Two more minor points regarding ‘non-standard’ CAs and SSL connections.
When an SSL client connects to a webMethods IS SSL port, IS returns a list of trusted CA authorities to the client. You can view this by running this OpenSSL test client command:
openssl s_client -host <IS> -port <IS_SSL_PORT>
(See output under “Acceptable client certificate CA names…”)
Perhaps this information is only required when client certificate authentication is supported by the server. Connecting to GOOGLE.COM via SSL, for instance, does not return the list of CAs, but connecting to SDN.SAP.COM (which uses client certificates) does return a small list of acceptable client CAs.
I see two issues with this behavior and ‘non-standard’ CAs:
- As the list of trusted CAs keeps growing, SSL connection setup overhead increases slightly. (Usually, this is too minor to be an issue)
- However, an SSL client may obtain information on third-party business relationships of the company running the SSL server (because the third-party self-signed CAs are returned to the client.)
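To see how much a server discloses in that CertificateRequest list, the "Acceptable client certificate CA names" block can be pulled out of saved s_client output and counted. The function below is an added example, not code from the post or from webMethods; it parses the text layout of current OpenSSL output (section ends at the next "Client Certificate Types" line or "---" separator, an assumption about the layout), and the sample output, hostnames and CA names in it are constructed placeholders rather than a real capture.

```shell
#!/bin/sh
# Print the DNs listed under "Acceptable client certificate CA names" in
# `openssl s_client` output read from stdin. Assumes (as in current OpenSSL
# builds) that the list ends at "Client Certificate Types" or a "---" line.
acceptable_client_cas() {
  awk '
    /^Acceptable client certificate CA names/ { in_list = 1; next }
    in_list && (/^Client Certificate Types/ || /^---/) { in_list = 0 }
    in_list && NF { print }
  '
}

# Number of CA names the server advertised to the client.
count_acceptable_cas() {
  acceptable_client_cas | wc -l | tr -d ' '
}

# Constructed sample of s_client output; not captured from a real server.
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=0 CN = is.example.internal
verify return:1
---
Certificate chain
 0 s:CN = is.example.internal
   i:CN = Example Corp Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
subject=CN = is.example.internal
issuer=CN = Example Corp Root CA
---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Corp Root CA
C = DE, O = Partner GmbH, CN = Partner GmbH Self-Signed CA
C = US, O = Another Trading Partner Inc, CN = Trading Partner CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
---
SSL handshake has read 2048 bytes and written 400 bytes
'

# Against a live server the same function takes the real output, e.g.
#   openssl s_client -host <IS> -port <IS_SSL_PORT> </dev/null 2>/dev/null \
#     | acceptable_client_cas
# Here it runs on the constructed sample.
printf '%s' "$SAMPLE_OUTPUT" | acceptable_client_cas
echo "advertised CA names: $(printf '%s' "$SAMPLE_OUTPUT" | count_acceptable_cas)"
```

Reviewing this list on your own IS ports is a quick way to check which partner CAs are visible to anyone who can open a TLS connection; a server that does not request client certificates prints "No client certificate CA names sent" instead, and the function then yields nothing.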