We're using an old version of Axis for the SOAP. I'm going to have to look into this further. I've got a few posts to figure out what's responsible for letting this through.
It doesn't make sense to me that the default for any lib would be to allow such a thing. And I've been looking through the code (the project is before my time) looking for anything specific to allow the behavior.
Oddly, Chrome doesn't challenge me when I try to hit the website with the wrong cert; every other browser does. That seems bad to me.
Thankfully, this isn't a super secure application or anything but I do want to get it figured.