On Fri, Aug 15, 2008 at 2:51 PM, Fred Dushin <[EMAIL PROTECTED]> wrote:
> I'm not quite clear about your question, Łukasz.
>
> Do you mean, what happens if the server requires client authentication, and
> the client doesn't provide a keypair?  In that case, the handshake will
> definitely fail.
>
> The OOTB server-side behavior in CXF should be to not require client
> authentication (via a keypair), though if you're talking to a 3rd party SSL
> server, it will depend on how the server is configured.
>
> The changes Dan made were to allow clients to connect to servers that don't
> require TLS client authentication without requiring any explicit client-side
> config -- in that case the truststore in the JVM is used during the
> handshake to verify trust in the server.
>
> Of course, this is a pretty weak trust model, but that's okay -- no one
> really bothers to check the hashes or signatures on the JVM anyway, so who
> cares if your JVM has been hacked?  Might as well just turn security off,
> which is what most people do, anyway.
>
> -Fred


First, Fred and Glen - thank you both for your answers.

Maybe I will describe what I am trying to do in more detail.

I have a web service provider configured with a CXFServlet under Glassfish v2.
The HTTP SSL listener is configured to require client authentication. This
web service provider is a part of an enterprise application.

On the other side, I have a web service client connecting from a web
application (also working under Glassfish v2).

I managed to configure CXF to use timestamp, sign and encode messages.
Keystores under both provider enterprise application and client web
application are configured properly.

Now I want to turn on HTTPS to secure the connection additionally. As
I understand, you have to add <http:conduit> configuration element to
the client configuration.
I was thinking how the client is going to authenticate if there is no
explicit certificate alias mentioned in the configuration? Maybe the
client will use the certificate of the application server (Glassfish
v2) it is working on?

Cheers!
-- 
Łukasz

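As an added illustration (not from the thread, and not CXF's own sample), this is the shape of client-side `<http:conduit>` configuration Łukasz is asking about: the `keyManagers` keystore holds the client's key pair that answers the server's client-authentication request, `trustManagers` holds the CAs used to verify the server, and `certAlias` names one entry when the keystore holds several. File paths, passwords and the alias are placeholders.

```xml
<!-- Added example (not from the thread): a client-side CXF conduit that
     enables HTTPS with TLS client authentication. File names, passwords
     and the alias are placeholders; adjust them to your own keystores. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/transports/http/configuration
           http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://cxf.apache.org/configuration/security
           http://cxf.apache.org/schemas/configuration/security.xsd">

  <!-- "*.http-conduit" applies to every HTTP conduit on this bus; a
       port-specific name "{namespace}PortName.http-conduit" is also allowed. -->
  <http:conduit name="*.http-conduit">
    <!-- certAlias selects one entry when the client keystore holds several
         key pairs; without it, the JSSE key manager picks a compatible one. -->
    <http:tlsClientParameters secureSocketProtocol="TLS"
                              certAlias="client-cert-alias">
      <!-- The client's own key pair: this is what is presented when the
           server (here, the Glassfish listener) requires client auth. -->
      <sec:keyManagers keyPassword="client-key-password">
        <sec:keyStore type="JKS" password="client-keystore-password"
                      file="/path/to/client-keystore.jks"/>
      </sec:keyManagers>
      <!-- CA certificates the client trusts when verifying the server's
           certificate; replaces the JVM default truststore for this conduit. -->
      <sec:trustManagers>
        <sec:keyStore type="JKS" password="truststore-password"
                      file="/path/to/client-truststore.jks"/>
      </sec:trustManagers>
    </http:tlsClientParameters>
  </http:conduit>

</beans>
```

With no `keyManagers` element the conduit has no client certificate to offer from this configuration, so a listener that requires client authentication will reject the handshake, as Fred describes.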