cxf-commits mailing list archives

From "Colm O hEigeartaigh (Confluence)" <conflue...@apache.org>
Subject [CONF] Apache CXF > TLS Configuration
Date Mon, 12 Aug 2013 15:20:01 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/en/2176/1/15/_/styles/combined.css?spaceKey=CXF&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
     <h2><s>TLS Configuration</s></h2>
     <h4>Page <b>removed</b> by             <a href="https://cwiki.apache.org/confluence/display/~coheigea@apache.org">Colm
O hEigeartaigh</a>
    </h4>
     <br/>
     <div class="notificationGreySide">
         
<p>The TLSClientParameters are listed <a href="https://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterBase.java"
class="external-link" rel="nofollow">here</a> and <a href="https://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java"
class="external-link" rel="nofollow">here</a>.  </p>

<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'> Attribute </th>
<th class='confluenceTh'> Default </th>
<th class='confluenceTh'> Since </th>
<th class='confluenceTh'> Description </th>
</tr>
<tr>
<td class='confluenceTd'> <tt>certConstraints</tt> </td>
<td class='confluenceTd'>&nbsp;</td>
<td class='confluenceTd'>&nbsp;</td>
<td class='confluenceTd'> Certificate Constraints specification. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>cipherSuites</tt> </td>
<td class='confluenceTd'> default sslContext cipher suites </td>
<td class='confluenceTd'>&nbsp;</td>
<td class='confluenceTd'> CipherSuites that will be supported. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>cipherSuitesFilter</tt> </td>
<td class='confluenceTd'>&nbsp;</td>
<td class='confluenceTd'>&nbsp;</td>
<td class='confluenceTd'> Filters applied to the supported CipherSuites; those that pass
will be supported and used if available. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>disableCNCheck</tt> </td>
<td class='confluenceTd'> <tt>false</tt> </td>
<td class='confluenceTd'> 2.0.5 </td>
<td class='confluenceTd'> Indicates whether the hostname given in the HTTPS URL
will be checked against the service's Common Name (CN) given in its certificate during SOAP
client requests, failing if there is a mismatch.  If set to <tt>true</tt>
(<b>not recommended for production use</b>), such checks will be bypassed.  That
will allow you, for example, to use a URL such as <tt>localhost</tt> during development.
</td>
</tr>
<tr>
<td class='confluenceTd'> <tt>jsseProvider</tt> </td>
<td class='confluenceTd'> default JVM provider associated with protocol </td>
<td class='confluenceTd'>&nbsp;</td>
<td class='confluenceTd'> JSSE provider name. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>keyManagers</tt> </td>
<td class='confluenceTd'> JVM default Key Managers </td>
<td class='confluenceTd'>&nbsp;</td>
<td class='confluenceTd'> Key Managers to hold X509 certificates. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>secureRandomParameters</tt> </td>
<td class='confluenceTd'> JVM default Secure Random </td>
<td class='confluenceTd'>&nbsp;</td>
<td class='confluenceTd'> SecureRandom specification. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>secureSocketProtocol</tt> </td>
<td class='confluenceTd'> "TLS" </td>
<td class='confluenceTd'>&nbsp;</td>
<td class='confluenceTd'> Protocol name. The most common examples are "SSL", "TLS" or "TLSv1".
</td>
</tr>
<tr>
<td class='confluenceTd'> <tt>trustManagers</tt> </td>
<td class='confluenceTd'> JVM default Trust Managers </td>
<td class='confluenceTd'>&nbsp;</td>
<td class='confluenceTd'> TrustManagers to validate peer X509 certificates. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>useHttpsURLConnectionDefaultSslSocketFactory</tt>
</td>
<td class='confluenceTd'> <tt>false</tt> </td>
<td class='confluenceTd'> 2.2.7 </td>
<td class='confluenceTd'> Specifies whether <a href="http://java.sun.com/javase/6/docs/api/javax/net/ssl/HttpsURLConnection.html#getDefaultSSLSocketFactory()"
class="external-link" rel="nofollow">HttpsURLConnection.getDefaultSSLSocketFactory()</a>
should be used to create https connections. If '<tt>true</tt>', the '<tt>jsseProvider</tt>',
'<tt>secureSocketProtocol</tt>', '<tt>trustManagers</tt>', '<tt>keyManagers</tt>',
'<tt>secureRandom</tt>', '<tt>cipherSuites</tt>' and '<tt>cipherSuitesFilter</tt>'
configuration parameters are ignored. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>useHttpsURLConnectionDefaultHostnameVerifier</tt>
</td>
<td class='confluenceTd'> <tt>false</tt> </td>
<td class='confluenceTd'> 2.2.7 </td>
<td class='confluenceTd'> Specifies whether <a href="http://java.sun.com/javase/6/docs/api/javax/net/ssl/HttpsURLConnection.html#getDefaultHostnameVerifier()"
class="external-link" rel="nofollow">HttpsURLConnection.getDefaultHostnameVerifier()</a>
should be used to create https connections. If '<tt>true</tt>', the '<tt>disableCNCheck</tt>'
configuration parameter is ignored. </td>
</tr>
</tbody></table>
</div>



<p>Note: <tt>disableCNCheck</tt> is a parameterized boolean: you can use
a fixed value <tt>true</tt>&#124;<tt>false</tt> as well as
a <a href="http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/beans.html#beans-factory-placeholderconfigurer"
class="external-link" rel="nofollow">Spring externalized property</a> variable (e.g.
<tt>${disable-https-hostname-verification}</tt>) or a <a href="http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/expressions.html#expressions-beandef"
class="external-link" rel="nofollow">Spring expression</a> (e.g. <tt>#{systemProperties['dev-mode']}</tt>).</p>

<p>Sample:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader"
style="border-bottom-width: 1px;"><b>HTTP conduit configuration disabling HTTPS URL
hostname verification (usage of localhost, etc)</b></div><div class="codeContent
panelContent">
<pre class="theme: Default; brush: xml; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
 ...
 &lt;http-conf:conduit 
     name="{http://example.com/}HelloWorldServicePort.http-conduit"&gt;

   &lt;!-- deactivate HTTPS URL hostname verification (localhost, etc)    --&gt;
   &lt;!-- WARNING! disableCNCheck=true should NOT be used in production   --&gt;
   &lt;http-conf:tlsClientParameters disableCNCheck="true" /&gt;
   ...
 &lt;/http-conf:conduit&gt;
 ...
</pre>
</div></div>
     </div>
</div>
</div>
</div>
</div>
</body>
</html>
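
A configuration audit for the settings documented in the message above, as an added example that is not part of the original wiki page or of CXF: it scans a Spring configuration for conduits whose tlsClientParameters disable the hostname check, leave it to a placeholder, or set values that the "use default" switches cause to be ignored. The sample XML, the BillingPort conduit name and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Settings the page lists as ignored when the default SSL socket factory is used
# (lower-cased; secureRandomParameters is the name used in the attribute table).
IGNORED = {"jsseprovider", "securesocketprotocol", "trustmanagers", "keymanagers",
           "securerandom", "securerandomparameters", "ciphersuites", "ciphersuitesfilter"}

# Constructed sample input: BillingPort and the TLSv1 value are invented.
SAMPLE = """<beans xmlns:http-conf="http://cxf.apache.org/transports/http/configuration">
  <http-conf:conduit name="{http://example.com/}HelloWorldServicePort.http-conduit">
    <http-conf:tlsClientParameters disableCNCheck="true"/>
  </http-conf:conduit>
  <http-conf:conduit name="{http://example.com/}BillingPort.http-conduit">
    <http-conf:tlsClientParameters secureSocketProtocol="TLSv1"
        disableCNCheck="${disable-https-hostname-verification}"
        useHttpsURLConnectionDefaultSslSocketFactory="true"/>
  </http-conf:conduit>
</beans>"""

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return (conduit name, finding) pairs for each tlsClientParameters element."""
    findings = []
    for conduit in ET.fromstring(xml_text).iter():
        if local(conduit.tag) != "conduit":
            continue
        for tls in (c for c in conduit if local(c.tag) == "tlsClientParameters"):
            name = conduit.get("name", "?")
            # Names are compared case-insensitively; settings may be attributes or children.
            attrs = {k.lower(): v.strip() for k, v in tls.attrib.items()}
            names = {n.lower(): n for n in list(tls.attrib) + [local(c.tag) for c in tls]}
            cn = attrs.get("disablecncheck", "false")
            if attrs.get("usehttpsurlconnectiondefaulthostnameverifier", "").lower() == "true":
                if "disablecncheck" in attrs:
                    findings.append((name, "disableCNCheck is ignored: default hostname verifier in use"))
            elif cn.lower() == "true":
                findings.append((name, "hostname check disabled"))
            elif cn.startswith(("${", "#{")):
                findings.append((name, "hostname check depends on " + cn))
            if attrs.get("usehttpsurlconnectiondefaultsslsocketfactory", "").lower() == "true":
                for key in sorted(set(names) & IGNORED):
                    findings.append((name, names[key] + " is ignored: default socket factory in use"))
    return findings

if __name__ == "__main__":
    for conduit_name, finding in audit(SAMPLE):
        print(conduit_name, "->", finding)
```

A placeholder or expression value is reported rather than resolved, so the property source that feeds it has to be reviewed for each deployment.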
