Subject: svn commit: r642330 - in /incubator/cxf/branches/2.0.x-fixes: ./ api/src/main/java/org/apache/cxf/configuration/jsse/ common/schemas/src/main/resources/schemas/configuration/ rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ rt/tr...
Date: Fri, 28 Mar 2008 18:41:45 -0000
To: cxf-commits@incubator.apache.org
From: dkulp@apache.org
Message-Id: <20080328184149.224DE1A9832@eris.apache.org>

Author: dkulp
Date: Fri Mar 28 11:41:43 2008
New Revision: 642330

URL: http://svn.apache.org/viewvc?rev=642330&view=rev
Log:
Merged revisions 642095 via svnmerge from
https://svn.apache.org/repos/asf/incubator/cxf/trunk

........
  r642095 | gmazza | 2008-03-28 02:18:19 -0400 (Fri, 28 Mar 2008) | 2 lines

  Reactivating hostname = SSL certificate common name (CN) check for https:// based SOAP client requests. The cxf.xml config property I chose to disable this option is "disableCNCheck". I'm open to other names if anyone can think of something better.
........

Modified:
    incubator/cxf/branches/2.0.x-fixes/   (props changed)
    incubator/cxf/branches/2.0.x-fixes/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java
    incubator/cxf/branches/2.0.x-fixes/common/schemas/src/main/resources/schemas/configuration/security.xsd
    incubator/cxf/branches/2.0.x-fixes/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ReadHeadersInterceptor.java
    incubator/cxf/branches/2.0.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java
    incubator/cxf/branches/2.0.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java
    incubator/cxf/branches/2.0.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java

Propchange: incubator/cxf/branches/2.0.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.
Modified: incubator/cxf/branches/2.0.x-fixes/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java URL: http://svn.apache.org/viewvc/incubator/cxf/branches/2.0.x-fixes/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java?rev=642330&r1=642329&r2=642330&view=diff ============================================================================== --- incubator/cxf/branches/2.0.x-fixes/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java (original) +++ incubator/cxf/branches/2.0.x-fixes/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java Fri Mar 28 11:41:43 2008 
@@ -24,5 +24,24 @@ * */ public class TLSClientParameters extends TLSParameterBase { - + private boolean disableCNCheck; + + /** + * Set whether or not JSEE should omit checking if the host name + * specified in the URL matches that of the Common Name + * (CN) on the server's certificate. Default is false; + * this attribute should not be set to true during production use. + */ + public void setDisableCNCheck(boolean disableCNCheck) { + this.disableCNCheck = disableCNCheck; + } + + /** + * Returns whether or not JSSE omits checking if the + * host name specified in the URL matches that of the Common Name + * (CN) on the server's certificate. + */ + public boolean isDisableCNCheck() { + return disableCNCheck; + } } Modified: incubator/cxf/branches/2.0.x-fixes/common/schemas/src/main/resources/schemas/configuration/security.xsd URL: http://svn.apache.org/viewvc/incubator/cxf/branches/2.0.x-fixes/common/schemas/src/main/resources/schemas/configuration/security.xsd?rev=642330&r1=642329&r2=642330&view=diff ============================================================================== --- incubator/cxf/branches/2.0.x-fixes/common/schemas/src/main/resources/schemas/configuration/security.xsd (original) +++ incubator/cxf/branches/2.0.x-fixes/common/schemas/src/main/resources/schemas/configuration/security.xsd Fri Mar 28 11:41:43 2008 
@@ -380,6 +380,16 @@ + + + + This attribute specifies if JSSE should omit checking if the + host name specified in the URL matches that of the Common Name + (CN) on the server's certificate. Default is false; this attribute + should not be set to true during production use. + + + Modified: incubator/cxf/branches/2.0.x-fixes/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ReadHeadersInterceptor.java URL: http://svn.apache.org/viewvc/incubator/cxf/branches/2.0.x-fixes/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ReadHeadersInterceptor.java?rev=642330&r1=642329&r2=642330&view=diff ============================================================================== --- incubator/cxf/branches/2.0.x-fixes/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ReadHeadersInterceptor.java (original) +++ incubator/cxf/branches/2.0.x-fixes/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ReadHeadersInterceptor.java Fri Mar 28 11:41:43 2008 
@@ -76,7 +76,7 @@ if (xmlReader == null) { InputStream in = (InputStream)message.getContent(InputStream.class); if (in == null) { - throw new RuntimeException("Can't found input stream in message"); + throw new RuntimeException("Can't find input stream in message"); } xmlReader = StaxUtils.createXMLStreamReader(in); } Modified: incubator/cxf/branches/2.0.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java URL: http://svn.apache.org/viewvc/incubator/cxf/branches/2.0.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java?rev=642330&r1=642329&r2=642330&view=diff ============================================================================== --- incubator/cxf/branches/2.0.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java (original) +++ incubator/cxf/branches/2.0.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java Fri Mar 28 11:41:43 2008 @@ -38,6 +38,9 @@ throws GeneralSecurityException, IOException { + if (params.isDisableCNCheck()) { + this.setDisableCNCheck(true); + } if (params.isSetCipherSuitesFilter()) { this.setCipherSuitesFilter(params.getCipherSuitesFilter()); } Modified: incubator/cxf/branches/2.0.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java URL: http://svn.apache.org/viewvc/incubator/cxf/branches/2.0.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java?rev=642330&r1=642329&r2=642330&view=diff ============================================================================== --- incubator/cxf/branches/2.0.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java (original) +++ incubator/cxf/branches/2.0.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java Fri Mar 28 11:41:43 2008 
@@ -402,7 +402,8 @@ + "' has been configured for TLS " + "keyManagers " + tlsClientParameters.getKeyManagers() + "trustManagers " + tlsClientParameters.getTrustManagers() - + "secureRandom " + tlsClientParameters.getSecureRandom()); + + "secureRandom " + tlsClientParameters.getSecureRandom() + + "Disable Common Name (CN) Check: " + tlsClientParameters.isDisableCNCheck()); } } else { if (LOG.isLoggable(Level.FINE)) { @@ -1752,7 +1753,18 @@ */ @Override protected void onFirstWrite() throws IOException { - handleHeadersTrustCaching(); + try { + handleHeadersTrustCaching(); + } catch (IOException e) { + if (e.getMessage() != null && e.getMessage().contains("HTTPS hostname wrong:")) { + throw new IOException("The https URL hostname does not match the " + + "Common Name (CN) on the server certificate. To disable this check " + + "(NOT recommended for production) set the CXF client TLS configuration " + + "property \"disableCNCheck\" to true."); + } else { + throw e; + } + } } protected void handleHeadersTrustCaching() throws IOException { Modified: incubator/cxf/branches/2.0.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java URL: http://svn.apache.org/viewvc/incubator/cxf/branches/2.0.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java?rev=642330&r1=642329&r2=642330&view=diff ============================================================================== --- incubator/cxf/branches/2.0.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java (original) +++ incubator/cxf/branches/2.0.x-fixes/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java Fri Mar 28 11:41:43 2008 
@@ -60,7 +60,7 @@ private static final Logger LOG = LogUtils.getL7dLogger(HttpsURLConnectionFactory.class); - private static final HostnameVerifier VERIFIER = new AlwaysTrueHostnameVerifier(); + private static final HostnameVerifier DISABLE_HOSTNAME_VERIFIER = new AlwaysTrueHostnameVerifier(); /* * For development and testing only @@ -105,7 +105,7 @@ } /** - * Create a HttpURLConnection, proxified if neccessary. + * Create a HttpURLConnection, proxified if necessary. * * * @param proxy This parameter is non-null if connection should be proxied. @@ -153,17 +153,12 @@ } /** - * This class is the default hostname verifier that the - * HttpsURLConnection implementation uses to verify that - * a hostname belongs to a particular verified key/certificate - * pair. - *

- * The default is to make sure that "CN=", which - * isn't always desired. The MessageTrustDecider is - * the point at which an application can place trust in the - * certificate and target URL. We use this default of always - * returning true, delegating the trust decision to the - * MessageTrustDecider. + * This "accept all" hostname verifier is activated when the + * disableCNCheck TLS client configuration parameter is set to + * true (not recommended for production use). The default of + * false makes sure the Common Name (CN) on the server + * certificate equals that of the https:// URL provided by + * the SOAP client. */ private static class AlwaysTrueHostnameVerifier implements HostnameVerifier { @@ -212,7 +207,9 @@ socketFactory = new SSLSocketFactoryWrapper(ctx.getSocketFactory(), cipherSuites); } - connection.setHostnameVerifier(VERIFIER); + if (tlsClientParameters.isDisableCNCheck()) { + connection.setHostnameVerifier(DISABLE_HOSTNAME_VERIFIER); + } connection.setSSLSocketFactory(socketFactory); }
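Review bot: the setter Javadoc in the TLSClientParameters hunk (@@ -24,5 +24,24) says "JSEE" in `Set whether or not JSEE should omit checking`; the getter right below it says "JSSE", so fix the typo. Consider also adding the `isSet...` style accessor that the other TLS parameters expose (TLSClientParametersConfig uses `params.isSetCipherSuitesFilter()` for the cipher-suites filter), so the Spring configuration layer can tell "not configured" from "configured false" the same way it does elsewhere. The secure default is right: a plain boolean field initialised to false keeps hostname verification on unless someone explicitly turns it off.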
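Review bot: only the documentation text of the security.xsd hunk (@@ -380,6 +380,16) survives in this rendering; the attribute declaration itself (name, type, default) is not visible. Please confirm the attribute is declared as a boolean with a schema-level default of false, so the "Default is false" statement is enforced by the schema and the generated configuration type rather than only described in prose; a mismatch there would silently change the effective default for every client built from the schema.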
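Review bot: the ReadHeadersInterceptor hunk (@@ -76,7 +76,7) is an unrelated wording fix ("Can't found" to "Can't find") carried along with the hostname-verification change. Fine to keep, but mention it in the merge log so anyone auditing 2.0.x-fixes for the security change does not have to work out why a SOAP binding file is touched.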
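Review bot: in the TLSClientParametersConfig hunk (@@ -38,6 +38,9), `if (params.isDisableCNCheck()) { this.setDisableCNCheck(true); }` only ever propagates true and never resets the flag; `this.setDisableCNCheck(params.isDisableCNCheck());` states the intent directly and is correct if the config object is ever reused with different parameters. It also diverges from the `isSet...` guard pattern used for the cipher-suites filter two lines below; pick one convention for the new parameter.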
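Review bot: in the first HTTPConduit hunk (@@ -402,7 +402,8) the new `"Disable Common Name (CN) Check: "` fragment is appended directly after the secureRandom value with no separator, so the FINE log line runs the SecureRandom's toString() straight into "Disable Common Name"; a leading space or comma keeps it readable (the earlier keyManagers/trustManagers fragments have the same problem, so this is a good moment to fix all of them). Logging the flag here is worthwhile: a `Disable Common Name (CN) Check: true` entry in the conduit configuration log is the one line an operator can search for to find clients running with hostname verification switched off.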
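Review bot: in the onFirstWrite hunk (@@ -1752,7 +1753,18) the rethrown IOException discards the original exception: it is built from a message only, so the JSSE stack trace and the detail in the original "HTTPS hostname wrong:" message are lost. Keep the original as the cause, e.g. `IOException ex = new IOException("The https URL hostname does not match ..."); ex.initCause(e); throw ex;` (the Java 5 IOException has no cause-taking constructor, so `initCause` is the way). Matching on `e.getMessage().contains("HTTPS hostname wrong:")` is also tied to the wording of a JDK-internal message and will quietly stop translating the error on a JDK that phrases it differently; the `else { throw e; }` branch means nothing is swallowed in that case, but a comment recording the dependency would help the next maintainer.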
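Review bot: the replacement Javadoc in the AlwaysTrueHostnameVerifier hunk (@@ -153,17 +153,12) says the default makes sure the Common Name equals the URL host; the default HostnameVerifier that HttpsURLConnection applies also accepts a matching dNSName subjectAltName entry and uses the CN only as a fallback, so "hostname verification" would describe both the behaviour and the `disableCNCheck` property more accurately than "CN check". The removed text also recorded that MessageTrustDecider is the point where an application places trust in the certificate and target URL; carry that over with a sentence on how the decider and the hostname verifier relate, since that is exactly what someone tempted to set `disableCNCheck` needs to read.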
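Review bot: the last HttpsURLConnectionFactory hunk (@@ -212,7 +207,9) is the actual behavioural change: `connection.setHostnameVerifier(...)` is now called only when `isDisableCNCheck()` is true, so in the default case the connection keeps whatever verifier HttpsURLConnection supplies, which restores hostname verification for every existing 2.0.x client. That is a deliberate incompatibility for deployments that relied on the old always-true verifier, and it should be called out in the release notes next to the new `disableCNCheck` property together with the HTTPConduit error text users will now see. The `DISABLE_HOSTNAME_VERIFIER` branch also deserves a WARNING-level log line when it is taken; the FINE-level entry in HTTPConduit is easy to miss, and the "For development and testing only" comment in the first hunk of this file says where the setting belongs.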