synapse-dev mailing list archives

From Paul Fremantle <>
Subject Re: Supporting Multiple SSL Configurations at Sender
Date Tue, 21 Jul 2009 10:11:53 GMT
In terms of production use, I think that the Synapse user would like
to be able to configure exactly which certificate should be used for a
specific endpoint. I'm not sure I agree that different endpoints are
likely to have different CAs. That is true in the self-signed case,
but in the case of Verisign it might not be. Another use case is the
PEPPOL infrastructure ( , where there will be many
endpoints sharing a common CA.


On Tue, Jul 21, 2009 at 10:55 AM, Andreas Veithen<> wrote:
> On Tue, Jul 21, 2009 at 11:30, Oleg Kalnichevski<> wrote:
>> On Tue, Jul 21, 2009 at 11:22:58AM +0200, Andreas Veithen wrote:
>>> > Well, if not through different stores, how can we let the KeyManager know
>>> > what cert to use for this particular endpoint?
>>> If I remember well, this is how it works: during the handshake, the
>>> server presents a list of trusted CAs to the client. The client then
>>> selects the certificate that is signed (directly or indirectly) by
>>> that CA and uses that to authenticate. I'm pretty sure this is what
>>> happens when you create a with the https scheme and call
>>> openConnection on it. Since behind the scenes this uses an SSLContext,
>>> chances are high that it also works with our HTTPS transport (or that
>>> it would be pretty easy to make it work).
>>> Of course this only satisfies the requirement if the two endpoints use
>>> different CAs, which should be the usual case.
>>> Andreas
>> Hi Andreas
>> I may be wrong about it but I believe the client can present whatever client
>> cert it pleases. That cert does not _have_ to be signed by one of the trusted
>> CA certs sent to client by the server. For instance, common browsers simply pop
>> up a UI dialog and let you pick any client certificate available in the
>> certificate store, if the server requests client authentication in the course
>> of SSL context negotiation.
>> Oleg
> That is possible, but it is only relevant for a scheme where the
> consumer of the service creates a certificate himself (typically a
> self-signed certificate) and somehow registers that with the provider
> of the service. This implies that the provider has to manage a list of
> recognized client certificates to authenticate the client. I don't
> think that is a usual scheme for Web services (BTW, how would you do
> that with Axis2?), but that it is more usual for the provider to issue
> certificates to the consumer, so that authentication is based on the
> signature on the client certificate. But again, this is a question
> about the requirements.
> Andreas

Paul Fremantle
Co-Founder and CTO, WSO2
Apache Synapse PMC Chair


"Oxygenating the Web Service Platform",
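As an added example (not code from this thread, from Synapse or from WSO2), here is one way to put the two mechanisms discussed above together in Java: JSSE's default X509KeyManager already does the issuer-driven selection Andreas describes (it picks an alias whose chain is signed by one of the CAs the server lists in its CertificateRequest), and a thin wrapper around it can add the explicit per-endpoint choice Paul asks for. The class name, the host-to-alias map and the `buildContext` helper are assumptions made for the example; the JSSE types and methods are the standard ones. It handles both the blocking-socket path and the SSLEngine path that NIO transports use.

```java
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketAddress;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

/**
 * Hypothetical key manager (example only): pins a key-store alias to an endpoint
 * host and otherwise falls back to JSSE's default choice, which is driven by the
 * list of acceptable CAs the server sends in its CertificateRequest.
 */
public final class EndpointPinnedKeyManager extends X509ExtendedKeyManager {

    private final X509KeyManager delegate;          // JSSE's default manager over the key store
    private final Map<String, String> aliasByHost;  // endpoint host -> alias (assumed config shape)

    public EndpointPinnedKeyManager(X509KeyManager delegate, Map<String, String> aliasByHost) {
        this.delegate = delegate;
        this.aliasByHost = aliasByHost;
    }

    /** Blocking-socket path (what HttpsURLConnection uses). */
    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        String host = null;
        if (socket != null) {
            SocketAddress addr = socket.getRemoteSocketAddress();
            if (addr instanceof InetSocketAddress) {
                host = ((InetSocketAddress) addr).getHostString(); // no reverse DNS lookup
            }
        }
        String pinned = resolvePinned(host);
        return pinned != null ? pinned : delegate.chooseClientAlias(keyTypes, issuers, socket);
    }

    /** SSLEngine path (NIO transports). */
    @Override
    public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
        String pinned = resolvePinned(engine != null ? engine.getPeerHost() : null);
        if (pinned != null) {
            return pinned;
        }
        if (delegate instanceof X509ExtendedKeyManager) {
            return ((X509ExtendedKeyManager) delegate).chooseEngineClientAlias(keyTypes, issuers, engine);
        }
        // Issuer-based selection does not need the socket, so null is acceptable here.
        return delegate.chooseClientAlias(keyTypes, issuers, null);
    }

    /**
     * Returns the configured alias only if the key store really holds a private key
     * under it; otherwise returns null (no client certificate) rather than letting
     * the default selection present some other identity to that endpoint.
     */
    private String resolvePinned(String host) {
        if (host == null) return null;
        String alias = aliasByHost.get(host);
        if (alias == null) return null;
        return delegate.getPrivateKey(alias) != null ? alias : null;
    }

    // Everything else is plain delegation.
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return delegate.chooseServerAlias(keyType, issuers, socket); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }

    /** Builds an SSLContext whose client-certificate choice goes through this manager (assumed helper). */
    public static SSLContext buildContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore,
                                          Map<String, String> aliasByHost) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        X509KeyManager base = null;
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) { base = (X509KeyManager) km; break; }
        }
        if (base == null) throw new IllegalStateException("no X509KeyManager available for key store");
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new EndpointPinnedKeyManager(base, aliasByHost) }, tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

Two points worth noting. First, as Oleg says, nothing in TLS forces the client to honour the server's issuer list: the key manager is the one place where that policy lives, so this is also where a deployment can make sure the same client never presents a certificate meant for one endpoint to a different one. Second, when the pinned alias is missing from the key store the wrapper deliberately returns null, so the handshake proceeds without a client certificate and the server rejects it if it requires one; that failure is visible and diagnosable, whereas silently falling back to the default selection could succeed with the wrong identity.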
