Re: [jaxrs-dev] SeBootstrap.SSLClientAuthentication Clarification

There is nothing odd at all. Actually in 99% of all HTTPS requests in the www, the client (= browser) definitively will NOT send a client certificate, so that's why the default is NONE.

-Markus

 

From: jaxrs-dev [mailto:jaxrs-dev-bounces@xxxxxxxxxxx] On Behalf Of James Perkins
Sent: Wednesday, March 9, 2022 23:06
To: jaxrs developer discussions
Subject: Re: [jaxrs-dev] SeBootstrap.SSLClientAuthentication Clarification

 

Thank you Christian. It seems a bit odd then to default to NONE since using SSL you'd expect the client to send a valid certificate.

 

On Tue, Mar 8, 2022 at 11:23 PM Christian Kaltepoth <christian@xxxxxxxxxxxx> wrote:

Hi James,

 

I guess the wording "invalid clients" is a bit confusing. As far as I understand, both OPTIONAL and MANDATORY will request a client certificate in the SSL "server hello" message. However, if the client doesn't send a client certificate (or an untrusted one), MANDATORY will lead to a handshake failure, while OPTIONAL does not.

 

Christian

 

On Tue, Mar 8, 2022 at 21:11, James Perkins <jperkins@xxxxxxxxxx> wrote:

Hello All,

I'm trying to understand the usage of SSLClientAuthentication. The 3 options are NONE, OPTIONAL and MANDATORY. There is nothing in the specification about it, but the JavaDoc says:

 

"Secure socket client authentication policy


This policy is used in secure socket handshake to control whether the server requests client authentication, and whether successful client authentication is mandatory (i. e. connection attempt will fail for invalid clients)."

 

What I don't really understand is what is the use-case for an invalid client certificate? It seems a bit odd to me to allow invalid client certs, but I might just be missing some use-case.

 

--

James R. Perkins

JBoss by Red Hat

_______________________________________________
jaxrs-dev mailing list
jaxrs-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jaxrs-dev


 



 

--

James R. Perkins

JBoss by Red Hat
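
The three policies discussed in this thread, shown on a server-side JSSE `SSLEngine`, as an added example that is not part of the original messages or of any Jakarta REST implementation. The `Policy` enum is a hypothetical stand-in for the NONE, OPTIONAL and MANDATORY values, and mapping them onto the JDK's `wantClientAuth` and `needClientAuth` flags is an assumption about how a JSSE-based server would apply them.

```java
import java.security.Principal;
import java.util.Optional;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

public class ClientAuthPolicyDemo {
    // Hypothetical local enum; stands in for the three values named in the thread.
    enum Policy { NONE, OPTIONAL, MANDATORY }

    // Assumed mapping of each policy onto the JDK's JSSE handshake flags.
    static SSLParameters apply(Policy policy, SSLParameters params) {
        switch (policy) {
            case OPTIONAL:  params.setWantClientAuth(true); break;  // request; continue if no cert is sent
            case MANDATORY: params.setNeedClientAuth(true); break;  // request; handshake fails if no cert is sent
            default:        params.setWantClientAuth(false);        // do not request; also clears "need"
        }
        return params;
    }

    // Returns the authenticated client identity, or empty if the peer presented no certificate.
    // Under OPTIONAL this check is what separates anonymous from authenticated connections.
    static Optional<Principal> clientIdentity(SSLSession session) {
        try {
            return Optional.of(session.getPeerPrincipal());
        } catch (SSLPeerUnverifiedException e) {
            return Optional.empty();
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        for (Policy p : Policy.values()) {
            SSLEngine engine = ctx.createSSLEngine();
            engine.setUseClientMode(false); // act as the server side of the handshake
            engine.setSSLParameters(apply(p, engine.getSSLParameters()));
            boolean need = engine.getNeedClientAuth();
            boolean requests = need || engine.getWantClientAuth();
            // No handshake has run here, so the session has no peer: the same state an
            // OPTIONAL connection is in after a client completed the handshake without a cert.
            System.out.printf("%-9s requestsCert=%b failsWithoutCert=%b identity=%s%n",
                    p, requests, need, clientIdentity(engine.getSession()));
        }
    }
}
```

With OPTIONAL, a completed handshake says nothing about who the client is, so any resource that depends on client identity has to treat an empty result from `clientIdentity` as anonymous.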

