cxf-commits mailing list archives

From conflue...@apache.org
Subject [CONF] Apache CXF Documentation > Client HTTP Transport (including SSL support)
Date Tue, 03 Nov 2009 16:30:00 GMT
<html>
<head>
    <base href="http://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1519/1/1/_/styles/combined.css?spaceKey=CXF20DOC&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background-color: white" bgcolor="white">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="http://cwiki.apache.org/confluence/display/CXF20DOC/Client+HTTP+Transport+%28including+SSL+support%29?focusedCommentId=5604449#comment-5604449">Client
HTTP Transport (including SSL support)</a></h2>
        <h4>Page
        <b>commented</b> by              <a href="http://cwiki.apache.org/confluence/display/~jared.r.knipp@gmail.com">Jared
Knipp</a>
    </h4>
    <br/>
    <div class="notificationGreySide">
       <p>It should be noted the cipher suites used in your default example will not
work with SSL servers that require a higher level of cipher suites, i.e. stronger encryption.
 I found this out the hard way when a third party server moved from what appeared to be an
Apache 1.3 http server to Apache 2.x.  </p>

<p>The previous web service endpoint using the example cipher suite filters allowed
me to communicate using a dual authentication method where I had to export the endpoint public
certificate located in my trust store.  When the server / data center change occurred, I could
no longer connect as before even after updating the certificate.  I received the following
error:  </p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java"> 
2009-10-30 19:37:37:745 INFO  [pool-2-thread-4] [PhaseInterceptorChain] - Interceptor has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Could not send Message.
....
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
</pre>
</div></div>

<p>Later I found out that the new server expected to communicate over a 3DES SSL cipher
suite because the new Apache configuration was set to use strong encryption (see encryption
<a href="http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html" rel="nofollow">http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html</a>).</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml"> 
&lt;!-- 
  Cipher suite filters specify the cipher suites to allow/disallow in SSL communication.
  Please make sure the server can communicate over the included cipher suites or you may
  experience a handshake_failure.
 --&gt;
<span class="code-tag">&lt;sec:cipherSuitesFilter&gt;</span>
  <span class="code-tag">&lt;sec:include&gt;</span>.*_WITH_3DES_.*<span class="code-tag">&lt;/sec:include&gt;</span>
  <span class="code-tag">&lt;sec:include&gt;</span>.*_EXPORT_.*<span class="code-tag">&lt;/sec:include&gt;</span>
  <span class="code-tag">&lt;sec:include&gt;</span>.*_EXPORT1024_.*<span class="code-tag">&lt;/sec:include&gt;</span>
  <span class="code-tag">&lt;sec:include&gt;</span>.*_WITH_DES_.*<span class="code-tag">&lt;/sec:include&gt;</span>
  <span class="code-tag">&lt;sec:exclude&gt;</span>.*_WITH_NULL_.*<span class="code-tag">&lt;/sec:exclude&gt;</span>
  <span class="code-tag">&lt;sec:exclude&gt;</span>.*_DH_anon_.*<span class="code-tag">&lt;/sec:exclude&gt;</span>
<span class="code-tag">&lt;/sec:cipherSuitesFilter&gt;</span>
</pre>
</div></div> 
    </div>
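<p>An added example, not part of the comment above and not CXF code: a stand-alone check that applies the include/exclude patterns from the comment to the cipher suites the local JVM supports and compares the result with a server's list, which is the mismatch behind a <code>handshake_failure</code>. The class name <code>CipherFilterCheck</code>, the <code>serverAccepts</code> sample and the filter semantics (a suite is kept when it matches at least one include and no exclude) are assumptions.</p>

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;

public class CipherFilterCheck {
    // Patterns taken from the cipherSuitesFilter in the comment above.
    static final String[] INCLUDE = {
        ".*_WITH_3DES_.*", ".*_EXPORT_.*", ".*_EXPORT1024_.*", ".*_WITH_DES_.*" };
    static final String[] EXCLUDE = { ".*_WITH_NULL_.*", ".*_DH_anon_.*" };

    static boolean matchesAny(String suite, String[] patterns) {
        for (String p : patterns) {
            if (Pattern.matches(p, suite)) return true;
        }
        return false;
    }

    // Assumed semantics: keep a suite if it matches an include and no exclude.
    static List<String> filter(String[] candidates) {
        List<String> kept = new ArrayList<>();
        for (String s : candidates) {
            if (matchesAny(s, INCLUDE) && !matchesAny(s, EXCLUDE)) kept.add(s);
        }
        return kept;
    }

    public static void main(String[] args) throws Exception {
        // Suites this JVM is able to negotiate at all.
        String[] supported = SSLContext.getDefault()
                .getSupportedSSLParameters().getCipherSuites();
        List<String> offered = filter(supported);
        System.out.println("Client would offer " + offered.size() + " suite(s):");
        for (String s : offered) System.out.println("  " + s);

        // Constructed sample of what a server accepts; replace with the real list.
        String[] serverAccepts = {
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA" };
        List<String> common = new ArrayList<>(offered);
        common.retainAll(Arrays.asList(serverAccepts));
        System.out.println(common.isEmpty()
            ? "No suite in common: expect handshake_failure"
            : "Common suites: " + common);
    }
}
```

<p>The list printed depends on the JVM and its security configuration, so run it on the same runtime as the client.</p>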

        

</div>
</div>
</div>
</div>
</body>
</html>
