Openfire supports client certificate authentication in conjunction with SASL-EXTERNAL. However, I haven’t been able to find any evidence (by scouring the web) that it supports it also over HTTPS BOSH or WSS websocket.
My understanding is that for client certificates to be supported with HTTPS/BOSH, the Openfire BOSH connection manager must explicitly request from the client a signed certificate, otherwise the browser will not send one.
Does Openfire support this use case (client certificate auth over BOSH)?
I think Openfire supports this through the httpbind.client.cert.policy property, which can have one of these values:
disabled: No authentication will be performed on the client. Client credentials will not be verified while negotiating TLS.
wanted: Clients will try to be authenticated. Might or might not fail when clients provide no or an invalid certificate (not sure, might even be implementation specific)