axis-java-dev mailing list archives

From "Ralf Hauser (JIRA)" <axis-...@ws.apache.org>
Subject [jira] Commented: (AXIS-2216) allow to restrict ciphers when doing axis client calls
Date Tue, 18 Oct 2005 11:15:53 GMT
    [ http://issues.apache.org/jira/browse/AXIS-2216?page=comments#action_12332351 ] 

Ralf Hauser commented on AXIS-2216:
-----------------------------------

see also AXIS-1982 for issues of thread-safe-ness

> allow to restrict ciphers when doing axis client calls
> ------------------------------------------------------
>
>          Key: AXIS-2216
>          URL: http://issues.apache.org/jira/browse/AXIS-2216
>      Project: Apache Axis
>         Type: Bug
>     Versions: 1.2.1
>  Environment: Debian linux, jdk 1.5
>     Reporter: Ralf Hauser

>
> Java SSL by default allows all ciphers - even the null cipher and 40 bit export ciphers.
> So, a man-in-the-middle can alter the SSL handshake messages and possibly cause the axis client and server to agree on a weak cipher.
> When I use a different SSLSocketFactoryImpl where I can restrict the ciphers available, I get the below error.
> In theory, it is sufficient if either the server or the client does ensure only strong ciphers are used.
> I publish my factory by doing
>   Security.setProperty("ssl.SocketFactory.provider", "com.domain.security.crypto.SSLSocketFactoryImplMy");
> similar situation with apache james in issue JAMES-385
> I would hope that there will eventually be a 
>     org.apache.axis.client.Call.setEnabledCiphers(String commaDelimitedCiphers)
> method to take care of this.
> See also http://issues.apache.org/bugzilla/show_bug.cgi?id=35765 for how to facilitate the cipher list naming.
> -------------------------------
>         java.net.SocketException: com.domain.security.crypto.SSLSocketFactoryImplMy
> AxisFault
>  faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
>  faultSubcode:
>  faultString: java.net.SocketException: com.domain.security.crypto.SSLSocketFactoryImplMy
>  faultActor:
>  faultNode:
>  faultDetail:
>         {http://xml.apache.org/axis/}stackTrace:java.net.SocketException: com.domain.security.crypto.SSLSocketFactoryImplMy
>         at javax.net.ssl.DefaultSSLSocketFactory.createSocket(SSLSocketFactory.java:158)
>         at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:92)
>         at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
>         at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
>         at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
>         at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>         at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>         at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>         at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
>         at org.apache.axis.client.Call.invokeEngine(Call.java:2765)
>         at org.apache.axis.client.Call.invoke(Call.java:2748)
>         at org.apache.axis.client.Call.invoke(Call.java:2424)
>         at org.apache.axis.client.Call.invoke(Call.java:2347)
>         at org.apache.axis.client.Call.invoke(Call.java:1804)

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira

