Forum Discussion
Mark_Wallis_833
Nimbostratus
Feb 03, 2013
Dealing with SSL client cert auth and long-running connections
Hi everyone.
We have an SSL VS that requires SSL client certificate authentication. We use an iRule to store the client certificate used for authentication in the SSL session so we can inject it ...
Kevin_Stewart
Employee
Feb 04, 2013
In short, you cannot know the status of a client certificate without first asking for it, which generally requires an SSL negotiation/re-negotiation. Keep in mind though that TCP, SSL, and HTTP "sessions" are different. You can maintain HTTP sessions over many SSL sessions, and you can maintain SSL sessions over many TCP sessions. Further, if your application is browser-based, it's likely that the SSL re-negotiation and client certificate sending would be transparent to the user.
One other thing to consider, if you still require not renegotiating SSL, is to implement a session table entry per user (perhaps based on the SSL session ID) that holds information about the client's certificate. When the client first negotiates, store the client certificate's validity date via X509::not_valid_after in the table. On ~every HTTP request check this entry and terminate/re-negotiate the session if the user exceeds a predefined session limit or the certificate end date (whichever comes first).
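The session-table approach described in the reply above, written out as an added iRule example (this is not code from the thread or from F5). It assumes the virtual server has a clientssl profile with client certificate authentication enabled so that CLIENTSSL_CLIENTCERT fires, and the table key prefix, the 8-hour session limit and the use of `clock scan` on the `X509::not_valid_after` string are the example's own choices, not anything stated in the thread.

```tcl
# Added example, not the poster's or F5's code. Assumptions: clientssl profile
# with client cert auth "request"/"require"; key prefix, timeouts and the
# clock-scan parsing of the not_valid_after string are this example's choices.

when RULE_INIT {
    # Maximum age (seconds) of one authenticated SSL session before we force a
    # renegotiation and a fresh client certificate check. Assumed value: 8 hours.
    set static::ccsess_max_age 28800
}

when CLIENTSSL_CLIENTCERT {
    # Fires after the client presents its certificate during the handshake.
    if { [SSL::cert count] > 0 } {
        set cert [SSL::cert 0]
        # X509::not_valid_after returns a date string; clock scan converts it to
        # epoch seconds so it can be compared with [clock seconds] later.
        set not_after [clock scan [X509::not_valid_after $cert]]
        set key "ccsess:[SSL::sessionid]"
        # Entry value: "<time cert was seen> <cert notAfter>". Idle timeout of
        # 1 hour, no absolute lifetime: the per-request check below decides when
        # the entry must go.
        table set $key "[clock seconds] $not_after" 3600 indefinite
    }
}

when HTTP_REQUEST {
    set key "ccsess:[SSL::sessionid]"
    set entry [table lookup $key]

    if { $entry eq "" } {
        # No record for this SSL session: the cert was never seen on it (e.g. a
        # resumed session that predates this rule), so ask for it again.
        SSL::renegotiate
        return
    }

    set seen_at   [lindex $entry 0]
    set not_after [lindex $entry 1]
    set now       [clock seconds]

    if { $now > $not_after } {
        # Certificate has expired since it was checked: drop the entry and end
        # the connection rather than keep serving on a stale credential.
        table delete $key
        reject
        return
    }

    if { [expr {$now - $seen_at}] > $static::ccsess_max_age } {
        # Session limit reached: drop the entry and renegotiate so the client
        # must present (and we re-validate) its certificate.
        table delete $key
        SSL::renegotiate
        return
    }
}
```

The table is keyed on the SSL session ID, so the cost on a normal request is one table lookup and two integer comparisons; the full handshake only happens when the entry is missing, the certificate has expired, or the session-age limit is hit, whichever comes first.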
