adamfisk / LittleProxy

High performance HTTP proxy originally written by your friends at Lantern and now maintained by a stellar group of volunteer open source programmers.
https://www.getlantern.org
Apache License 2.0
2.06k stars 778 forks

Consider changing default value of withAuthenticateSslClients to false #252

Open MediumOne opened 8 years ago

MediumOne commented 8 years ago

I wanted to run a littleproxy instance with SSL enabled. I had used the withSslEngineSource API in the bootstrap for this. When I used my client to talk to this proxy, I got an SSL error (javax.net.ssl.SSLHandshakeException: null cert chain). It was not obvious that SSL client authentication was enabled and that the proxy was expecting the client certificates. It took me some time to figure this out.

I believe that the default value of withAuthenticateSslClients should be changed to false because I guess disabling SSL client auth would be the more common scenario. But I could be wrong. Another solution is to update the method documentation of withSslEngineSource to mention that SSL client authentication is enabled by default (with a note to see the withAuthenticateSslClients method).

Please do let me know which is the better solution and I can raise a PR with the changes.

jekh commented 8 years ago

I'd be kind of curious to hear from people who actually use this feature (I haven't). But documentation update + change to not authenticate by default seems entirely reasonable to me.

MediumOne commented 8 years ago

Let me add a post on the littleproxy Google group asking for any comments on this change.

If we decide to change the default value to false, then how do we handle upgrades? Users who have it enabled already by default (without calling withAuthenticateSslClients()) need to now make a change in their applications to enable it. Is this okay? Or do we make any guarantees about forward compatibility? :)
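
Added example, not part of the thread or of LittleProxy's own code: a proxy bootstrap that sets withAuthenticateSslClients explicitly, so the TLS client-certificate requirement does not depend on the library default discussed above. Assumptions: LittleProxy 1.1.x, where SslEngineSource declares both newSslEngine overloads; the class name, the engineSource helper, port 8443 and the PROXY_KEYSTORE_PASSWORD variable are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import org.littleshoot.proxy.SslEngineSource;
import org.littleshoot.proxy.impl.DefaultHttpProxyServer;

public class ExplicitClientAuthProxy {
    // Hypothetical helper: one keystore supplies the proxy's key pair and the
    // trust anchors used to validate client certificates when they are required.
    static SslEngineSource engineSource(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        final SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return new SslEngineSource() {
            @Override public SSLEngine newSslEngine() {
                return ctx.createSSLEngine();
            }
            @Override public SSLEngine newSslEngine(String peerHost, int peerPort) {
                return ctx.createSSLEngine(peerHost, peerPort);
            }
        };
    }

    public static void main(String[] args) throws Exception {
        String password = System.getenv("PROXY_KEYSTORE_PASSWORD"); // hypothetical variable
        if (args.length < 1 || password == null) {
            System.err.println("usage: ExplicitClientAuthProxy <keystore> [true|false]");
            System.exit(2);
        }
        // true  -> clients that present no certificate fail the handshake
        //          (the "null cert chain" error reported in this issue)
        // false -> server-authenticated TLS only
        boolean requireClientCerts = args.length > 1 && Boolean.parseBoolean(args[1]);
        DefaultHttpProxyServer.bootstrap()
            .withPort(8443)
            .withSslEngineSource(engineSource(args[0], password.toCharArray()))
            .withAuthenticateSslClients(requireClientCerts) // never left to the default
            .start();
    }
}
```

Deployments that rely on mutual TLS keep it across a default change by passing true here, which is the upgrade concern raised in the last comment.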