synapse-dev mailing list archives

From Paul Fremantle <pzf...@gmail.com>
Subject Re: Supporting Multiple SSL Configurations at Sender
Date Tue, 21 Jul 2009 10:11:53 GMT
In terms of production use, I think that the Synapse user would like
to be able to configure exactly which certificate should be used for a
specific endpoint. I'm not sure I agree that different endpoints are
likely to have different CAs. That is true in the self-signed case,
but in the case of Verisign it might not be. Another use case is the
PEPPOL infrastructure (http://peppol.eu), where there will be many
endpoints sharing a common CA.

Paul


On Tue, Jul 21, 2009 at 10:55 AM, Andreas Veithen <andreas.veithen@gmail.com> wrote:
> On Tue, Jul 21, 2009 at 11:30, Oleg Kalnichevski<olegk@apache.org> wrote:
>> On Tue, Jul 21, 2009 at 11:22:58AM +0200, Andreas Veithen wrote:
>>> > Well, if not through different stores, how can we let the KeyManager know
>>> > what cert to use for this particular endpoint?
>>>
>>> If I remember well, this is how it works: during the handshake, the
>>> server presents a list of trusted CAs to the client. The client then
>>> selects the certificate that is signed (directly or indirectly) by
>>> that CA and uses that to authenticate. I'm pretty sure this is what
>>> happens when you create a java.net.URL with the https scheme and call
>>> openConnection on it. Since behind the scenes this uses an SSLContext,
>>> chances are high that it also works with our HTTPS transport (or that
>>> it would be pretty easy to make it work).
>>>
>>> Of course this only satisfies the requirement if the two endpoints use
>>> different CAs, which should be the usual case.
>>>
>>> Andreas
>>>
>>
>> Hi Andreas
>>
>> I may be wrong about it but I believe the client can present whatever client
>> cert it pleases. That cert does not _have_ to be signed by one of the trusted
>> CA certs sent to client by the server. For instance, common browsers simply pop
>> up a UI dialog and let you pick any client certificate available in the
>> certificate store, if the server requests client authentication in the course
>> of SSL context negotiation.
>>
>> Oleg
>>
>
> That is possible, but it is only relevant for a scheme where the
> consumer of the service creates a certificate himself (typically a
> self-signed certificate) and somehow registers that with the provider
> of the service. This implies that the provider has to manage a list of
> recognized client certificates to authenticate the client. I don't
> think that is a usual scheme for Web services (BTW, how would you do
> that with Axis2?), but that it is more usual for the provider to issue
> certificates to the consumer, so that authentication is based on the
> signature on the client certificate. But again, this is a question
> about the requirements.
>
> Andreas
>



-- 
Paul Fremantle
Co-Founder and CTO, WSO2
Apache Synapse PMC Chair
OASIS WS-RX TC Co-chair

blog: http://pzf.fremantle.org
paul@wso2.com

"Oxygenating the Web Service Platform", www.wso2.com

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@synapse.apache.org
For additional commands, e-mail: dev-help@synapse.apache.org
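As an added example (not Synapse's code and not from anyone in this thread), this is what the per-endpoint choice Paul asks for looks like on top of the issuer-based selection Andreas describes: a JSSE X509KeyManager wrapper that first consults a configured host:port -> alias map and otherwise lets the default key manager pick from the CA list the server sent. The class name, the map format and the alias values are assumptions; in a real deployment they would come from the transport's own configuration.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.net.ssl.*;

/** Picks the client certificate per endpoint; otherwise defers to JSSE's issuer-based choice. */
public final class EndpointKeyManager extends X509ExtendedKeyManager {
    private final X509ExtendedKeyManager delegate;     // the JSSE default key manager
    private final Map<String, String> aliasByEndpoint; // "host:port" -> key store alias (assumed config format)

    public EndpointKeyManager(X509ExtendedKeyManager delegate, Map<String, String> aliasByEndpoint) {
        this.delegate = delegate; this.aliasByEndpoint = aliasByEndpoint;
    }

    // The configured alias for this endpoint, but only if the key store really holds a chain for it.
    private String forcedAlias(String host, int port) {
        String alias = aliasByEndpoint.get(host + ":" + port);
        return alias != null && delegate.getCertificateChain(alias) != null ? alias : null;
    }

    @Override // blocking SSLSocket path
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        String alias = (socket == null || socket.getInetAddress() == null) ? null
                : forcedAlias(socket.getInetAddress().getHostName(), socket.getPort());
        return alias != null ? alias : delegate.chooseClientAlias(keyTypes, issuers, socket);
    }

    @Override // non-blocking SSLEngine path, the one an NIO HTTPS transport goes through
    public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
        String alias = engine == null ? null : forcedAlias(engine.getPeerHost(), engine.getPeerPort());
        return alias != null ? alias : delegate.chooseEngineClientAlias(keyTypes, issuers, engine);
    }
    // Everything else is passed through unchanged.
    public String[] getClientAliases(String kt, Principal[] is) { return delegate.getClientAliases(kt, is); }
    public String chooseServerAlias(String kt, Principal[] is, Socket s) { return delegate.chooseServerAlias(kt, is, s); }
    public String[] getServerAliases(String kt, Principal[] is) { return delegate.getServerAliases(kt, is); }
    public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
    /** Builds an SSLContext whose default key manager is wrapped with per-endpoint selection. */
    public static SSLContext newContext(KeyStore ks, char[] keyPass, Map<String, String> aliasByEndpoint) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);
        X509ExtendedKeyManager base = (X509ExtendedKeyManager) kmf.getKeyManagers()[0];
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new EndpointKeyManager(base, aliasByEndpoint) }, null, null);
        return ctx;
    }
}
```

Logging the `issuers` array inside the two choose methods is the quickest way to see which CA list a given endpoint actually sends, and therefore whether the issuer-based default would already pick the right certificate for it.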

