cxf-dev mailing list archives

From Glen Mazza
Subject Reactivate the SSL certificate CN = https URL hostname check?
Date Wed, 26 Mar 2008 09:12:57 GMT

There is apparently a default check in Java to make sure that the SSL
certificate Common Name (CN) matches that of the https:// URL hostname
when making an SSL-based web call.  Metro does not disable that
check[1], instead it provides its users a standard workaround during
development, etc., should they wish to use "localhost" or similar
temporarily within the https:// URL.  That same documentation section
also emphasizes removing that workaround once you are in production.

AFAICT Apache CXF *is* shutting off that check[2] and supposedly
deferring it to MessageTrustDecider[3] (where it can be subsequently
attached in the cxf.xml file), but if the user does not implement a
MessageTrustDecider and manually check this value himself it will never
end up being made[4].  Even assuming a user is aware of this check being
disabled, most of them probably have never heard of the CXF-only
MessageTrustDecider, and so IMO it would be a bit too much to ask them
to create this object in order to reactivate that check.

If I'm correct here, I think we should reinstate the CN check by
default, but provide users a cxf.xml client configuration setting that
disables that check if desired.  I wouldn't have a problem with us using
"disabled by default" if that were the Java language default, but it
isn't, and so I think it should be reinstated for the benefit of newbies
as well as more advanced users who might not be aware that we disabled
this check to begin with.



[2] (line 155-177, 215)
[4] (lines 637-645)
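
The comparison discussed in this message, written out as an added example (not code from CXF, Metro or the original post): it compares the certificate subject's CN with the https:// URL host using only JDK classes. The class and method names and the sample subject and URLs are hypothetical, and it covers only the CN comparison, not the subjectAltName matching that a full HTTPS hostname verifier also performs.

```java
import java.net.URI;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;

public class CnHostnameCheck {
    // Extract the CN from an RFC 2253 subject DN; null if absent or unparsable.
    static String commonName(String subjectDn) {
        try {
            for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            // Unparsable subject: treated as "no CN", which fails the check.
        }
        return null;
    }

    // The check itself: certificate CN must equal the host of the https:// URL.
    static boolean cnMatchesHost(String subjectDn, String host) {
        String cn = commonName(subjectDn);
        return host != null && cn != null && host.equalsIgnoreCase(cn);
    }

    // Same check as a HostnameVerifier; fails closed if the peer sent no certificate.
    static final HostnameVerifier CN_VERIFIER = (host, session) -> {
        try {
            X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
            return cnMatchesHost(leaf.getSubjectX500Principal().getName(), host);
        } catch (SSLPeerUnverifiedException e) {
            return false;
        }
    };

    public static void main(String[] args) {
        // Constructed sample subject and URLs, not taken from any real deployment.
        String dn = "CN=services.example.org,O=Example,C=US";
        System.out.println(cnMatchesHost(dn, URI.create("https://services.example.org/ws").getHost()));
        System.out.println(cnMatchesHost(dn, URI.create("https://localhost:8443/ws").getHost()));
        System.out.println(cnMatchesHost("O=Example,C=US", "localhost"));
    }
}
```

A verifier that simply returns true for every host is what "disabling the check" amounts to, so a client that needs the "localhost" workaround should scope it to development builds only.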
