如何在网络浏览器上触发SSL重新握手? [英] How to trigger SSL rehandshake on a web browser?
问题描述
我有一个配置为请求SSL客户端证书的Web服务器。如果客户端具有可接受的证书,他们将看到实际的内容,但如果没有,我将退回SSL,而无需客户端身份验证,并显示一个错误页面,通知他们连接安全令牌并重试。
I have a web server that is configured to request a client certificate for SSL. If the client has an acceptable certificate they will see the actual content, but in case do not, I fall back to SSL without client authentication and show an error page that informs them to connect their security token and try again.
问题是,即使他们连接了令牌,浏览器也不会重新协商新的SSL会话,因为它认为当前会话很好。因此,我需要一种使当前SSL会话无效的方法。
The problem is, even when they connect their token, the browser will not renegotiate a new SSL session because it thinks that the current session is fine. So I need a way to invalidate the current SSL session.
我尝试在服务器上执行此操作,该服务器是Tomcat 6:
I tried to do it on the server, which is a Tomcat 6:
response.setHeader("Connection", "close"); // open new socket next time
response.flushBuffer();
Object sslSessionMgr = request.getAttribute("javax.servlet.request.ssl_session_mgr");
if (sslSessionMgr != null) {
try {
Method invalidateSession =
Class.forName("org.apache.tomcat.util.net.SSLSessionManager").getMethod("invalidateSession");
invalidateSession.setAccessible(true);
invalidateSession.invoke(sslSessionMgr);
} catch (Exception e) {/*ignore*/}
}
但是事实证明, sslSessionMgr 始终为 null ,我想知道我在这里做错什么了。
But it turns out that sslSessionMgr is always null and I wonder what am I doing wrong here.
在客户端上当然没有通用的解决方案,但幸运的是 window.crypto.logout()为FireFox起到了作用。我在某处读到IE的等效项是 document.execCommand( ClearAuthenticationCache)或某些ActiveX控件?无论如何,我似乎都无法在IE或Chrome上做到这一点。
On the client of course there is not universal solution, but fortunately window.crypto.logout() does the trick for FireFox. I read somewhere that the equivalent for IE would be document.execCommand("ClearAuthenticationCache") or maybe some ActiveX control? In any case I cannot seem to do it for IE or Chrome.
那我该怎么办?我可以修复其中任何一种解决方案,还是有其他解决方案?
So what can I do here? Can I fix any of these solutions, or is there any other one?
推荐答案
不幸的是,Chrome尚不支持此解决方案,如此问题所述。
Unfortunately, this is not supported in Chrome yet, as discussed in this issue.
据我所知, javax.servlet.request.ssl_session_mgr 技巧仅可用于Apache Tomcat 7。
As far as I know, the javax.servlet.request.ssl_session_mgr trick is only available from Apache Tomcat 7.
这篇关于如何在网络浏览器上触发SSL重新握手?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
