synapse-dev mailing list archives

From Andreas Veithen <andreas.veit...@gmail.com>
Subject Re: Supporting Multiple SSL Configurations at Sender
Date Tue, 21 Jul 2009 09:55:51 GMT
On Tue, Jul 21, 2009 at 11:30, Oleg Kalnichevski<olegk@apache.org> wrote:
> On Tue, Jul 21, 2009 at 11:22:58AM +0200, Andreas Veithen wrote:
>> > Well, if not through different stores, how can we let the KeyManager know
>> > what cert to use for this particular endpoint?
>>
>> If I remember well, this is how it works: during the handshake, the
>> server presents a list of trusted CAs to the client. The client then
>> selects the certificate that is signed (directly or indirectly) by
>> that CA and uses that to authenticate. I'm pretty sure this is what
>> happens when you create a java.net.URL with the https scheme and call
>> openConnection on it. Since behind the scenes this uses an SSLContext,
>> chances are high that it also works with our HTTPS transport (or that
>> it would be pretty easy to make it work).
>>
>> Of course this only satisfies the requirement if the two endpoints use
>> different CAs, which should be the usual case.
>>
>> Andreas
>>
>
> Hi Andreas
>
> I may be wrong about it but I believe the client can present whatever client
> cert it pleases. That cert does not _have_ to be signed by one of the trusted
> CA certs sent to client by the server. For instance, common browsers simply pop
> up a UI dialog and let you pick any client certificate available in the
> certificate store, if the server requests client authentication in the course
> of SSL context negotiation.
>
> Oleg
>

That is possible, but it is only relevant for a scheme where the
consumer of the service creates a certificate himself (typically a
self-signed certificate) and somehow registers that with the provider
of the service. This implies that the provider has to manage a list of
recognized client certificates to authenticate the client. I don't
think that is a usual scheme for Web services (BTW, how would you do
that with Axis2?), but that it is more usual for the provider to issue
certificates to the consumer, so that authentication is based on the
signature on the client certificate. But again, this is a question
about the requirements.

Andreas

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@synapse.apache.org
For additional commands, e-mail: dev-help@synapse.apache.org
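
The selection rule discussed in this thread (pick the client certificate whose chain leads to a CA the server listed) can be made explicit with a JSSE key manager wrapper. This is an added example, not part of the original message or of Synapse; the class name `IssuerMatchingKeyManager` is hypothetical, and it assumes the TLS stack passes the server's CA list as `X500Principal` objects.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.X509KeyManager;

/** Hypothetical wrapper: picks the client alias whose chain leads to a CA the server named. */
public final class IssuerMatchingKeyManager implements X509KeyManager {
    private final X509KeyManager delegate; // e.g. one of KeyManagerFactory.getKeyManagers()

    public IssuerMatchingKeyManager(X509KeyManager delegate) { this.delegate = delegate; }

    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        // An empty CA list in the server's request gives nothing to match on.
        if (issuers == null || issuers.length == 0) return null;
        Set<Principal> acceptable = new HashSet<>(Arrays.asList(issuers));
        for (String keyType : keyTypes) {
            String[] aliases = delegate.getClientAliases(keyType, null); // null = any issuer
            if (aliases == null) continue;
            for (String alias : aliases) {
                X509Certificate[] chain = delegate.getCertificateChain(alias);
                if (chain == null) continue;
                // Signed directly or indirectly: any certificate in the chain may name the CA.
                for (X509Certificate cert : chain) {
                    if (acceptable.contains(cert.getIssuerX500Principal())) return alias;
                }
            }
        }
        return null; // no match: present no certificate instead of an arbitrary one
    }

    @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }
    @Override public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseServerAlias(keyType, issuers, socket);
    }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }
}
```

To use it, wrap the `X509KeyManager` returned by a `KeyManagerFactory` and pass the wrapper to `SSLContext.init`. As noted in the thread, this only distinguishes endpoints whose servers list different CAs.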

