From: Daniel Kulp
To: "Julius Davies"
Cc: "sudip shrestha", dev@cxf.apache.org
Subject: Re: a solution for ssl client via java code
Date: Thu, 24 Apr 2008 17:09:06 -0400
Delivered-To: mailing list dev@cxf.apache.org
In-Reply-To: <598ad5b50804241003u235af960iac12dc4306fc6cbb@mail.gmail.com>
Message-Id: <200804241709.07114.dkulp@apache.org>

Flipping to dev@cxf.apache.org....

I'm definitely open to this idea. Feel free to log a jira and attach a
patch. I may have Fred look at it a bit before applying it, but I think
the idea has some merits. Certainly may be easier to configure some
security stuff if the user is very familiar with JSSE and the
SSLSocketFactory stuff instead of the CXF apis.

Dan

On Thursday 24 April 2008, Julius Davies wrote:
> If I succeed at subscribing, I'd like to mention two things:
>
> #1. Just some minor editing to Sudip's great instructions.
>
> #2. Things would be easier if TLSClientParameters could include
> setSSLSocketFactory/getSSLSocketFactory. That way people could do
> this:
>
>     // Just a sub-class of javax.net.ssl.SSLSocketFactory
>     SSLClient client = new SSLClient();
>     client.addTrustMaterial( TrustMaterial.DEFAULT );
>     client.addTrustMaterial( new TrustMaterial( "/path/to/self-signed.pem" ) );
>     // To be different, let's allow for expired certificates (not recommended).
>     client.setCheckHostname( true );   // default setting is "true" for SSLClient
>     client.setCheckExpiry( false );    // default setting is "true" for SSLClient
>     client.setCheckCRL( true );        // default setting is "true" for SSLClient
>
>     // This method doesn't exist yet, but if people are interested, I'll
>     // send a patch.
>     tlsClientParameters.setSSLSocketFactory(client);
>
> CXF wouldn't need to know anything about not-yet-commons-ssl, because
> org.apache.commons.ssl.SSLClient is a subclass of
> javax.net.ssl.SSLSocketFactory!
>
> Would CXF be interested in a patch like that? Other fancy libraries
> that offer handy sub-classes of javax.net.ssl.SSLSocketFactory would
> also benefit.
>
> (This should probably be sent to dev, not users - now people searching
> through google are going to start complaining that the
> tlsClientParameters.setSSLSocketFactory() method is missing!)
>
> yours,
>
> Julius
>
> On Thu, Apr 24, 2008 at 9:16 AM, sudip shrestha wrote:
> > I have worked with the developer, Julius Davies
> > (http://juliusdavies.ca/commons-ssl/), of the commons-ssl solution,
> > which he currently refers to as "not-yet-commons-ssl", to work out a
> > very simple and reusable solution to develop a java client for ssl
> > based connections. This library encapsulates all the internal ssl
> > connection details. I am posting this for the benefit of those who
> > are trying to develop a client without spring.
> >
> > 1. First download the commons-ssl library from
> > http://juliusdavies.ca/commons-ssl/download.html and extract the
> > .jar file, then run the following command:
> >
> >     java -jar not-yet-commons-ssl-0.3.10.jar -t localhost:443 -tm /yourPathTo/host.crt
> >
> > 2. Then copy the section between -----BEGIN CERTIFICATE----- and
> > -----END CERTIFICATE----- and put it in a Certificate.java file or
> > whichever way you prefer.
> >
> > Then I have provided the code below:
> >
> > 3. Client Code:
> >
> >     // imports needed by the snippets in steps 3 and 4
> >     import javax.net.ssl.TrustManager;
> >     import org.apache.commons.ssl.TrustChain;
> >     import org.apache.commons.ssl.TrustMaterial;
> >     import org.apache.cxf.configuration.jsse.TLSClientParameters;
> >     import org.apache.cxf.configuration.security.FiltersType;
> >     import org.apache.cxf.endpoint.Client;
> >     import org.apache.cxf.frontend.ClientProxy;
> >     import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
> >     import org.apache.cxf.transport.http.HTTPConduit;
> >
> >     JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
> >     factory.setServiceClass( HelloWorld.class );
> >     factory.setAddress( "https://localhost/services/HelloWorld" );
> >     HelloWorld port = (HelloWorld) factory.create();
> >
> >     Client client = ClientProxy.getClient( port );
> >     HTTPConduit httpConduit = (HTTPConduit) client.getConduit();
> >     TLSClientParameters tlsParams = new TLSClientParameters();
> >     tlsParams.setSecureSocketProtocol("SSL");
> >     FiltersType filters = new FiltersType();
> >     filters.getInclude().add("SSL_RSA_WITH_RC4_128_MD5");
> >     filters.getInclude().add("SSL_RSA_WITH_RC4_128_SHA");
> >     tlsParams.setCipherSuitesFilter(filters);
> >
> >     tlsParams.setTrustManagers( getTrustManagers() ); //<<===== from step 4.
> >     httpConduit.setTlsClientParameters(tlsParams);
> >
> > 4. getTrustManagers function:
> >
> >     private TrustManager[] getTrustManagers()
> >             throws java.security.NoSuchAlgorithmException,
> >                    java.security.KeyStoreException, java.io.IOException,
> >                    java.security.GeneralSecurityException
> >     {
> >         //<<===== comes from your Certificate.java file where you would
> >         // store the cert content from step 2.
> >         byte[] pemCert = Certificates.pemCert_localhost;
> >
> >         TrustChain tc = new TrustChain();
> >         tc.addTrustMaterial( new TrustMaterial( pemCert ) );
> >         tc.addTrustMaterial( TrustMaterial.CACERTS );
> >         return ( TrustManager[] )tc.getTrustManagers();
> >     }

--
J. Daniel Kulp
Principal Engineer, IONA
dkulp@apache.org
http://www.dankulp.com/blog
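The same trust setup done with plain JSSE instead of not-yet-commons-ssl, as an added example that is not code from this thread, from CXF or from commons-ssl: it reads the host.crt written in step 1, pins only that certificate into an in-memory trust store (Sudip's version also appends the JDK cacerts), keeps hostname verification on, and replaces the RC4 include list with regex cipher-suite filters. It assumes the CXF 2.x TLSClientParameters/FiltersType API used in the thread and that /yourPathTo/host.crt is the file from step 1.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.configuration.security.FiltersType;

public class PinnedTlsClientParameters {

    /** Trust managers that accept only the certificate in the given PEM file. */
    static TrustManager[] pinnedTrustManagers(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate serverCert;
        try (InputStream in = new FileInputStream(pemPath)) {
            serverCert = (X509Certificate) cf.generateCertificate(in);
        }
        // Empty in-memory trust store holding just the pinned certificate;
        // nothing from the JDK cacerts file is trusted by this client.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("pinned-server", serverCert);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf.getTrustManagers();
    }

    /** TLSClientParameters that pin the server cert and filter out weak suites. */
    static TLSClientParameters pinnedParameters(String pemPath) throws Exception {
        TLSClientParameters tls = new TLSClientParameters();
        tls.setSecureSocketProtocol("TLS");
        tls.setTrustManagers(pinnedTrustManagers(pemPath));
        tls.setDisableCNCheck(false);             // hostname must match the pinned cert
        FiltersType filters = new FiltersType();  // CXF include/exclude entries are regexes
        filters.getInclude().add(".*_WITH_AES_.*");
        filters.getExclude().add(".*_NULL_.*");
        filters.getExclude().add(".*_anon_.*");
        filters.getExclude().add(".*_RC4_.*");
        tls.setCipherSuitesFilter(filters);
        return tls;
    }

    // Usage, with the conduit obtained exactly as in step 3 of the thread:
    //   httpConduit.setTlsClientParameters(
    //       PinnedTlsClientParameters.pinnedParameters("/yourPathTo/host.crt"));
}
```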