SSL client authentication without SSL re-negotiation
On the client side I have Apache HTTP client on JDK 5u22. On the server side I have Tomcat on JDK 6u27.
With this setup, if I try SSL client authentication (2-way SSL) it causes "javax.net.ssl.SSLHandshakeException: Insecure renegotiation is not allowed" on the server and the handshake fails. It succeeds if I set the system properties sun.security.ssl.allowUnsafeRenegotiation=true and sun.security.ssl.allowLegacyHelloMessages=true on the server.
As per the link http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html this is because JRE 6u27 has the RFC 5746 implementation and JRE versions below 5u26 don't have it, so the two are incompatible. Unfortunately 5u22 is the latest freely available Java 5 version. So I want to know if it is possible to have SSL client authentication without SSL re-negotiation.
Regards, Litty Preeth
As per the Red Hat site https://access.redhat.com/kb/docs/DOC-20491#Renegotiations_disabled_in_Apache_Tomcat : Tomcat may ask the client to renegotiate in certain configurations using client certificate authentication, for example, configurations where a client certificate is not required on the initial connection, such as when:
1. The clientAuth attribute of the HTTPS connector using JSSE is set to false, or the SSLVerifyClient attribute of the HTTPS connector using OpenSSL is set to none.
AND
2. A web application specifies the CLIENT-CERT authentication method in the login-config section of the application's web.xml file.
So to avoid re-negotiation in Tomcat, just make the whole site secure and not just a part of it by setting clientAuth="true" for SSL.
Hope this helps someone.
Regards, Litty
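To make the answer above concrete, here is an added example (not from the original post or from the Tomcat project) showing the two Tomcat 6 JSSE connector configurations side by side: the one that triggers a renegotiation when a CLIENT-CERT web application is hit, and the one that requests the client certificate during the initial handshake so no renegotiation is needed. The keystore/truststore file names and passwords are placeholders.

```xml
<!-- server.xml, HTTPS connector (Tomcat 6, JSSE) -->

<!-- Problematic: clientAuth="false" means the initial handshake does NOT ask
     for a client certificate. When a request later reaches a web application
     whose web.xml declares CLIENT-CERT (below), Tomcat must renegotiate to
     obtain the certificate. A pre-RFC 5746 client (e.g. JDK 5u22) cannot do
     secure renegotiation, so the JDK 6u27 server rejects it with
     "Insecure renegotiation is not allowed". -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="false"
           keystoreFile="conf/server.jks" keystorePass="CHANGE_ME"
           truststoreFile="conf/trusted-client-cas.jks" truststorePass="CHANGE_ME" />

<!-- Corrected: clientAuth="true" makes the whole site require a client
     certificate in the initial handshake, so the certificate is already
     present when the CLIENT-CERT application is reached and no renegotiation
     takes place. Every client connecting to this connector must present a
     certificate chaining to a CA in truststoreFile. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="conf/server.jks" keystorePass="CHANGE_ME"
           truststoreFile="conf/trusted-client-cas.jks" truststorePass="CHANGE_ME" />

<!-- web.xml of the application: the CLIENT-CERT login-config that, combined
     with clientAuth="false" above, is what causes Tomcat to renegotiate. -->
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client certificate required</realm-name>
</login-config>
```

A quick check that the fix took effect: with clientAuth="true", the server's CertificateRequest appears in the first handshake (visible with -Djavax.net.debug=ssl:handshake on either side), and the server log no longer shows the "Insecure renegotiation is not allowed" exception without the allowUnsafeRenegotiation system property.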