synapse-dev mailing list archives

From Hiranya Jayathilaka <hiranya...@gmail.com>
Subject Re: Supporting Multiple SSL Configurations at Sender
Date Tue, 21 Jul 2009 10:52:40 GMT
On Tue, Jul 21, 2009 at 3:41 PM, Paul Fremantle <pzfreo@gmail.com> wrote:

> In terms of production use, I think that the Synapse user would like
> to be able to configure exactly which certificate should be used for a
> specific endpoint.


This is supported by the SSL profile concept I described at the beginning of
this discussion. The only drawback with that approach is that we have to have
multiple keystores and IOReactors. We can probably get rid of multiple
IOReactors by implementing a custom IOEventDispatch as Indiak and Oleg have
mentioned.

Thanks,
Hiranya


> I'm not sure I agree that different endpoints are
> likely to have different CAs. That is true in the self-signed case,
> but in the case of Verisign it might not be. Another use case is the
> PEPPOL infrastructure (http://peppol.eu) , where there will be many
> endpoints sharing a common CA.
>
> Paul
>
>
> On Tue, Jul 21, 2009 at 10:55 AM, Andreas Veithen<andreas.veithen@gmail.com> wrote:
> > On Tue, Jul 21, 2009 at 11:30, Oleg Kalnichevski<olegk@apache.org> wrote:
> >> On Tue, Jul 21, 2009 at 11:22:58AM +0200, Andreas Veithen wrote:
> >>> > Well, if not through different stores, how can we let the KeyManager know
> >>> > what cert to use for this particular endpoint?
> >>>
> >>> If I remember well, this is how it works: during the handshake, the
> >>> server presents a list of trusted CAs to the client. The client then
> >>> selects the certificate that is signed (directly or indirectly) by
> >>> that CA and uses that to authenticate. I'm pretty sure this is what
> >>> happens when you create a java.net.URL with the https scheme and call
> >>> openConnection on it. Since behind the scenes this uses an SSLContext,
> >>> chances are high that it also works with our HTTPS transport (or that
> >>> it would be pretty easy to make it work).
> >>>
> >>> Of course this only satisfies the requirement if the two endpoints use
> >>> different CAs, which should be the usual case.
> >>>
> >>> Andreas
> >>>
> >>
> >> Hi Andreas
> >>
> >> I may be wrong about it but I believe the client can present whatever client
> >> cert it pleases. That cert does not _have_ to be signed by one of the trusted
> >> CA certs sent to client by the server. For instance, common browsers simply pop
> >> up a UI dialog and let you pick any client certificate available in the
> >> certificate store, if the server requests client authentication in the course
> >> of SSL context negotiation.
> >>
> >> Oleg
> >>
> >
> > That is possible, but it is only relevant for a scheme where the
> > consumer of the service creates a certificate himself (typically a
> > self-signed certificate) and somehow registers that with the provider
> > of the service. This implies that the provider has to manage a list of
> > recognized client certificates to authenticate the client. I don't
> > think that is a usual scheme for Web services (BTW, how would you do
> > that with Axis2?), but that it is more usual for the provider to issue
> > certificates to the consumer, so that authentication is based on the
> > signature on the client certificate. But again, this is a question
> > about the requirements.
> >
> > Andreas
> >
> >>
> >>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: dev-unsubscribe@synapse.apache.org
> >>> For additional commands, e-mail: dev-help@synapse.apache.org
> >>>
> >>
> >
>
>
>
> --
> Paul Fremantle
> Co-Founder and CTO, WSO2
> Apache Synapse PMC Chair
> OASIS WS-RX TC Co-chair
>
> blog: http://pzf.fremantle.org
> paul@wso2.com
>
> "Oxygenating the Web Service Platform", www.wso2.com
>
>


-- 
Hiranya Jayathilaka
Software Engineer;
WSO2 Inc.;  http://wso2.org
E-mail: hiranya@wso2.com;  Mobile: +94 77 633 3491
Blog: http://techfeast-hiranya.blogspot.com
