I'm not quite clear about your question, Łukasz.

Do you mean, what happens if the server requires client
authentication, and the client doesn't provide a keypair? In that
case, the handshake will definitely fail.

The OOTB server-side behavior in CXF should be to not require client
authentication (via a keypair), though if you're talking to a 3rd
party SSL server, it will depend on how the server is configured.

The changes Dan made were to allow clients to connect to servers that
don't require TLS client authentication without requiring any explicit
client-side config -- in that case the truststore in the JVM is used
during the handshake to verify trust in the server.

Of course, this is a pretty weak trust model, but that's okay -- no
one really bothers to check the hashes or signatures on the JVM
anyway, so who cares if your JVM has been hacked? Might as well just
turn security off, which is what most people do, anyway.

-Fred

On Aug 14, 2008, at 9:53 PM, Glen Mazza wrote:

Łukasz Pijanowski wrote:
One more question: in the http:conduit configuration there is no
client certificate's alias/name statement. What will happen if client
authentication is turned on?

You can give username and passwords like so:
http://www.jroller.com/gmazza/date/20080322

HTH,
Glen
--
View this message in context:
http://www.nabble.com/CXF-over-HTTPS-on-Glassfish-and-Tomcat-tp18729679p18992545.html
Sent from the cxf-user mailing list archive at Nabble.com.
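
The client-side alternative to relying on the JVM truststore, as an added example that is not part of the original messages or CXF's own samples: an http:conduit that pins its own truststore and supplies a keypair for servers that require TLS client authentication. The wildcard conduit name, file names and passwords are placeholders chosen for illustration.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/transports/http/configuration
         http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://cxf.apache.org/configuration/security
         http://cxf.apache.org/schemas/configuration/security.xsd">

  <!-- Placeholder name: "*.http-conduit" applies to every HTTP conduit.
       Per the thread, leaving tlsClientParameters out entirely makes the
       client fall back to the JVM's default truststore. -->
  <http:conduit name="*.http-conduit">
    <http:tlsClientParameters>

      <!-- Explicit truststore: only the CA or server certificates placed
           in this file are trusted, instead of everything the JVM ships. -->
      <sec:trustManagers>
        <sec:keyStore type="JKS"
                      file="client-truststore.jks"
                      password="CHANGE_ME_TRUSTSTORE"/>
      </sec:trustManagers>

      <!-- Client keypair: needed only when the server requires client
           authentication. Without it, that handshake fails. -->
      <sec:keyManagers keyPassword="CHANGE_ME_KEY">
        <sec:keyStore type="JKS"
                      file="client-keystore.jks"
                      password="CHANGE_ME_KEYSTORE"/>
      </sec:keyManagers>

    </http:tlsClientParameters>
  </http:conduit>
</beans>
```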