Return-Path: 
 <cxf-dev-return-5801-apmail-incubator-cxf-dev-archive=incubator.apache.org@incubator.apache.org>
Delivered-To: apmail-incubator-cxf-dev-archive@locus.apache.org
Received: (qmail 32337 invoked from network); 27 Mar 2008 03:20:57 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2)
  by minotaur.apache.org with SMTP; 27 Mar 2008 03:20:57 -0000
Received: (qmail 26326 invoked by uid 500); 27 Mar 2008 03:20:56 -0000
Delivered-To: apmail-incubator-cxf-dev-archive@incubator.apache.org
Received: (qmail 26286 invoked by uid 500); 27 Mar 2008 03:20:56 -0000
Mailing-List: contact cxf-dev-help@incubator.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:cxf-dev-help@incubator.apache.org>
List-Unsubscribe: <mailto:cxf-dev-unsubscribe@incubator.apache.org>
List-Post: <mailto:cxf-dev@incubator.apache.org>
List-Id: <cxf-dev.incubator.apache.org>
Reply-To: cxf-dev@incubator.apache.org
Delivered-To: mailing list cxf-dev@incubator.apache.org
Received: (qmail 26274 invoked by uid 99); 27 Mar 2008 03:20:56 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 26 Mar 2008 20:20:56 -0700
X-ASF-Spam-Status: No, hits=1.2 required=10.0
	tests=SPF_NEUTRAL
X-Spam-Check-By: apache.org
Received-SPF: neutral (athena.apache.org: local policy)
Received: from [64.79.199.57] (HELO server.dankulp.com) (64.79.199.57)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 27 Mar 2008 03:20:13 +0000
Received: by server.dankulp.com (Postfix, from userid 5000)
	id 2F368197C473; Wed, 26 Mar 2008 23:20:24 -0400 (EDT)
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on server.dankulp.com
X-Spam-Level: 
X-Msg-File: /tmp/mailfilter.XXXXOnyXLQ
Received: from dilbert.hsd1.ma.comcast.net
 (c-24-147-10-180.hsd1.ma.comcast.net [24.147.10.180])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by server.dankulp.com (Postfix) with ESMTP id B373D197C473;
	Wed, 26 Mar 2008 23:20:21 -0400 (EDT)
From: Daniel Kulp <dkulp@apache.org>
To: cxf-dev@incubator.apache.org
Subject: Re: Reactivate the SSL certificate CN = https URL hostname check?
Date: Wed, 26 Mar 2008 23:20:20 -0400
User-Agent: KMail/1.9.7
Cc: Glen Mazza <glen.mazza@verizon.net>
References: <1206522777.11634.3.camel@gmazza-desktop>
 <1206586878.32725.7.camel@gmazza-desktop>
In-Reply-To: <1206586878.32725.7.camel@gmazza-desktop>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200803262320.20500.dkulp@apache.org>
X-Virus-Checked: Checked by ClamAV on apache.org
X-Old-Spam-Status: No, score=0.3 required=3.0 tests=BAYES_00,RCVD_IN_PBL,
	RCVD_IN_SORBS_DUL,RDNS_DYNAMIC autolearn=no version=3.2.4

On Wednesday 26 March 2008, Glen Mazza wrote:
> If no objections, I'll be proceeding on adding a client parameter to
> turn off the CN checking, and reactivating the CN check as the
> default.

That all makes sense to me, but I won't even pretent to understand all 
the security implications and stuff of the https settings.   :-)

Dan


>
> Glen
>
> Am Mittwoch, den 26.03.2008, 05:12 -0400 schrieb Glen Mazza:
> > Team,
> >
> > There is apparently a default check in Java to make sure that the
> > SSL certificate Common Name (CN) matches that of the https:// URL
> > hostname when making an SSL-based web call.  Metro does not disable
> > that check[1], instead it provides its users a standard workaround
> > during development, etc., should they wish to use "localhost" or
> > similar temporarily within the https:// URL.  That same
> > documentation section also emphasizes removing that workaround once
> > you are in production.
> >
> > AFAICT Apache CXF *is* shutting off that check[2] and supposedly
> > deferring it to MessageTrustDecider[3] (where it can be subsequently
> > attached in the cxf.xml file), but if the user does not implement a
> > MessageTrustDecider and manually check this value himself it will
> > never end up being made[4].  Even assuming a user is aware of this
> > check being disabled, most of them probably have never heard of the
> > CXF-only MessageTrustDecider, and so IMO it would be a bit too much
> > to ask them to create this object in order to reactivate that check.
> >
> > If I'm correct here, I think we should reinstate the CN check by
> > default, but provide users a cxf.xml client configuration setting
> > that disables that check if desired.  I wouldn't have a problem with
> > us using "disabled by default" if that were the Java language
> > default, but it isn't, and so I think it should be reinstated for
> > the benefit of newbies as well as more advanced users who might not
> > be aware that we disabled this check to begin with.
> >
> > Thoughts?
> >
> > Regards,
> > Glen
> >
> >
> > [1]
> > https://metro.dev.java.net/guide/Security_Mechanisms.html#Transport_
> >Security__SSL__Workaround [2] http://tinyurl.com/2el54h (line
> > 155-177, 215)
> > [3] http://tinyurl.com/yt54uq
> > [4] http://tinyurl.com/2h3a4r (lines 637-645)



-- 
J. Daniel Kulp
Principal Engineer, IONA
dkulp@apache.org
http://www.dankulp.com/blog