
I'm using IBM IHS Http-Server, with an SSL-enabled VirtualHost.

My problem is that the server is requesting a client certificate seemingly at random after client requests; however, it should request it only once and cache the session.

If I turn KeepAlive off, the client certificate is requested after each and every client request (which would of course be the normal behaviour); however, because SSLCacheEnable is turned on, I would expect the connection to be cached and the client certificate to be requested only once, after the first request.

Do you have an idea, what could cause this problem?

(UPDATE: in my case the client is not a web browser but a Java fat-client application. In the client log I turned on the SSL trace, and I see "ServerHelloDone" after each request, which is not desired.)

clementino

1 Answer


HTTP keep-alive only means that multiple HTTP requests can be sent over the same TCP connection, not that all requests will or even must be sent over a single connection. First, unless HTTP/2 is used, the browser usually opens multiple connections to the same site even if keep-alive is used. Then, both server and browser can close the connection after each response. And even setting a large keep-alive timeout at the server has no effect on when the client will close the connection.

Steffen Ullrich
  • Thanks for the clarification. Maybe I was not clear in my question, but the main problem is the constant client-certificate requests. I was just trying to explain this with the keep-alive, but it seems like the problem is somewhere else. Maybe you have an idea where to search for the root cause? Btw. the client is not a browser but a Java fat-client application; I'll update my question with this info. – clementino Nov 15 '18 at 11:14
  • @clementino: A request for a client certificate is done with each new TLS session. A new TLS session is done for each new TCP connection unless session resumption is supported and enabled by both client and server. For the server this is `SSLCacheEnable`, which you have, but maybe your client does not attempt to resume the session. – Steffen Ullrich Nov 15 '18 at 11:15
  • I definitely have `SSLCacheEnable` on server-side. On the client-side I will need to do some analysis in the code if the session is reused or not. – clementino Nov 15 '18 at 11:24
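To make the point in the answer and comments concrete (one CertificateRequest per full handshake, none on a resumed session), here is an added Go example; it is not part of the original question, answer or comments, and it is not IHS or the fat client's code. It stands up a loopback mutual-TLS server pinned to TLS 1.2 and dials it three times with two client configurations: one with no `ClientSessionCache`, which never offers a previous session and so gets a fresh CertificateRequest on every connection, and one with `tls.NewLRUClientSessionCache`, which resumes from the second connection on. The certificates are throwaway self-signed ones generated in memory, and the `Result`, `selfSigned`, `startServer`, `connect` and `Demo` names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Result records, for one client configuration, whether each connection resumed
// an earlier TLS session and how many CertificateRequests the client answered
// (the server sends one per full handshake and none on an abbreviated one).
type Result struct {
	Resumed      []bool
	CertRequests int
}

// selfSigned builds a throwaway self-signed certificate in memory (constructed
// test material, no files). The same cert serves as leaf and as trust anchor.
func selfSigned(cn string, eku x509.ExtKeyUsage) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// startServer listens on loopback with mandatory client certificates, pinned to
// TLS 1.2 so the session data is delivered inside the handshake itself. Go uses
// session tickets here; the IHS SSLCacheEnable session-ID cache plays the same role.
func startServer(serverCert, clientCert tls.Certificate) (net.Listener, error) {
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(clientCert.Leaf)
	cfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    clientCAs,
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed by Demo
			}
			go func(c net.Conn) {
				defer c.Close()
				c.Write([]byte("ok\n")) // Write drives the handshake; any error just ends this connection
			}(c)
		}
	}()
	return ln, nil
}

// connect dials the server n times with one shared tls.Config. A nil cache means
// the client never offers a previous session (the suspected fat-client behaviour).
func connect(addr string, n int, clientCert, serverCert tls.Certificate, cache tls.ClientSessionCache) (Result, error) {
	roots := x509.NewCertPool()
	roots.AddCert(serverCert.Leaf)
	var res Result
	cfg := &tls.Config{
		RootCAs:            roots,
		ServerName:         "127.0.0.1",
		MinVersion:         tls.VersionTLS12,
		MaxVersion:         tls.VersionTLS12,
		ClientSessionCache: cache,
		// Called only when the server sends CertificateRequest, i.e. on a full handshake.
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			res.CertRequests++
			return &clientCert, nil
		},
	}
	for i := 0; i < n; i++ {
		conn, err := tls.Dial("tcp", addr, cfg) // Dial returns only after the handshake completed
		if err != nil {
			return res, err
		}
		res.Resumed = append(res.Resumed, conn.ConnectionState().DidResume)
		conn.Close()
	}
	return res, nil
}

// Demo runs both client behaviours against one server and returns the two results.
func Demo(n int) (withCache, noCache Result, err error) {
	serverCert, err := selfSigned("example-server", x509.ExtKeyUsageServerAuth)
	if err != nil {
		return
	}
	clientCert, err := selfSigned("example-fat-client", x509.ExtKeyUsageClientAuth)
	if err != nil {
		return
	}
	ln, err := startServer(serverCert, clientCert)
	if err != nil {
		return
	}
	defer ln.Close()
	addr := ln.Addr().String()
	if noCache, err = connect(addr, n, clientCert, serverCert, nil); err != nil {
		return
	}
	withCache, err = connect(addr, n, clientCert, serverCert, tls.NewLRUClientSessionCache(8))
	return
}

func main() {
	withCache, noCache, err := Demo(3)
	if err != nil {
		panic(err)
	}
	fmt.Printf("no client session cache:   resumed=%v  certificate requests=%d\n", noCache.Resumed, noCache.CertRequests)
	fmt.Printf("with client session cache: resumed=%v  certificate requests=%d\n", withCache.Resumed, withCache.CertRequests)
}
```

The server configuration is identical in both runs; only the client changes, which is the point of the comment above: the server can resume only a session the client offers. In a TLS 1.2 trace a full handshake shows ServerHelloDone (and, here, CertificateRequest), while the abbreviated handshake of a resumed session has neither, so a client log that shows ServerHelloDone on every request is a client that is not offering its session. On the Java side the usual causes to look for are a fresh SSLContext or SSLSocketFactory per request, or session caching disabled on the context; that is a checklist for the asker's analysis, not a finding from this page.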