I'm using client certificates in SSL sessions to authenticate users, but I'm having a bit of a problem with cached sessions. (I have configured the web server to accept—not require—client certificates.)
I fixed this using this example: Clear SSL client certificate state from JavaScript

    var xmlHttp = new XMLHttpRequest();
    xmlHttp.onreadystatechange = function () {
        // put any actions to carry out upon logout here
    };
    xmlHttp.open("GET", "/ssl_logout/", true);
    xmlHttp.send();

and with an Apache24 config like this, mind the SSLVerifyDepth actually blocking every TLS request and forcing a renegotiation:

    <Directory "/usr/local/users/local/xxxxxx/yyyy/htdocs/ssl_logout">
        SSLVerifyClient require
        SSLVerifyDepth 0
    </Directory>

We are, however, on an IIS7 production environment and I would like to know how to do the same trick on IIS7: refusing all client certificates on a folder or file, thereby dropping SSL and forcing renegotiation.
Or is there another (JavaScript) solution to forcefully reload my client certificate / SSL connection?