Java Network Programming, Second Edition
By Elliotte Rusty Harold

Unconfirmed error reports are from readers. They have not yet been approved or disproved by the author or editor and represent solely the opinion of the reader.

This page was updated January 30, 2003

Here's a key to the markup:

[page-number]: serious technical mistake
{page-number}: minor technical mistake
<page-number>: important language/formatting problem
(page-number): language change or minor formatting problem
?page-number?: reader question or request for clarification

UNCONFIRMED errors and suggestions from readers:

[204] 4-5th paragraph:

In the description of getHost() method, it says that user info is included in host part. But it is not the case in JDK 1.3 nor JDK 1.1.X.

[402] The bottom paragraph now reads:

setUseClientMode() is said to determine whether a socket will need to use authentication in its first handshake. This is only true in that when it acts as a server, by passing this method false, it will follow the SSL handshake protocol as a server, i.e., by doing a "server authentication". When passed true, the SSLSocket plays the client part of the handshake, regardless of whether the client is required to authenticate itself to the server (it doesn't need to, but can). setUseClientMode() has little to do with "client authentication" in the sense of an SSL handshake. It only serves to determine which role of the handshake it will be playing - client or server. In fact, if getUseClientMode() is false, it is in server mode and cannot do client authentication because it necessarily will authenticate itself as a server. An SSLServerSocket's setNeedClientAuth(true) is necessary and sufficient for requiring client authentication. It is up to the client to set up an SSLContext in which it will be able to provide the information necessary to complete a client authentication.

It should read:

The setUseClientMode() method determines whether this socket will act as a server or a client in its first handshake. When acting as a server it automatically performs a server authentication as required by the SSL handshake protocol, but when acting as a client, it may or may not be required to perform a client authentication. Client authentication is performed when the SSLServerSocket's setNeedClientAuth() is passed true. The client must ensure it is created in an SSLContext sufficient to handle a client authentication.
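
The distinction drawn in the [402] report, as an added example that is not from the book or from the reader who filed the report: handshake role and the client-authentication requirement are separate settings, and the requirement set on the SSLServerSocket is carried by each socket it accepts. The class name HandshakeRoleDemo and the report() helper are hypothetical; the code assumes the JDK's default SSLContext can create sockets without a configured keystore, and it never starts a handshake, so no keys are needed.

```java
import java.net.InetAddress;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added illustration (hypothetical class, not from the book).
// Assumption: the default SSLContext works without a keystore for
// socket creation; no SSL handshake is ever started here.
public class HandshakeRoleDemo {

    public static void main(String[] args) throws Exception {
        InetAddress loopback = InetAddress.getLoopbackAddress();

        try (SSLServerSocket server = (SSLServerSocket) SSLServerSocketFactory
                .getDefault().createServerSocket(0, 1, loopback)) {

            server.setSoTimeout(5000);       // never block forever in accept()

            // Requiring a client certificate is decided on the server side.
            server.setNeedClientAuth(true);

            // TCP connect only: the handshake would begin on first I/O
            // or on an explicit startHandshake(), neither of which happens.
            try (SSLSocket client = (SSLSocket) SSLSocketFactory.getDefault()
                         .createSocket(loopback, server.getLocalPort());
                 SSLSocket accepted = (SSLSocket) server.accept()) {

                // The accepted socket takes the server role and carries the
                // client-auth requirement configured on the server socket.
                report("socket returned by accept()", accepted);

                // The connecting socket takes the client role. Whether it
                // must present a certificate is the server's decision, not
                // something setUseClientMode() controls.
                report("socket created by the client", client);
            }
        }
    }

    // Prints the two independent settings for one socket.
    static void report(String name, SSLSocket s) {
        System.out.printf("%-30s useClientMode=%-5b needClientAuth=%b%n",
                name, s.getUseClientMode(), s.getNeedClientAuth());
    }
}
```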