Moved client cert checking into Authenticator #273
…or client certs is implemented as an Authenticator instead. Partially implements #223, but it retains backward compatibility with the current configuration.
There will still be a problem for our use case, since the client certificate will still be validated as being signed by a CA. This happens before the authenticators are called, when setting up the HTTPS subsystem.
So I'm afraid that it's not possible to have SSL allowing both client cert authentication and basic authentication without a prior client cert verification.
The authenticator is used only for some extra checks, like whether the presented certificate is indeed a client certificate (and not a server certificate), and whether the enclosed principal matches a configured value.
The check whether a client cert is presented and whether it is signed by a given CA (stored in the keystore) happens before, internally in the HttpsServer, which we can't influence much except for configuring it.
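The extra checks described in the comment above, written against the JDK's `com.sun.net.httpserver` API as an added example that is not the code from this PR. The class name, the realm string, the exact-match policy on the subject DN and the choice to require the clientAuth extended key usage are assumptions made for illustration.

```java
import com.sun.net.httpserver.Authenticator;
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpPrincipal;
import com.sun.net.httpserver.HttpsExchange;

import javax.net.ssl.SSLPeerUnverifiedException;
import javax.security.auth.x500.X500Principal;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.List;

// Hypothetical class name. It runs only after the TLS handshake inside
// HttpsServer has already validated the chain against the configured CA.
public class ClientCertExtraChecks extends Authenticator {
    // id-kp-clientAuth extended key usage OID (RFC 5280)
    private static final String CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2";
    private final X500Principal allowed;

    public ClientCertExtraChecks(String allowedPrincipal) {
        // X500Principal.equals compares the canonical DN form
        this.allowed = new X500Principal(allowedPrincipal);
    }

    @Override
    public Result authenticate(HttpExchange exchange) {
        if (!(exchange instanceof HttpsExchange)) {
            return new Failure(403); // plain HTTP carries no client certificate
        }
        try {
            Certificate[] chain =
                ((HttpsExchange) exchange).getSSLSession().getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return new Failure(403);
            }
            X509Certificate leaf = (X509Certificate) chain[0];
            // Reject server certificates: the leaf must declare clientAuth usage
            List<String> eku = leaf.getExtendedKeyUsage();
            if (eku == null || !eku.contains(CLIENT_AUTH_OID)) {
                return new Failure(403);
            }
            X500Principal subject = leaf.getSubjectX500Principal();
            if (!allowed.equals(subject)) {
                return new Failure(403); // CA-signed, but not the configured principal
            }
            return new Success(new HttpPrincipal(subject.getName(), "client-cert"));
        } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
            return new Failure(403); // no client cert presented, or unparsable extension
        }
    }
}
```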