of each HTTPS *request*? Note, when I say "each
HTTPS request" here, I mean each individual HTTPS request, not each SSL
connection.
Some background: We have an Apache webserver that is configured for
client-authenticated SSL ("SSLVerifyClient optional"). The Apache
webserver is mainly a proxy for a WebLogic app server.
In our case, the client workstations have smart card readers, and client
certs are stored on the smart cards.
We are encountering a problem where, when users access the Apache
server, they are getting re-prompted to enter their smart card PIN
multiple (many) times, even just to access the initial webpage.
I'm aware that there are some settings in the smart card "middleware"
that would cache either the users' PIN or their certificates. These
settings are currently set to not cache, and our management doesn't want
to change these settings, so I've been looking into what things could be
causing this behavior, and someone on another newgroup mentioned that it
may be possible that some webservers have a setting that would force a
re-"SSL"-authentication for each HTTPS request, but I'm not aware of a
setting like this.
So, I'm wondering if there is some way to configure Apache+SSL so that
this (re-authenticating) would occur with each individual HTTPS request?
Thanks in advance,
Jim
|
|