Tags: java, ssl, client-certificates

How to enforce the use of client authentication certificates from the client side


I am working on a server to server integration and I want to know from the initiating side of an https request whether client certificate authentication was used. Ideally I want to be able to mandate that it is used, however I have no leads on how to achieve this from Java. Currently I am using the Apache Commons Http client.

As I understand from java https client certificate authentication, use of client authentication has to be initiated by the recipient of the https request and I have found nothing client side to mandate it or even to report when it has occurred.

If this behaviour is not possible, then I will probably fall back to encrypting the http payload separately from the https connection, which means double encryption as https would still be used, and that feels somewhat clunky.


Solution

  • No. It cannot be enforced from the client side, it is only enforced by the server.

    Plain (one-way) https is basically checking whether the server is trusted by the client; if the client trusts the server, the communication happens. But client authentication is a step further: on top of the client trusting the server, the server also tries to authenticate the user. Only if both parties are trusted by each other does the communication happen.

    All of this chain of trust verification happens at protocol level. You don't have to worry about how it will happen. All you have to do is setup the chain-of-trust right (certificate chain in truststore).

    Your concept of double encryption is not a feasible solution. The client and the server first talk to each other in plain text to see if they can communicate in a secured way (https) from here on. Once they come to terms, all of the traffic will be encrypted from there on, including your payload.

    There are a few security challenges when you are encrypting the payload on the server and decrypting on the client side using your own key, such as: how do you transport the decryption key to the client side?
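The answer above says the chain of trust is set up through the keystore and truststore and the rest happens at protocol level. The following is an added example (not code from the question or the answer) of what that setup looks like with Apache HttpClient 4.x and the JDK's JSSE. It goes one step beyond the answer: the server is still the only party that decides whether to send a CertificateRequest, but the client can observe whether that request arrived, because JSSE only calls the key manager's chooseClientAlias / chooseEngineClientAlias after receiving it. The wrapper below records that call. The file names (`client-identity.p12`, `server-ca.p12`), the password and the URL are placeholders assumed for the example.

```java
import java.io.InputStream;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

public class MutualTlsClient {

    /** Delegates to the real key manager and records whether the server ever asked for a client certificate. */
    static final class RecordingKeyManager extends X509ExtendedKeyManager {
        private final X509ExtendedKeyManager delegate;
        final AtomicBoolean certificateRequested = new AtomicBoolean(false);

        RecordingKeyManager(X509ExtendedKeyManager delegate) { this.delegate = delegate; }

        // JSSE invokes one of these two methods only after the server's CertificateRequest has been received.
        @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
            certificateRequested.set(true);
            return delegate.chooseClientAlias(keyType, issuers, socket);
        }
        @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
            certificateRequested.set(true);
            return delegate.chooseEngineClientAlias(keyType, issuers, engine);
        }
        @Override public String[] getClientAliases(String k, Principal[] i) { return delegate.getClientAliases(k, i); }
        @Override public String[] getServerAliases(String k, Principal[] i) { return delegate.getServerAliases(k, i); }
        @Override public String chooseServerAlias(String k, Principal[] i, Socket s) { return delegate.chooseServerAlias(k, i, s); }
        @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
        @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
    }

    static KeyStore loadPkcs12(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Assumed paths and password for this example; replace with your own.
        char[] password = "changeit".toCharArray();
        KeyStore clientKeyStore = loadPkcs12("client-identity.p12", password); // client certificate + private key
        KeyStore trustStore = loadPkcs12("server-ca.p12", password);           // CA(s) that issued the server certificate

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeyStore, password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // Wrap the JDK key manager so the CertificateRequest becomes observable from the client side.
        RecordingKeyManager recorder = null;
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509ExtendedKeyManager) {
                recorder = new RecordingKeyManager((X509ExtendedKeyManager) kms[i]);
                kms[i] = recorder;
            }
        }
        if (recorder == null) throw new IllegalStateException("no X509ExtendedKeyManager available");

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), new SecureRandom());

        // Keep hostname verification on; the truststore alone does not bind the cert to the host.
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                ctx, SSLConnectionSocketFactory.getDefaultHostnameVerifier());

        try (CloseableHttpClient client = HttpClients.custom().setSSLSocketFactory(sslsf).build();
             CloseableHttpResponse resp = client.execute(new HttpGet("https://partner.example.com/api/ping"))) {
            System.out.println("HTTP " + resp.getStatusLine().getStatusCode());
        }

        // The client cannot force the server to ask; it can only refuse to proceed when the server did not.
        if (!recorder.certificateRequested.get()) {
            throw new SecurityException("server never requested a client certificate; refusing to continue");
        }
    }
}
```

Two caveats on the check. It runs after the handshake, so use it on a cheap pre-flight request (as above) before sending anything sensitive, or move it into a HandshakeCompletedListener on the socket. And the flag is sticky for the life of the key manager: a resumed TLS session does not repeat the CertificateRequest, so a single full handshake that did request a certificate is enough to set it for that process.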