cxf-commits mailing list archives

From "Colm O hEigeartaigh (Confluence)" <conflue...@apache.org>
Subject [CONF] Apache CXF Documentation > TLS Configuration
Date Wed, 14 Aug 2013 15:51:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/en/2176/1/1/_/styles/combined.css?spaceKey=CXF20DOC&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF20DOC/TLS+Configuration">TLS
Configuration</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~coheigea@apache.org">Colm
O hEigeartaigh</a>
    </h4>
        <br/>
                         <h4>Changes (4)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >| {{cipherSuitesFilter}} | | filters
of the supported CipherSuites that will be supported and used if available. | <br>|
{{certConstraints}} | | Certificate Constraints specification. | <br></td></tr>
            <tr><td class="diff-changed-lines" >| <span class="diff-changed-words">{{secureRandom<span
class="diff-added-chars"style="background-color: #dfd;">Parameters</span>}}</span>
| JVM default Secure Random | SecureRandom specification. | <br></td></tr>
            <tr><td class="diff-unchanged" >| {{secureSocketProtocol}} | &quot;TLS&quot;
| Protocol Name. Most common example are &quot;SSL&quot;, &quot;TLS&quot;
or &quot;TLSv1&quot;. | <br>| {{certAlias}} | | Cert alias to use. Useful when
keystore has multiple certs. | <br></td></tr>
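<tr><td>Review bot: the rename to {{secureRandomParameters}} in this table leaves the client table out of step: the {{useHttpsURLConnectionDefaultSslSocketFactory}} description in the Full Content below still lists 'secureRandom' among the parameters it ignores, so that entry should be changed to the same name in this edit.</td></tr>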
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br>|| Attribute || Default
|| Description || <br></td></tr>
            <tr><td class="diff-changed-lines" >| <span class="diff-changed-words">{{disableCN<span
class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">c</span><span
class="diff-added-chars"style="background-color: #dfd;">C</span>heck}}</span>
| {{false}} | Indicates whether that the hostname given in the HTTPS URL will be checked against
the service&#39;s Common Name (CN) given in its certificate during requests, and failing
if there is a mismatch.  If set to {{true}} (*not recommended for production use*), such checks
will be bypassed.  That will allow you, for example, to use a URL such as {{localhost}} during
development. | <br></td></tr>
            <tr><td class="diff-unchanged" >| {{sslSocketFactory}} | | A SSLSocketFactory
to use. All other bean properties are ignored if this is set. | <br>| {{sslCacheTimeout}}
| 86400 seconds (24 hours) | SSL Cache Timeout in seconds. | <br></td></tr>
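<tr><td>Review bot: while the attribute name is being corrected to {{disableCNCheck}}, the description in the same row still reads 'Indicates whether that the hostname ... and failing if there is a mismatch'; drop the stray 'that' and make the clause read '... and the request fails if there is a mismatch', since this sentence is what tells a reader that the default {{false}} keeps hostname verification on.</td></tr>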
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >| {{useHttpsURLConnectionDefaultHostnameVerifier}}
| {{false}} | This attribute specifies if [HttpsURLConnection.getDefaultHostnameVerifier()|http://java.sun.com/javase/6/docs/api/javax/net/ssl/HttpsURLConnection.html#getDefaultHostnameVerifier()]
should be used to create https connections. If &#39;{{true}}&#39;, &#39;{{disableCNCheck}}&#39;
configuration parameter is ignored. | <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >Note :  <span class="diff-changed-words">{{disableCN<span
class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">c</span><span
class="diff-added-chars"style="background-color: #dfd;">C</span>heck}}</span>
is a parameterized boolean, you can use a fixed variable {{true}}\|{{false}} as well as a
[Spring externalized property|http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/beans.html#beans-factory-placeholderconfigurer]
variable (e.g. {{${disable-https-hostname-verification\}}}) or a [Spring expression|http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/expressions.html#expressions-beandef]
(e.g. {{#{systemProperties\[&#39;dev-mode&#39;\]\}}}). <br></td></tr>
            <tr><td class="diff-unchanged" > <br>Sample :  <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >   &lt;!-- deactivate HTTPS url
hostname verification (localhost, etc)    --&gt; <br>   &lt;!-- WARNING ! disableCNcheck=true
should NOT be used in production --&gt; <br></td></tr>
            <tr><td class="diff-changed-lines" >&lt;http-conf:tlsClientParameters
<span class="diff-changed-words">disableCN<span class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">c</span><span
class="diff-added-chars"style="background-color: #dfd;">C</span>heck=&quot;true&quot;</span>
/&gt; <br></td></tr>
            <tr><td class="diff-unchanged" >   ... <br> &lt;/http-conf:conduit&gt;
<br></td></tr>
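<tr><td>Review bot: the attribute in the sample is corrected to {{disableCNCheck=&quot;true&quot;}}, but the WARNING comment two lines above it still reads 'disableCNcheck=true' with the old lowercase c; update the comment so both spell the attribute the same way, otherwise a reader searching the page for the attribute name will miss the production warning.</td></tr>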
            <tr><td class="diff-snipped" >...<br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <div>
<ul>
    <li><a href='#TLSConfiguration-TLSParameterscommontobothClientsandServers'>TLS
Parameters common to both Clients and Servers</a></li>
    <li><a href='#TLSConfiguration-ClientTLSParameters'>Client TLS Parameters</a></li>
    <li><a href='#TLSConfiguration-ServerTLSParameters'>Server TLS Parameters</a></li>
</ul></div>

<h1><a name="TLSConfiguration-TLSParameterscommontobothClientsandServers"></a>TLS
Parameters common to both Clients and Servers</h1>

<p>The TLS Parameters common to both Clients and Servers are given <a href="https://svn.apache.org/repos/asf/cxf/trunk/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterBase.java"
class="external-link" rel="nofollow">here</a>:</p>

<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'> Attribute </th>
<th class='confluenceTh'> Default </th>
<th class='confluenceTh'> Description </th>
</tr>
<tr>
<td class='confluenceTd'> <tt>keyManagers</tt> </td>
<td class='confluenceTd'> JVM default Key Managers </td>
<td class='confluenceTd'> Key Managers to hold X509 certificates. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>trustManagers</tt> </td>
<td class='confluenceTd'> JVM default Trust Managers </td>
<td class='confluenceTd'> TrustManagers to validate peer X509 certificates. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>jsseProvider</tt> </td>
<td class='confluenceTd'> JVM default provider associated with protocol </td>
<td class='confluenceTd'> JSSE provider name. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>cipherSuites</tt> </td>
<td class='confluenceTd'> JVM default cipher suites </td>
<td class='confluenceTd'> CipherSuites that will be supported. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>cipherSuitesFilter</tt> </td>
<td class='confluenceTd'>&nbsp;</td>
<td class='confluenceTd'> Filters selecting which of the supported CipherSuites will be used,
if available. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>certConstraints</tt> </td>
<td class='confluenceTd'>&nbsp;</td>
<td class='confluenceTd'> Certificate Constraints specification. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>secureRandomParameters</tt> </td>
<td class='confluenceTd'> JVM default Secure Random </td>
<td class='confluenceTd'> SecureRandom specification. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>secureSocketProtocol</tt> </td>
<td class='confluenceTd'> "TLS" </td>
<td class='confluenceTd'> Protocol name. The most common examples are "SSL", "TLS" or "TLSv1".
</td>
</tr>
<tr>
<td class='confluenceTd'> <tt>certAlias</tt> </td>
<td class='confluenceTd'>&nbsp;</td>
<td class='confluenceTd'> Cert alias to use. Useful when keystore has multiple certs.
</td>
</tr>
</tbody></table>
</div>


<h1><a name="TLSConfiguration-ClientTLSParameters"></a>Client TLS Parameters</h1>

<p>In addition to the TLS Parameters common to both Clients and Servers, there are some
parameters that are <a href="https://svn.apache.org/repos/asf/cxf/trunk/core/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java"
class="external-link" rel="nofollow">specific</a> to Clients:</p>

<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'> Attribute </th>
<th class='confluenceTh'> Default </th>
<th class='confluenceTh'> Description </th>
</tr>
<tr>
<td class='confluenceTd'> <tt>disableCNCheck</tt> </td>
<td class='confluenceTd'> <tt>false</tt> </td>
<td class='confluenceTd'> Indicates whether the hostname given in the HTTPS URL
will be checked against the service's Common Name (CN) given in its certificate during requests,
with the request failing if there is a mismatch.  If set to <tt>true</tt> (<b>not recommended
for production use</b>), such checks will be bypassed.  That will allow you, for example,
to use a URL such as <tt>localhost</tt> during development. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>sslSocketFactory</tt> </td>
<td class='confluenceTd'>&nbsp;</td>
<td class='confluenceTd'> An SSLSocketFactory to use. All other bean properties are ignored
if this is set. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>sslCacheTimeout</tt> </td>
<td class='confluenceTd'> 86400 seconds (24 hours) </td>
<td class='confluenceTd'> SSL Cache Timeout in seconds. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>useHttpsURLConnectionDefaultSslSocketFactory</tt>
</td>
<td class='confluenceTd'> <tt>false</tt> </td>
<td class='confluenceTd'> This attribute specifies if <a href="http://java.sun.com/javase/6/docs/api/javax/net/ssl/HttpsURLConnection.html#getDefaultSSLSocketFactory()"
class="external-link" rel="nofollow">HttpsURLConnection.getDefaultSSLSocketFactory()</a>
should be used to create https connections. If '<tt>true</tt>', '<tt>jsseProvider</tt>',
'<tt>secureSocketProtocol</tt>', '<tt>trustManagers</tt>', '<tt>keyManagers</tt>',
'<tt>secureRandom</tt>', '<tt>cipherSuites</tt>' and '<tt>cipherSuitesFilter</tt>'
configuration parameters are ignored. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>useHttpsURLConnectionDefaultHostnameVerifier</tt>
</td>
<td class='confluenceTd'> <tt>false</tt> </td>
<td class='confluenceTd'> This attribute specifies if <a href="http://java.sun.com/javase/6/docs/api/javax/net/ssl/HttpsURLConnection.html#getDefaultHostnameVerifier()"
class="external-link" rel="nofollow">HttpsURLConnection.getDefaultHostnameVerifier()</a>
should be used to create https connections. If '<tt>true</tt>', '<tt>disableCNCheck</tt>'
configuration parameter is ignored. </td>
</tr>
</tbody></table>
</div>


<p>Note: <tt>disableCNCheck</tt> is a parameterized boolean, so you can give it a fixed
value <tt>true</tt>&#124;<tt>false</tt> as well as
a <a href="http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/beans.html#beans-factory-placeholderconfigurer"
class="external-link" rel="nofollow">Spring externalized property</a> variable (e.g.
<tt>${disable-https-hostname-verification}</tt>) or a <a href="http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/expressions.html#expressions-beandef"
class="external-link" rel="nofollow">Spring expression</a> (e.g. <tt>#{systemProperties['dev-mode']}</tt>).</p>

<p>Sample:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader"
style="border-bottom-width: 1px;"><b>HTTP conduit configuration disabling HTTP URL
hostname verification (usage of localhost, etc)</b></div><div class="codeContent
panelContent">
<pre class="theme: Default; brush: xml; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
 ...
 &lt;http-conf:conduit 
     name="{http://example.com/}HelloWorldServicePort.http-conduit"&gt;

   &lt;!-- deactivate HTTPS URL hostname verification (localhost, etc)    --&gt;
   &lt;!-- WARNING ! disableCNCheck=true should NOT be used in production --&gt;
   &lt;http-conf:tlsClientParameters disableCNCheck="true" /&gt;
   ...
 &lt;/http-conf:conduit&gt;
 ...
</pre>
</div></div>
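<p>As an added example (not part of the original page or of the CXF project's own samples), here is a fuller client conduit configuration that keeps hostname verification switched on and instead relies on the common parameters from the first table (<tt>trustManagers</tt>, <tt>keyManagers</tt>, <tt>cipherSuitesFilter</tt>, <tt>certConstraints</tt>, <tt>secureSocketProtocol</tt>), with the client-only <tt>disableCNCheck</tt> bound to a Spring externalized property that defaults to <tt>false</tt>. Element names follow the CXF <tt>http-conf</tt> and <tt>sec</tt> configuration schemas; the keystore paths, passwords, property names and the <tt>CN=example.com</tt> constraint are placeholder values, and it is assumed that a Spring <tt>PropertyPlaceholderConfigurer</tt> is registered in the same context to resolve the <tt>${...}</tt> references (the <tt>:false</tt> suffix is that configurer's default-value separator).</p>

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: hardened client-side TLS configuration for a CXF HTTP conduit.
     Paths, passwords and property names below are placeholders, not real values. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:http-conf="http://cxf.apache.org/transports/http/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/transports/http/configuration
         http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://cxf.apache.org/configuration/security
         http://cxf.apache.org/schemas/configuration/security.xsd">

  <!-- The conduit name is the service port QName plus ".http-conduit",
       as in the page's own sample. -->
  <http-conf:conduit name="{http://example.com/}HelloWorldServicePort.http-conduit">

    <!-- secureSocketProtocol: name a specific protocol instead of the "TLS" default
         (TLSv1.2 needs a JSSE provider that supports it).
         disableCNCheck: hostname verification stays on unless the external property
         disable-https-hostname-verification is explicitly set to true; the default
         after the colon applies when the property is absent. -->
    <http-conf:tlsClientParameters
        secureSocketProtocol="TLSv1.2"
        disableCNCheck="${disable-https-hostname-verification:false}">

      <!-- trustManagers: the CA certificates the client accepts for the server's
           certificate chain. Replaces the JVM default trust store. -->
      <sec:trustManagers>
        <sec:keyStore type="JKS" password="${client.truststore.password}"
                      file="/path/to/client-truststore.jks"/>
      </sec:trustManagers>

      <!-- keyManagers: the client's own certificate and private key; only needed
           when the server wants or requires client authentication. -->
      <sec:keyManagers keyPassword="${client.key.password}">
        <sec:keyStore type="JKS" password="${client.keystore.password}"
                      file="/path/to/client-keystore.jks"/>
      </sec:keyManagers>

      <!-- cipherSuitesFilter: regular expressions matched against the JVM's
           supported suite names. Include AES suites, exclude anonymous,
           NULL-encryption and export-grade ones. -->
      <sec:cipherSuitesFilter>
        <sec:include>.*_WITH_AES_.*</sec:include>
        <sec:exclude>.*_anon_.*</sec:exclude>
        <sec:exclude>.*_WITH_NULL_.*</sec:exclude>
        <sec:exclude>.*_EXPORT_.*</sec:exclude>
      </sec:cipherSuitesFilter>

      <!-- certConstraints: on top of chain validation, require the server
           certificate's subject DN to match this pattern (placeholder CN). -->
      <sec:certConstraints>
        <sec:SubjectDNConstraints>
          <sec:RegularExpression>.*CN=example\.com.*</sec:RegularExpression>
        </sec:SubjectDNConstraints>
      </sec:certConstraints>

    </http-conf:tlsClientParameters>
  </http-conf:conduit>
</beans>
```

<p>Resolving the placeholder to <tt>true</tt> only in a developer's own environment gives the <tt>localhost</tt> convenience of the sample above without ever shipping <tt>disableCNCheck="true"</tt> in a production configuration file. The subject DN constraint and the cipher-suite filter are independent of that switch, so a mis-set property still cannot make the client accept an anonymous or export-grade suite, and it still has to see the expected subject name.</p>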

<h1><a name="TLSConfiguration-ServerTLSParameters"></a>Server TLS Parameters</h1>

<p>In addition to the TLS Parameters common to both Clients and Servers, there are some
parameters that are <a href="https://svn.apache.org/repos/asf/cxf/trunk/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java"
class="external-link" rel="nofollow">specific</a> to Servers:</p>

<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'> Attribute </th>
<th class='confluenceTh'> Default </th>
<th class='confluenceTh'> Description </th>
</tr>
<tr>
<td class='confluenceTd'> <tt>clientAuthentication</tt> </td>
<td class='confluenceTd'> Neither "wanted" nor "required" </td>
<td class='confluenceTd'> Allows you to configure whether client authentication is "wanted"
and/or "required". </td>
</tr>
</tbody></table>
</div>
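<p>As an added example (not from the original page or the CXF project), the server-side counterpart: a Jetty engine configured through <tt>tlsServerParameters</tt> with <tt>clientAuthentication</tt> set to both "wanted" and "required", so a client must present a certificate that validates against the configured trust store before the handshake completes. Element names follow the CXF <tt>http-jetty</tt> and <tt>sec</tt> configuration schemas; the port, keystore paths and password properties are placeholder values, and a Spring <tt>PropertyPlaceholderConfigurer</tt> is assumed to resolve the <tt>${...}</tt> references.</p>

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: server-side TLS configuration for the CXF Jetty transport,
     enforcing client certificate authentication. Placeholder values throughout. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/transports/http-jetty/configuration
         http://cxf.apache.org/schemas/configuration/http-jetty.xsd
         http://cxf.apache.org/configuration/security
         http://cxf.apache.org/schemas/configuration/security.xsd">

  <httpj:engine-factory bus="cxf">
    <!-- These settings apply to the Jetty engine listening on this port
         (9001 is a constructed value). -->
    <httpj:engine port="9001">
      <httpj:tlsServerParameters secureSocketProtocol="TLSv1.2">

        <!-- keyManagers: the server's own certificate and private key. -->
        <sec:keyManagers keyPassword="${server.key.password}">
          <sec:keyStore type="JKS" password="${server.keystore.password}"
                        file="/path/to/server-keystore.jks"/>
        </sec:keyManagers>

        <!-- trustManagers: the CAs whose client certificates are accepted.
             Without this the server has nothing to validate client certs against. -->
        <sec:trustManagers>
          <sec:keyStore type="JKS" password="${server.truststore.password}"
                        file="/path/to/server-truststore.jks"/>
        </sec:trustManagers>

        <!-- cipherSuitesFilter: same include/exclude patterns as on the client,
             so the two sides negotiate only AES suites. -->
        <sec:cipherSuitesFilter>
          <sec:include>.*_WITH_AES_.*</sec:include>
          <sec:exclude>.*_anon_.*</sec:exclude>
          <sec:exclude>.*_WITH_NULL_.*</sec:exclude>
          <sec:exclude>.*_EXPORT_.*</sec:exclude>
        </sec:cipherSuitesFilter>

        <!-- clientAuthentication: want="true" asks the client for a certificate;
             required="true" aborts the handshake if none (or an untrusted one)
             is presented. The page's default is neither. -->
        <sec:clientAuthentication want="true" required="true"/>

      </httpj:tlsServerParameters>
    </httpj:engine>
  </httpj:engine-factory>
</beans>
```

<p><tt>want="true"</tt> on its own only requests a certificate and lets the handshake proceed without one, leaving it to the application to notice the missing identity; <tt>required="true"</tt> is what turns client authentication into an enforced control at the transport, and it only means something together with a <tt>trustManagers</tt> entry that limits which issuers are accepted.</p>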


    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <a href="https://cwiki.apache.org/confluence/display/CXF20DOC/TLS+Configuration">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=34014457&revisedVersion=5&originalVersion=4">View
Changes</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>
