cxf-commits mailing list archives

Subject [CONF] Apache CXF Documentation > Client HTTP Transport (including SSL support)
Date Tue, 03 Nov 2009 16:30:00 GMT
<body style="background-color: white" bgcolor="white">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="">Client HTTP Transport (including SSL support)</a></h2>
        <b>commented</b> by <a href="">Jared</a>
    <div class="notificationGreySide">
       <p>It should be noted the cipher suites used in your default example will not
work with SSL servers that require a higher level of cipher suites, i.e. stronger encryption.
 I found this out the hard way when a third party server moved from what appeared to be an
Apache 1.3 http server to Apache 2.x.  </p>

<p>The previous web service endpoint using the example cipher suite filters allowed
me to communicate using a dual authentication method where I had to export the endpoint public
certificate located in my trust store.  When the server / data center change occurred, I could
no longer connect as before even after updating the certificate.  I received the following
error:  </p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
2009-10-30 19:37:37:745 INFO  [pool-2-thread-4] [PhaseInterceptorChain] - Interceptor has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Could not send Message.
Caused by: Received fatal alert: handshake_failure
</pre>
</div></div>

<p>Later I found out that the new server expected to communicate over a 3DES SSL cipher
suite because the new Apache configuration was set to use strong encryption (see encryption
<a href="" rel="nofollow"></a>).</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
&lt;!--
  Cipher suites filters specify the cipher suite to allow/disallow in SSL communication
  Please make sure the server can communicate over the included cipher suites or you may
  experience a handshake_failure.
--&gt;
<span class="code-tag">&lt;sec:cipherSuitesFilter&gt;</span>
  <span class="code-tag">&lt;sec:include&gt;</span>.*_WITH_3DES_.*<span class="code-tag">&lt;/sec:include&gt;</span>
  <span class="code-tag">&lt;sec:include&gt;</span>.*_EXPORT_.*<span class="code-tag">&lt;/sec:include&gt;</span>
  <span class="code-tag">&lt;sec:include&gt;</span>.*_EXPORT1024_.*<span class="code-tag">&lt;/sec:include&gt;</span>
  <span class="code-tag">&lt;sec:include&gt;</span>.*_WITH_DES_.*<span class="code-tag">&lt;/sec:include&gt;</span>
  <span class="code-tag">&lt;sec:exclude&gt;</span>.*_WITH_NULL_.*<span class="code-tag">&lt;/sec:exclude&gt;</span>
  <span class="code-tag">&lt;sec:exclude&gt;</span>.*_DH_anon_.*<span class="code-tag">&lt;/sec:exclude&gt;</span>
<span class="code-tag">&lt;/sec:cipherSuitesFilter&gt;</span>
</pre>
</div></div>

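<p>The filter behaviour discussed in the comment above, as an added example that is not part of the original comment or of CXF's own code: it evaluates the include/exclude patterns against a client suite list and reports whether any suite is shared with the server. The suite lists, the server's accepted set, the function names and the full-match filter semantics are assumptions made for illustration.</p>

```python
import re

# Constructed sample data: suite names a client JVM might support, and the
# subset a server restricted to strong ciphers is assumed to accept.
CLIENT_SUPPORTED = [
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_WITH_NULL_SHA",
    "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
]
SERVER_ACCEPTS = {"SSL_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"}

# Patterns taken from the filter in the comment above.
EXCLUDES = [".*_WITH_NULL_.*", ".*_DH_anon_.*"]
WITHOUT_3DES = [".*_EXPORT_.*", ".*_EXPORT1024_.*", ".*_WITH_DES_.*"]
WITH_3DES = [".*_WITH_3DES_.*"] + WITHOUT_3DES

# Export-grade and single-DES suites: weak, worth flagging if still offered.
WEAK = re.compile(r".*_(EXPORT|EXPORT1024|WITH_DES)_.*")


def apply_filter(supported, includes, excludes):
    """Assumed semantics: keep a suite whose full name matches at least one
    include pattern and no exclude pattern."""
    inc = [re.compile(p) for p in includes]
    exc = [re.compile(p) for p in excludes]
    return [s for s in supported
            if any(p.fullmatch(s) for p in inc)
            and not any(p.fullmatch(s) for p in exc)]


def diagnose(includes, excludes, supported=CLIENT_SUPPORTED, server=SERVER_ACCEPTS):
    """Report what the client would offer and whether any suite is shared."""
    offered = apply_filter(supported, includes, excludes)
    shared = [s for s in offered if s in server]
    return {
        "offered": offered,
        "shared": shared,  # an empty list means the handshake cannot succeed
        "weak_offered": [s for s in offered if WEAK.fullmatch(s)],
    }


if __name__ == "__main__":
    for label, inc in (("without 3DES", WITHOUT_3DES), ("with 3DES", WITH_3DES)):
        print(label, diagnose(inc, EXCLUDES))
```

<p>With the 3DES include the two sides share one suite, while the DES and export-grade suites are still offered to any server that would accept them.</p>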