[
https://issues.apache.org/jira/browse/CALCITE-2285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16463201#comment-16463201
]
Karan Mehta commented on CALCITE-2285:
--------------------------------------
{quote}
I'm familiar with two-way SSL/mutual authn, but I'm getting the impression that
MTLS goes farther than that? Is this something that is generally implemented by
all HTTP servers
{quote}
First level check for MTLS includes whether the client cert is verified by one
of the trusted roots present in the Server truststore, or, if no truststore is
provided, it checks whether both the server and client side certs have the same
roots.
Customized logic can be added to filter/authenticate users based on other
fields present in the cert. For example, we can use the CN field of the cert to
whitelist certain hosts (since the CN field usually contains the hostname), or
store client information in the OU field and whitelist certain clients based on it.
{quote}
Is this something that is generally implemented by all HTTP servers?
{quote}
Not necessarily, it is just an extra security measure. It is generally used only in
internal environments, for example company servers, where all clients are
well-known in advance.
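The two levels described in the comment above, as an added example in Java that is not Avatica's own code: the keystore supplies this side's cert and key, the truststore decides which roots the peer's chain may end at, and a wrapping X509TrustManager then applies an OU allow-list. The file paths, passwords and the `avatica-clients` OU value are assumptions constructed for this example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.*;

public final class MtlsContext {
  static final Set<String> ALLOWED_OU = Set.of("avatica-clients"); // hypothetical allow-list, constructed
  static KeyStore load(String path, char[] pass) throws Exception {
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pass); }
    return ks;
  }
  // Keystore = own cert + key (what the peer verifies); truststore = roots accepted from the peer.
  public static SSLContext build(String ksPath, char[] ksPass, String tsPath, char[] tsPass) throws Exception {
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(load(ksPath, ksPass), ksPass);
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(load(tsPath, tsPass));
    // Wrap the default trust manager: chain check first, then the OU allow-list.
    TrustManager[] tms = tmf.getTrustManagers();
    for (int i = 0; i < tms.length; i++) {
      if (tms[i] instanceof X509TrustManager) tms[i] = new OuFilter((X509TrustManager) tms[i]);
    }
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(kmf.getKeyManagers(), tms, null);
    return ctx;
  }
  static final class OuFilter implements X509TrustManager {
    private final X509TrustManager delegate;
    OuFilter(X509TrustManager d) { delegate = d; }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
      delegate.checkClientTrusted(chain, authType); // first level: chain must end at a trusted root
      String ou = rdn(chain[0], "OU");              // chain[0] is the client's leaf cert
      if (ou == null || !ALLOWED_OU.contains(ou)) throw new CertificateException("client OU not allowed: " + ou);
    }
    @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkServerTrusted(c, a); }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    // Extract one RDN (CN, OU, ...) from the leaf's subject DN; null if absent.
    static String rdn(X509Certificate cert, String type) throws CertificateException {
      try {
        for (Rdn r : new LdapName(cert.getSubjectX500Principal().getName()).getRdns())
          if (r.getType().equalsIgnoreCase(type)) return String.valueOf(r.getValue());
      } catch (javax.naming.InvalidNameException e) { throw new CertificateException(e); }
      return null;
    }
  }
}
```

On the server side the wrapped manager rejects the handshake when the client's leaf cert chains correctly but carries an OU outside the allow-list; the same `build` call on the client side gives it a keystore to present, which is the gap this issue describes.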
> Support client cert keystore for Avatica Client
> -----------------------------------------------
>
> Key: CALCITE-2285
> URL: https://issues.apache.org/jira/browse/CALCITE-2285
> Project: Calcite
> Issue Type: Improvement
> Components: avatica
> Reporter: Karan Mehta
> Assignee: Karan Mehta
> Priority: Major
>
> Currently Avatica only supports adding a trust-store in {{SSLContext}} in all
> {{AvaticaHttpClient}} implementations. If keystore support is added, MTLS
> connections can be established as well.