
My web users are able to optionally use a Smart Card certificate to identify themselves via Firefox to my web server running Apache httpd 2.4.

For this I use SSLVerifyClient optional, plus SSLSessionCache and SSLSessionCacheTimeout for speed.

Sometimes the user forgets to insert his Smart Card. Then he successfully creates a TLS connection and sees some content but is not logged in. If he now inserts his Smart Card and reloads the page, the browser does not try to send the certificate from the Smart Card. (I think because there is no need for it: there is a valid SSL session and so no renegotiation is started.) If the user waits until the SSLSessionCacheTimeout has expired, the browser sends the certificate...

So the question: How do I force the browser/server to renegotiate the SSL session? Is there a trick?

A trick with a second server works: if I put a link on my server, "Click here for a new login attempt", which transfers the user to a different server (without SSLSessionCache) that requires a certificate, and that server sets a cookie and redirects back to my original server, I am able to use that cookie to see that this is a logged-in user. But I am hoping there is a better way...

Any ideas?

0 Answers
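One server-side way to get the behaviour the question asks for, shown here as an added example that is not part of the original post: keep `SSLVerifyClient optional` at the vhost level and put `SSLVerifyClient require` in a per-directory block for a dedicated login path. mod_ssl (documented in the SSLVerifyClient / SSLRequire section of the mod_ssl manual) renegotiates the TLS session when a request lands in a per-directory context whose client-verification requirement is stricter than what the current session already satisfied, so a reload of `/login` after inserting the card makes Firefox present the certificate even though a cached session exists. The hostname, certificate and CA file paths, cache path and size, and the `/login` path are assumptions for illustration.

```apacheconf
# Added example, not the original poster's configuration.
# Vhost-wide the client certificate is optional; /login alone requires one.
<VirtualHost *:443>
    # Assumed hostname and file paths
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    # CA that issued the Smart Card certificates (assumed path)
    SSLCACertificateFile  /etc/ssl/certs/smartcard-issuing-ca.pem

    # Same setup as in the question: optional cert, session cache for speed
    SSLVerifyClient optional
    SSLVerifyDepth 3
    SSLSessionCache shmcb:/var/run/apache2/ssl_scache(512000)
    SSLSessionCacheTimeout 300

    # Expose SSL_CLIENT_S_DN, SSL_CLIENT_VERIFY, SSL_CLIENT_CERT to the app
    SSLOptions +StdEnvVars +ExportCertData

    # Stricter per-directory requirement: entering this path on a session
    # that carried no client certificate triggers a renegotiation with a
    # certificate request, so "Click here to log in" can simply link here.
    <Location /login>
        SSLVerifyClient require
        SSLRequireSSL
        # Request bodies are buffered while renegotiating; raise for large POSTs
        SSLRenegBufferSize 131072
    </Location>
</VirtualHost>
```

Two practical checks: after a reload run `openssl s_client -connect www.example.com:443 -cert card.pem -key card.key` and request `/login` to confirm the server sends a CertificateRequest on that path, and verify the application trusts `SSL_CLIENT_VERIFY` only when it equals `SUCCESS`. Note that classic renegotiation exists only up to TLS 1.2; under TLS 1.3 newer httpd 2.4 builds use post-handshake authentication for per-directory requirements, and browser support for that is uneven, so if the `/login` block does not prompt for the card under TLS 1.3, test the same vhost with `SSLProtocol -all +TLSv1.2` to confirm the renegotiation path works before deciding how to handle TLS 1.3 clients.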