I am working on adding support to Pidgin for client-side certificate authentication. I have this working if I connect to Openfire using legacy SSL (on port 5223), but it is not working when using STARTTLS on port 5222. I compared the SSL handshakes of each and discovered that when STARTTLS is used the list of certificate authorities in the Certificate Request message from the server (labeled Distinguished Names in the Wireshark dump below) is empty, while with legacy SSL this message contains all the CAs in my client trust store. I checked and found that filter.setNeedClientAuth is being set to true in org.jivesoftware.openfire.nio.NIOConnection.startTLS.
Is this a bug or a configuration issue?
Secure Socket Layer
  TLSv1 Record Layer: Handshake Protocol: Multiple Handshake Messages
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 1012
    Handshake Protocol: Server Hello
    Handshake Protocol: Certificate
    Handshake Protocol: Server Key Exchange
    Handshake Protocol: Certificate Request
      Handshake Type: Certificate Request (13)
      Length: 6
      Certificate types count: 3
      Certificate types (3 types)
        Certificate type: RSA Sign (1)
        Certificate type: DSS Sign (2)
        Certificate type: Unknown (64)
      Distinguished Names Length: 0
    Handshake Protocol: Server Hello Done
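As an added example (not code from the post, from Pidgin or from Openfire), the following Python encoder/decoder for the TLS CertificateRequest handshake message (RFC 2246 / RFC 5246 section 7.4.4) lets you check from a captured handshake whether the server advertised any CA distinguished names. The first message is constructed from the byte values visible in the dump above (handshake type 13, length 6, certificate types 1, 2 and 64, distinguished-names length 0); the second message and the CA names in it are constructed for illustration only. Certificate type 64 is ecdsa_sign (RFC 4492), which the Wireshark build that produced the dump shows as Unknown. The capture is TLS 1.0, so it carries no signature_algorithms vector; the decoder takes a flag for the TLS 1.2 layout that inserts one between the certificate types and the CA list.

```python
"""Encode/decode the TLS CertificateRequest handshake message and report the
CA distinguished names it advertises. Added example, not Pidgin/Openfire code."""
import struct

HANDSHAKE_CERTIFICATE_REQUEST = 13
# ClientCertificateType codes: 1 and 2 from RFC 5246, 64 (ecdsa_sign) from RFC 4492.
CERT_TYPE_NAMES = {1: "rsa_sign", 2: "dss_sign", 64: "ecdsa_sign"}
OID_COMMON_NAME = b"\x06\x03\x55\x04\x03"  # DER-encoded OID 2.5.4.3 (CN)


def build_certificate_request(cert_types, ca_names, sig_algs=None):
    """Serialize a CertificateRequest (handshake header + body).

    cert_types: ClientCertificateType codes; ca_names: DER-encoded X.501 Names;
    sig_algs: list of (hash, signature) byte pairs, present only in TLS 1.2.
    """
    body = bytes([len(cert_types)]) + bytes(cert_types)
    if sig_algs is not None:
        algs = b"".join(bytes(pair) for pair in sig_algs)
        body += struct.pack("!H", len(algs)) + algs
    dns = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    body += struct.pack("!H", len(dns)) + dns
    # Handshake header: 1-byte msg_type followed by a 3-byte length.
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def parse_certificate_request(msg, tls12=False):
    """Parse a CertificateRequest; raises ValueError rather than read past the buffer."""
    if len(msg) < 4 or msg[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake body")

    def take(n, at):  # bounds-checked slice of the body
        if at + n > len(body):
            raise ValueError("field runs past end of body")
        return body[at:at + n], at + n

    raw, pos = take(1, 0)
    raw, pos = take(raw[0], pos)
    cert_types = [CERT_TYPE_NAMES.get(t, "unknown(%d)" % t) for t in raw]
    sig_algs = []
    if tls12:  # TLS 1.2 only: supported_signature_algorithms<2..2^16-2>
        raw, pos = take(2, pos)
        raw, pos = take(struct.unpack("!H", raw)[0], pos)
        sig_algs = [(raw[i], raw[i + 1]) for i in range(0, len(raw) - 1, 2)]
    raw, pos = take(2, pos)
    dns_end = pos + struct.unpack("!H", raw)[0]
    ca_names = []
    while pos < dns_end:  # certificate_authorities: sequence of length-prefixed DER Names
        raw, pos = take(2, pos)
        raw, pos = take(struct.unpack("!H", raw)[0], pos)
        ca_names.append(raw)
    if pos != dns_end or pos != len(body):
        raise ValueError("certificate_authorities length mismatch")
    return {"cert_types": cert_types, "signature_algorithms": sig_algs, "ca_names": ca_names}


def _der(tag, content):
    """DER TLV with short-form length (content under 128 bytes; enough for this demo)."""
    if len(content) >= 128:
        raise ValueError("short-form DER length only")
    return bytes([tag, len(content)]) + content


def der_name_cn(cn):
    """Constructed DER Name holding a single CN: SEQUENCE{SET{SEQUENCE{OID, PrintableString}}}."""
    attr = _der(0x30, OID_COMMON_NAME + _der(0x13, cn.encode("ascii")))
    return _der(0x30, _der(0x31, attr))


def common_names(der_name):
    """Minimal DER walk returning the CN values of a Name (short-form lengths only)."""
    cns, idx = [], der_name.find(OID_COMMON_NAME)
    while idx != -1:
        start = idx + len(OID_COMMON_NAME)
        vlen = der_name[start + 1]
        cns.append(der_name[start + 2:start + 2 + vlen].decode("ascii"))
        idx = der_name.find(OID_COMMON_NAME, start + 2 + vlen)
    return cns


def advertised_ca_names(msg, tls12=False):
    """CNs of every CA the server listed; an empty list means the client gets no hint."""
    return [cn for dn in parse_certificate_request(msg, tls12)["ca_names"] for cn in common_names(dn)]


# Constructed from the Wireshark dump: type 13, length 6, types 01 02 40, DN length 00 00.
STARTTLS_MSG = bytes.fromhex("0d000006" "03" "010240" "0000")
# Constructed counterpart: a server advertising two CAs (names are made up for the demo).
LEGACY_SSL_MSG = build_certificate_request(
    [1, 2, 64], [der_name_cn("Test Root CA"), der_name_cn("Client CA")])

if __name__ == "__main__":
    for label, msg in (("starttls", STARTTLS_MSG), ("legacy ssl", LEGACY_SSL_MSG)):
        print(label, parse_certificate_request(msg)["cert_types"], advertised_ca_names(msg))
```

Pidgin's client side sees exactly this list when it is asked for a certificate; an empty certificate_authorities vector is legal, but it leaves the client with no way to pick which of several certificates to send, which is the difference between the two captures that matters for the question.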