synapse-dev mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: Supporting Multiple SSL Configurations at Sender
Date Tue, 21 Jul 2009 09:30:45 GMT
On Tue, Jul 21, 2009 at 11:22:58AM +0200, Andreas Veithen wrote:
> > Well, if not through different stores, how can we let the KeyManager know
> > what cert to use for this particular endpoint?
> 
> If I remember well, this is how it works: during the handshake, the
> server presents a list of trusted CAs to the client. The client then
> selects the certificate that is signed (directly or indirectly) by
> that CA and uses that to authenticate. I'm pretty sure this is what
> happens when you create a java.net.URL with the https scheme and call
> openConnection on it. Since behind the scenes this uses an SSLContext,
> chances are high that it also works with our HTTPS transport (or that
> it would be pretty easy to make it work).
> 
> Of course this only satisfies the requirement if the two endpoints use
> different CAs, which should be the usual case.
> 
> Andreas
> 

Hi Andreas

I may be wrong about it but I believe the client can present whatever client
cert it pleases. That cert does not _have_ to be signed by one of the trusted
CA certs sent to client by the server. For instance, common browsers simply pop
up a UI dialog and let you pick any client certificate available in the
certificate store, if the server requests client authentication in the course
of SSL context negotiation. 

Oleg
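The behaviour Andreas describes is what the JDK's default X509KeyManager implements: given the issuer list from the server's CertificateRequest it returns the first alias whose certificate chains to one of those CAs. Oleg's point is that nothing stops the client from presenting a different certificate, and that is also the way out of the original problem (two endpoints that happen to share a CA): wrap the JDK key manager in an X509ExtendedKeyManager that selects the alias by target host first and only falls back to the issuer rule. The following is an added example, not Synapse code or anything posted in the thread; the keystore file, password, host names and aliases are placeholders. Note that the server still has to be able to validate whatever certificate is chosen, and that the engine path only sees the peer host when the SSLEngine is created with createSSLEngine(host, port).

```java
import java.io.InputStream;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Locale;
import java.util.Map;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

/**
 * Chooses the client certificate by target host instead of by the CA list the
 * server sends in CertificateRequest. Key storage stays with the JDK's own
 * X509KeyManager; only alias selection is overridden. Added example, not Synapse code.
 */
public final class EndpointKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate;
    private final Map<String, String> aliasByHost; // lower-case host -> keystore alias

    public EndpointKeyManager(X509KeyManager delegate, Map<String, String> aliasByHost) {
        this.delegate = delegate;
        this.aliasByHost = aliasByHost;
    }

    /** Selection rule shared by the SSLEngine and Socket code paths. */
    String selectAlias(String peerHost, String[] keyTypes, Principal[] issuers) {
        if (peerHost != null) {
            String alias = aliasByHost.get(peerHost.toLowerCase(Locale.ROOT));
            // Explicit per-endpoint choice: used regardless of the server's issuer list.
            if (alias != null && delegate.getPrivateKey(alias) != null) {
                return alias;
            }
        }
        // Otherwise the JDK's default rule: a certificate issued by a CA the server named.
        return delegate.chooseClientAlias(keyTypes, issuers, null);
    }

    @Override
    public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
        // getPeerHost() is only populated when the engine was created with createSSLEngine(host, port).
        return selectAlias(engine == null ? null : engine.getPeerHost(), keyTypes, issuers);
    }

    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        // Blocking-socket path; getHostName() may do a reverse lookup if the socket
        // was opened by address rather than by name.
        String host = (socket != null && socket.getInetAddress() != null)
                ? socket.getInetAddress().getHostName() : null;
        return selectAlias(host, keyTypes, issuers);
    }

    // Everything below is plain delegation to the JDK key manager.
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return delegate.chooseServerAlias(keyType, issuers, socket); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }

    /** Builds an SSLContext around the wrapper. Keystore path, password and host->alias map are the caller's. */
    public static SSLContext buildContext(String keystorePath, char[] password,
                                          Map<String, String> aliasByHost) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(keystorePath))) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        X509KeyManager jdk = null;
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) { jdk = (X509KeyManager) km; break; }
        }
        if (jdk == null) throw new IllegalStateException("no X509KeyManager from " + kmf.getAlgorithm());
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null trust managers = JDK default trust store; pass your own to pin the partner CAs.
        ctx.init(new KeyManager[] { new EndpointKeyManager(jdk, aliasByHost) }, null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed keystore, hosts and aliases for illustration only; none of them come from the thread.
        Map<String, String> byHost = Map.of("partner-a.example", "cert-for-a",
                                            "partner-b.example", "cert-for-b");
        SSLContext ctx = buildContext("sender.p12", "changeit".toCharArray(), byHost);
        // Creating the engine with the host is what makes getPeerHost() visible to the key manager.
        SSLEngine engine = ctx.createSSLEngine("partner-a.example", 443);
        engine.setUseClientMode(true);
        System.out.println("client-mode engine ready for " + engine.getPeerHost());
    }
}
```

The wrapper has to extend X509ExtendedKeyManager rather than implement X509KeyManager: JSSE wraps a plain X509KeyManager and calls chooseClientAlias with a null socket on the engine path, so the host would never reach it. The fallback to the delegate keeps the issuer-based behaviour for any endpoint you have not mapped explicitly.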




---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@synapse.apache.org
For additional commands, e-mail: dev-help@synapse.apache.org

