0

My web application authenticates users via preauthentication (every request includes the client-side cert that the server uses to authenticate the request).

Setup: Apache web server, Tomcat application server, mod_jk connector

  1. Client hits Apache server and selects a certificate
  2. SSL handshake begins where client's browser verifies server's certificate, and server ensures that client's passed-in certificate is valid
  3. Once SSL is established, server passes SSL_CLIENT_CERT to Tomcat for authentication

EDIT:

Addtionally, the user's client certificate is checked against a Certificate Revocation List (CRL).

Is the additional time required to download the CRL or CRL Delta and then check that the client's certificate hasn't been revoked likely time-consuming?

4

1 回答 1

1

当然,但它并不像你想象的那样经常发生。服务器几乎肯定会缓存 CRL,并且不会在某个时间间隔(例如一个小时)内重新获取它,并且由于 (1) HTTP keepalive 和 (2) SSL,您认为随每个请求发送客户端证书的前提也不正确会话缓存,它会在服务器配置的任何时间段内重复使用相同的 SSL 会话,可能是 10-15 分钟,也可能是一个小时,甚至可能是一天。

于 2013-06-23T00:32:31.230 回答