Re: [jaxrs-dev] SeBootstrap.SSLClientAuthentication Clarification

I see, sorry. This is referring to client authentication with certificates. I was thinking more the actual TLS handshake, not the authentication authorization with certificates.

On Wed, Mar 9, 2022 at 10:48 PM Markus Karg <markus@xxxxxxxxxxxxxxx> wrote:

The use case is that the server could accept both types of clients, those with cert and those without. Why an application programmer wants to do that is up to him. The API shall not limit him just because you do not know such a use case.

-Markus

 

From: jaxrs-dev [mailto:jaxrs-dev-bounces@xxxxxxxxxxx] On Behalf Of James Perkins
Sent: Tuesday, March 8, 2022 21:11
To: jaxrs-dev
Subject: [jaxrs-dev] SeBootstrap.SSLClientAuthentication Clarification

 

Hello All,

I'm trying to understand the usage of SSLClientAuthentication. The 3 options are NONE, OPTIONAL and MANDATORY. There is nothing in the specification about it, but the JavaDoc says:

 

"Secure socket client authentication policy


This policy is used in secure socket handshake to control whether the server requests client authentication, and whether successful client authentication is mandatory (i. e. connection attempt will fail for invalid clients)."

 

What I don't really understand is what is the use-case for an invalid client certificate? It seems a bit odd to me to allow invalid client certs, but I might just be missing some use-case.

 

--

James R. Perkins

JBoss by Red Hat



--
James R. Perkins
JBoss by Red Hat
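
The three policies discussed in this thread, shown as an added example that is not part of the original messages or of the Jakarta REST API. It uses only JDK classes; the local `Policy` enum and the mapping onto JSSE's want/need flags are assumptions about how a server could honour NONE, OPTIONAL and MANDATORY, and `clientIdentity` is a hypothetical helper showing the per-connection check an application needs when it accepts clients both with and without a certificate.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Optional;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;

public class ClientAuthPolicyDemo {

    // Local stand-in for the three SSLClientAuthentication values (hypothetical name).
    enum Policy { NONE, OPTIONAL, MANDATORY }

    // Assumed mapping onto JSSE: OPTIONAL -> "want", MANDATORY -> "need".
    static SSLParameters apply(Policy policy, SSLParameters params) {
        switch (policy) {
            case OPTIONAL:
                params.setWantClientAuth(true);   // request a cert, continue if none is sent
                break;
            case MANDATORY:
                params.setNeedClientAuth(true);   // request a cert, fail the handshake if none is sent
                break;
            default:
                params.setWantClientAuth(false);  // do not request a client certificate
                params.setNeedClientAuth(false);
        }
        return params;
    }

    // Under OPTIONAL the handshake succeeds for both kinds of client, so the
    // application has to ask per connection whether the peer authenticated.
    static Optional<X500Principal> clientIdentity(SSLSession session) {
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length > 0 && chain[0] instanceof X509Certificate) {
                return Optional.of(((X509Certificate) chain[0]).getSubjectX500Principal());
            }
            return Optional.empty();
        } catch (SSLPeerUnverifiedException noClientCert) {
            return Optional.empty();              // anonymous client: treat as unauthenticated
        }
    }

    public static void main(String[] args) {
        for (Policy p : Policy.values()) {
            SSLParameters sp = apply(p, new SSLParameters());
            System.out.printf("%-9s want=%b need=%b%n", p, sp.getWantClientAuth(), sp.getNeedClientAuth());
        }
    }
}
```

In JSSE the "want" setting only tolerates a client that sends no certificate; a certificate that is sent but rejected by the trust manager still aborts the handshake. Resources that require an identity should therefore deny access whenever `clientIdentity` returns an empty value.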
