This week's book giveaway is in the OO, Patterns, UML and Refactoring forum. We're giving away four copies of Refactoring for Software Design Smells: Managing Technical Debt and have Girish Suryanarayana, Ganesh Samarthyam & Tushar Sharma on-line! See this thread for details.
I have a Apache server that is configured to authenticate clients for a certain URL while the other clients are not authenticated.
Now when a client is trying to get a file from /myServlet/FileServlet/ location I expect the server to send a request to obtain the client certificate, while if the client is attempting to get a file from other locations no client authentication should be performed.
The behavior I am seeing is when the client comes in to the secure location with a HTTPS GET request, SSL handshake occurs without the server requesting for certificate, then I see that the HTTP GET request coming through to HTTP layer and then the server initiates another SSL handshake(re-negotiation) during which the server is requesting for the client certificate. My client is NOT a browser, it's a HTTPS client in C developed by someone else to support few basic HTTPS commands. Now my question is, is this the standard behavior or should the server be requesting the certificate in the first SSL handshake process?? If this is not the standard way of handling then is their something in the apache configuration that I am missing. Can someone please help me out. TIA