synapse-dev mailing list archives

From Oleg Kalnichevski <>
Subject Re: Supporting Multiple SSL Configurations at Sender
Date Tue, 21 Jul 2009 09:30:45 GMT
On Tue, Jul 21, 2009 at 11:22:58AM +0200, Andreas Veithen wrote:
> > Well, if not through different stores, how can we let the KeyManager know
> > what cert to use for this particular endpoint?
> If I remember well, this is how it works: during the handshake, the
> server presents a list of trusted CAs to the client. The client then
> selects the certificate that is signed (directly or indirectly) by
> that CA and uses that to authenticate. I'm pretty sure this is what
> happens when you create a with the https scheme and call
> openConnection on it. Since behind the scene this uses an SSLContext,
> chances are high that it also works with our HTTPS transport (or that
> it would be pretty easy to make it work).
> Of course this only satisfies the requirement if the two endpoints use
> different CAs, which should be the usual case.
> Andreas

Hi Andreas

I may be wrong about it, but I believe the client can present whatever client
cert it pleases. That cert does not _have_ to be signed by one of the trusted
CA certs sent to the client by the server. For instance, common browsers simply pop
up a UI dialog and let you pick any client certificate available in the
certificate store, if the server requests client authentication in the course
of SSL context negotiation.


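The selection step the two messages above discuss, as an added example that is not part of this thread and not Synapse's own transport code. It is a client-side key manager for JSSE: during the handshake JSSE calls chooseClientAlias (or chooseEngineClientAlias, for the SSLEngine used by a non-blocking transport) and passes in the issuer DNs the server listed in its CertificateRequest. The manager first honours an explicit per-endpoint alias, which is what lets two endpoints that share a CA get different certificates, and otherwise falls back to the first key entry whose chain is issued by one of the listed CAs. EndpointKeyManager, aliasByHost and the host-to-alias policy are hypothetical names chosen for illustration; the JSSE types used (X509ExtendedKeyManager, KeyManagerFactory, SSLEngine, X500Principal) are the real ones.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

/*
 * Added example, not Synapse code. EndpointKeyManager and aliasByHost are
 * hypothetical names. The issuers[] argument JSSE passes in is the list of
 * CA distinguished names from the server's CertificateRequest message.
 */
public final class EndpointKeyManager extends X509ExtendedKeyManager {

    private final X509KeyManager delegate;          // JSSE default key manager
    private final Map<String, String> aliasByHost;  // peer host name -> key store alias

    public EndpointKeyManager(KeyStore keyStore, char[] keyPassword,
                              Map<String, String> aliasByHost) throws Exception {
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        this.delegate = (X509KeyManager) kmf.getKeyManagers()[0];
        this.aliasByHost = new HashMap<String, String>(aliasByHost);
    }

    // Blocking (SSLSocket) path: the peer host comes from the connected socket.
    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        String host = (socket != null && socket.getInetAddress() != null)
            ? socket.getInetAddress().getHostName() : null;
        return select(keyTypes, issuers, host);
    }

    // Non-blocking (SSLEngine) path: the peer host is the one the engine was created with.
    @Override
    public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
        String host = (engine != null) ? engine.getPeerHost() : null;
        return select(keyTypes, issuers, host);
    }

    private String select(String[] keyTypes, Principal[] issuers, String host) {
        // 1. An alias configured for this endpoint wins. This deliberately ignores the
        //    server's issuer list: the protocol lets the client send any certificate,
        //    and it is the server that decides whether to accept it.
        if (host != null) {
            String pinned = aliasByHost.get(host);
            if (pinned != null && delegate.getPrivateKey(pinned) != null) {
                return pinned;
            }
        }
        // 2. Otherwise do what the default manager does: the first key entry of an
        //    acceptable key type whose chain is signed by a CA the server listed.
        //    An empty issuer list means the server accepts certificates from any CA.
        for (String keyType : keyTypes) {
            String[] candidates = delegate.getClientAliases(keyType, null);
            if (candidates == null) continue;
            for (String alias : candidates) {
                if (issuers == null || issuers.length == 0 || issuedBy(alias, issuers)) {
                    return alias;
                }
            }
        }
        return null; // nothing usable: JSSE then sends an empty Certificate message
    }

    // True if any certificate in the alias's chain names one of the issuers.
    // This compares DNs only, exactly as the handshake does; it does not verify signatures.
    private boolean issuedBy(String alias, Principal[] issuers) {
        X509Certificate[] chain = delegate.getCertificateChain(alias);
        if (chain == null) return false;
        for (X509Certificate cert : chain) {
            X500Principal issuer = cert.getIssuerX500Principal();
            for (Principal p : issuers) {
                if (issuer.equals(p)) return true;
            }
        }
        return false;
    }

    // The remaining X509KeyManager methods simply delegate.
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseServerAlias(keyType, issuers, socket);
    }
    @Override public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }
    @Override public PrivateKey getPrivateKey(String alias) {
        return delegate.getPrivateKey(alias);
    }
}
```

Wire it in with SSLContext.init(new KeyManager[] { new EndpointKeyManager(keyStore, password, aliasByHost) }, trustManagers, null). Two things to watch: the fallback in step 2 picks the first matching alias, so when two endpoints accept the same CA only the aliasByHost entry distinguishes them; and the keys of that map must be the host name the socket or engine actually reports (getHostName may reverse-resolve an address), so populate it from the same host string used to open the connection.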