If I were to use a client certificate when connecting to a server over HTTPS, how would the SSL implementation (JSSE) figure out which certificate to send (assuming there are many in the client's keystore)?
Thanks Alex. However, I already knew that much. What I'm wondering is what happens under the covers if I don't locate the certificate myself but instead let the JSSE "https" handler take care of everything -- will it blindly pick the first certificate from the keystore, or use some kind of "preference" logic to determine the "best match" to what the server is requesting during the handshake? Please, just say so if I'm way off here. I'm really new to client certificates...
Hi Lasse, Yes, a client certificate is still required in spite of this not really being evident in the second snippet of code. All the implementation hidden underneath the HttpsURLConnection is literally (almost) identical to the first code snippet. It makes sense because it makes the whole ordeal of setting up SSL convenient for developers. Yet again, the trade-off is leaving us blind to what is actually going on. Hope that helps. Cheers, Alex
Originally posted by Alex Black: It makes sense because it makes the whole ordeal of setting up SSL convenient for developers. Yet again, the trade-off is leaving us blind to what is actually going on.
So would it be a fair guess that "under the hood", the code is actually just picking the first certificate from the keystore? The other option, I think, would be that the server indicates some sort of preferences for the client certificate (a bit like the client advertises all the algorithms it knows upon starting the handshake) based on which the "https" protocol handler selects one of the client's certificates to be sent.
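The selection the two questions above are asking about happens in the X509KeyManager that JSSE attaches to the SSLContext: when the server's CertificateRequest arrives, JSSE calls chooseClientAlias with the key types and the issuer names the server advertised, and the default (SunX509) key manager returns the first keystore alias whose certificate matches one of those key types and, if the server sent any issuers, was issued by one of them. The following is an added example, not code from this thread, that wraps the default key manager so the handshake parameters and the chosen alias become visible, and optionally pins a preferred alias. The class name LoggingKeyManager, the keystore path, password and alias strings are assumptions; the JSSE types and methods are the real javax.net.ssl API.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;

/** Wraps JSSE's default key manager so the client-certificate choice is observable and overridable. */
public final class LoggingKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;
    private final String preferredAlias; // null means "accept whatever the default picks"

    LoggingKeyManager(X509KeyManager delegate, String preferredAlias) {
        this.delegate = delegate;
        this.preferredAlias = preferredAlias;
    }

    /** Called by JSSE once per handshake in which the server asked for a client certificate. */
    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        // keyTypes come from the server's CertificateRequest; issuers is null when the
        // server sent an empty CA list, in which case any issuer is acceptable.
        System.out.println("server accepts key types " + Arrays.toString(keyTypes)
                + " from issuers " + (issuers == null ? "(any)" : Arrays.toString(issuers)));
        if (preferredAlias != null) {
            for (String keyType : keyTypes) {
                // Only honour the pin if the delegate itself considers that alias eligible,
                // so we never offer a certificate the server could not validate.
                String[] eligible = delegate.getClientAliases(keyType, issuers);
                if (eligible != null && Arrays.asList(eligible).contains(preferredAlias)) {
                    System.out.println("using pinned alias " + preferredAlias);
                    return preferredAlias;
                }
            }
            System.out.println("pinned alias " + preferredAlias + " not eligible, falling back");
        }
        String chosen = delegate.chooseClientAlias(keyTypes, issuers, socket);
        System.out.println("default key manager chose alias " + chosen);
        return chosen;
    }

    @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseServerAlias(keyType, issuers, socket);
    }
    @Override public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }
    @Override public PrivateKey getPrivateKey(String alias) {
        return delegate.getPrivateKey(alias);
    }

    /** Builds an SSLContext whose key managers are wrapped; trust managers stay at the JSSE default. */
    public static SSLContext build(String keystorePath, char[] password, String preferredAlias)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        KeyManager[] original = kmf.getKeyManagers();
        KeyManager[] wrapped = new KeyManager[original.length];
        for (int i = 0; i < original.length; i++) {
            wrapped[i] = original[i] instanceof X509KeyManager
                    ? new LoggingKeyManager((X509KeyManager) original[i], preferredAlias)
                    : original[i];
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(wrapped, null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed values: path, password and alias are placeholders for a real client keystore.
        SSLContext ctx = build("client.jks", "changeit".toCharArray(), "my-client-cert");
        // From here on every HttpsURLConnection goes through the wrapped key manager.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }
}
```

Two things worth knowing when reading the log output: the SunX509 manager reports aliases exactly as they appear in the keystore, whereas the "NewSunX509"/PKIX manager prefixes them (for example "1.0.alias"), so a pinned alias should be compared against what getClientAliases actually returns, as the wrapper does. And if the delegate returns null, JSSE sends no certificate at all and the server decides whether to continue; that is usually the first thing to check when a server unexpectedly rejects the client.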