On 13. 3. 2010 0:37, John R Pierce wrote:
> we have a client-server application pair (ok, the server side is
> tomcat), the client is using an Aladdin eToken w/ openssl and
> engine_pkcs11 and Aladdin's driver. that's all fine and working now.
> the client application has long running persistence, eg, once it's
> running, it stays up for days/weeks as it's a dedicated system sort of
> thing. the client makes periodic queries to the tomcat server,
> server responds, yada yada yada...
>
> our security auditors yanked the token out, and the client continues
> to work, like it's cached the SSL authentication and continues to reuse
> the same session.
>
> so, what exactly should we be doing from our xmlrpc-over-ssl client to
> ensure each of our macro "transactions" re-authenticates from scratch?

Hi,

you'll probably need to listen for the token removal event and destroy this SSL session after that. It is working for us this way. The session should be renegotiated after the token is inserted again.

Regards,
Peter