Imagine server A calling server B over SSL and that both servers have SSL certificates installed.
Later server A again calls server B.
Is there a way for server B to know that server A is the same server in both calls without a client certificate?
In my application I issue a shared security token in the first call. But in the second call I would like to know that the security token hasn’t been copied to, and is now being sent from, a third party C, so I’d like to add an additional check that A is still A (not necessarily the same physical server, but one that has the ‘A’ SSL certificate installed). I cannot enforce the use of client certificates. I cannot rely on the IP address because they are volatile.
As far as I understand, I can get the server A hostname from the (EDIT: encrypted HTTP) header. But I suspect an attacker could spoof the hostname and just insert HTTP Host header ‘A’ even though it is C?
I also suspect that the calling server A isn’t using its server certificate when establishing a connection to server B?
I would like to hear if I am wrong in my assumptions and/or if anyone has any suggestions other than using a client certificate.
P.S. A solution could be that B could call back to A over SSL and ask if A just posed a question, but that’s rather involved and I’d like to avoid such a step.
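The callback idea from the P.S., worked through as an added example (not the poster's code): B treats the Host header value only as a lookup key, never as proof of identity, and instead calls back to the host it expects A to be, over a connection in which B verifies A's server certificate. Everything here is simulated in-process; the hostnames `a.example` and `c.example`, the `directory` mapping that stands in for "connect to this hostname over TLS and verify its certificate", and the single-use request id are all assumptions of the example.

```python
import secrets
from dataclasses import dataclass

# Constructed in-process simulation of the callback scheme: B confirms that a
# request claiming to come from A was really sent by A by asking A directly.
# The TLS connection and certificate check are represented by the "directory"
# lookup below (assumption); in a real deployment B would open a TLS connection
# to A's hostname and verify A's server certificate before trusting the answer.


@dataclass
class Request:
    claimed_host: str   # equivalent of the HTTP Host header: whatever the sender writes
    token: str          # the shared security token issued on the first call
    request_id: str     # fresh per request, so A can say whether it "just posed a question"


class ServerA:
    hostname = "a.example"  # constructed name

    def __init__(self, token):
        self.token = token
        self.pending = set()   # request ids A has sent but not yet been asked about

    def make_request(self):
        rid = secrets.token_hex(16)
        self.pending.add(rid)
        return Request(self.hostname, self.token, rid)

    def confirm(self, rid):
        # Single-use: A answers "yes" exactly once per outstanding request id,
        # so a copied request replayed later is not confirmed a second time.
        if rid in self.pending:
            self.pending.remove(rid)
            return True
        return False


class ServerB:
    def __init__(self, token, directory):
        self.token = token
        # hostname -> server B can reach over TLS with a verified certificate (simulated)
        self.directory = directory

    def handle(self, req):
        if req.token != self.token:
            return "bad token"
        # Do not trust claimed_host by itself; use it only to pick whom to call back.
        # Only the party that really controls a.example (and its certificate) can answer.
        target = self.directory.get(req.claimed_host)
        if target is None or not target.confirm(req.request_id):
            return "callback failed"
        return "ok"


def run_scenario():
    """Returns B's verdicts for: A's genuine request, C replaying a copy of it,
    and C sending its own request with the stolen token."""
    token = secrets.token_hex(32)
    a = ServerA(token)
    b = ServerB(token, {ServerA.hostname: a})

    original = a.make_request()
    # C has copied the wire message (token, Host value and request id) verbatim.
    copied = Request(original.claimed_host, original.token, original.request_id)

    first = b.handle(original)                                       # "ok"
    replay = b.handle(copied)                                        # "callback failed"
    spoofed = b.handle(Request("c.example", token, secrets.token_hex(16)))  # "callback failed"
    return first, replay, spoofed


if __name__ == "__main__":
    print(run_scenario())
```

What the callback actually proves is narrower than "the sender is A": it proves that whoever controls A's hostname and certificate recently sent a request with this id. If a copied request reaches B before A's original does, the copy is the one that gets confirmed, so the scheme depends on ids being single-use and on B reaching the genuine A; that is the extra round trip and state the P.S. calls "rather involved".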