The CertificateChallenge object is used to challenge a client for their X509 certificate. Notification of a successful challenge for the certificate is done using a completion task. The task is executed when the SSL renegotiation completes with a client certificate.
For HTTPS, the SSL renegotiation workflow used to challenge the client for their X509 certificate is rather bizarre. It starts with an initial challenge, where an SSL handshake is performed. This initial handshake typically completes but results in the TCP connection being closed by the client. Then a second handshake is performed by the client on a new TCP connection; this second handshake does not contain the certificate either. When the handshake is finished on this new connection, the client will resubmit the original HTTP request. Again the server will have to challenge for the certificate, which should succeed and result in execution of the task provided.
An important point to note here is that if the client closes the TCP connection on the first challenge, the completion task will not be executed; the abandoned challenge is simply ignored. Only a successful completion of an HTTPS renegotiation will result in execution of the provided task.
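As an added illustration (not the library's own code), the following Python model replays the workflow described above: the completion task fires only once a handshake actually delivers a client certificate, and a challenge abandoned by a connection close is ignored. The class shape, method names and the certificate subject string are assumptions made for the model.

```python
# Illustrative model of the certificate-challenge workflow (added example,
# not the library's implementation). Tracks handshake events per TCP
# connection and runs the completion task only when a handshake yields a
# client certificate; a challenge abandoned by a connection close is ignored.
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class CertificateChallenge:
    on_certificate: Callable[[str], None]   # completion task (assumed signature)
    events: List[str] = field(default_factory=list)
    task_executed: bool = False
    challenges: int = 0

    def challenge(self, connection_id: int) -> None:
        # Server starts an SSL (re)negotiation on the given connection.
        self.challenges += 1
        self.events.append(f"conn{connection_id}: challenge #{self.challenges}")

    def handshake_complete(self, connection_id: int, client_cert: Optional[str]) -> bool:
        # Called when a handshake finishes; returns True iff the task ran now.
        if client_cert is None:
            self.events.append(f"conn{connection_id}: handshake done, no certificate")
            return False
        if self.task_executed:
            return False   # the task runs at most once per challenge object
        self.events.append(f"conn{connection_id}: certificate received")
        self.on_certificate(client_cert)
        self.task_executed = True
        return True

    def connection_closed(self, connection_id: int) -> None:
        # Client dropped the TCP connection: the pending challenge is ignored.
        self.events.append(f"conn{connection_id}: closed by client, challenge ignored")


def simulate_https_workflow() -> Tuple[CertificateChallenge, List[str]]:
    """Replay the sequence from the text: challenge, client closes; fresh
    handshake without a certificate; request resubmitted; second challenge
    succeeds. Returns the challenge object and the certificates the task saw."""
    seen: List[str] = []
    ch = CertificateChallenge(on_certificate=seen.append)
    ch.challenge(1)                      # initial challenge on connection 1
    ch.handshake_complete(1, None)       # handshake completes, no certificate
    ch.connection_closed(1)              # client drops the TCP connection
    ch.handshake_complete(2, None)       # client's own handshake on connection 2
    ch.challenge(2)                      # server challenges again after the resubmit
    ch.handshake_complete(2, "CN=client (constructed)")   # renegotiation succeeds
    return ch, seen
```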