- Bug
- Resolution: Fixed
- P2
- 1.0, 1.0.1, unknown, 1.0.2
- None
- ventura
- generic
- generic
From an email received via RMI group. (See comments for
header information.)
I've run into a problem with the fix for bug ID 4387023,
"SSLSocketImpl.setNeedClientAuth is not checking for servermode".
In my RMI security provider based on JSSE, I create the server-side
socket by accepting a connection with a plain ServerSocket, calling
SSLSocketFactory.createSocket to layer an SSL socket on top of the
accepted socket, and then calling SSLSocket.setUseClientMode with an
argument of false to convert the socket to a server-side socket.
I discovered under JSSE 1.0.2 that, if I wanted client authentication, I
needed to call setNeedClientAuth before calling setUseClientMode because
calling setUseClientMode initiates the handshake.
The fix to 4387023 means that this scheme no longer works. I can't call
setNeedClientAuth prior to calling setUseClientMode, because the socket
is still a client-side socket and throws IllegalArgumentException, but
calling setUseClientMode completes the handshake before I have a chance
to ask for client authentication.
How should applications use layered SSL sockets on the server side and
request client authentication in the face of this change?
- Tim
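
The layering sequence from the report, as an added example (not code from the reporter or from JSSE itself). It assumes a current JSSE in which the handshake starts only on `startHandshake()` or first I/O, so the socket can be switched to server mode and client authentication required before any handshake runs. The class and method names are hypothetical, and the loopback socket pair is constructed for the demo.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.security.cert.Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class LayeredServerSocketExample {   // hypothetical class name

    // Layer TLS over an already-accepted plain socket and configure it as a
    // server that requires a client certificate. No handshake is started here.
    static SSLSocket layerAsServer(SSLSocketFactory factory, Socket accepted)
            throws IOException {
        SSLSocket ssl = (SSLSocket) factory.createSocket(
                accepted,
                accepted.getInetAddress().getHostAddress(),
                accepted.getPort(),
                true);                    // autoClose the underlying socket
        ssl.setUseClientMode(false);      // server mode first ...
        ssl.setNeedClientAuth(true);      // ... then require a client certificate
        return ssl;
    }

    // Handshake explicitly and fail closed: getPeerCertificates() throws
    // SSLPeerUnverifiedException if the client was not authenticated.
    // Needs an SSLContext with server key material, which main() does not build.
    static Certificate[] handshakeRequiringPeer(SSLSocket ssl) throws IOException {
        ssl.startHandshake();
        return ssl.getSession().getPeerCertificates();
    }

    public static void main(String[] args) throws Exception {
        // Constructed loopback pair standing in for a real client connection.
        try (ServerSocket listener = new ServerSocket(0, 1, InetAddress.getLoopbackAddress());
             Socket client = new Socket(listener.getInetAddress(), listener.getLocalPort());
             Socket accepted = listener.accept()) {
            SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
            SSLSocket ssl = layerAsServer(factory, accepted);
            // Both settings are in place before any TLS record is exchanged.
            System.out.println("useClientMode=" + ssl.getUseClientMode()
                    + " needClientAuth=" + ssl.getNeedClientAuth());
        }
    }
}
```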
- relates to
- JDK-4392475 Calling setWantClientAuth(true) disables anonymous suites
- Resolved