cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Glen Mazza (JIRA)" <j...@apache.org>
Subject [jira] Commented: (CXF-2688) Allow deactivation of SSL X509 Certificates validation
Date Wed, 03 Mar 2010 16:36:27 GMT

    [ https://issues.apache.org/jira/browse/CXF-2688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12840719#action_12840719
] 

Glen Mazza commented on CXF-2688:
---------------------------------

I disagree heavily with this change--it is a dangerous setting that if not forgotten to be
disabled, can create severe security problems with clients and services using CXF, causing
the CXF product to look very bad.  Neither Metro nor Axis2 provide this either.  

Hence, I'm VETOing it (-1) until at least a couple of other CXF team members speak in support
of it.  Then, I'll happily yield.  Sorry--I just need more than one committer to speak on
behalf of this change.

The argument given for this, namely that  "it can be painful to invoke services with self-signed
certificates on non-production environments" is a complete joke.  Using self-signed certs
is a piece of cake as I've shown for HTTPS[1] and also WS-Security w/X509 token profile[2].

Further, if you cannot use HTTPS for any reason, just downgrade to HTTP until you can.  "But
I want to use HTTP although have the HTTPS protocol visible!!!" is not a use case that CXF
should be supporting.

All this change is saying is "Because of political issues with my present project (and/or
laziness on my end in needing to learn how to use self-signed certs), it would be helpful
for me if CXF had the ability to falsely misrepresent that it is using HTTPS when it is actually
using HTTP".  For the protection of the CXF product, that is not something we should be supporting.

[1] http://www.jroller.com/gmazza/entry/setting_up_ssl_and_basic
[2] http://www.jroller.com/gmazza/entry/cxf_x509_profile


> Allow deactivation of SSL X509 Certificates validation
> ------------------------------------------------------
>
>                 Key: CXF-2688
>                 URL: https://issues.apache.org/jira/browse/CXF-2688
>             Project: CXF
>          Issue Type: New Feature
>          Components: Transports
>    Affects Versions: 2.2.6
>            Reporter: Cyrille Le Clerc
>            Assignee: Cyrille Le Clerc
>             Fix For: 2.2.7
>
>         Attachments: CXF-2688.diff
>
>
> CXF client (JAXWS & JAXRS) for HTTPS calls currently only allows to disable hostname
verification ({{<http-conf:tlsClientParameters disableCNCheck="true" />}}) but does
not allow to disable X509 certificates checking.
> Due to this, it can be painful to invoke services with self-signed certificates on non-production
environments (see sample stacktrace below).
> Here is a proposal to disable all X509 certificates in CXF (JAXWS & JAXRS) clients
:
> * Add boolean attribute {{trustAllCertificates}} to {{<http-conf:tlsClientParameters
... />}},
> * In the {{HTTPConduit}}, if {{trustAllCertificates="true"}}, the {{HttpsURLConnectionFactory}}
will use an 'accept all certificates' {{javax.net.ssl.X509TrustManager}} and an 'accept all'
{{javax.net.ssl.HostnameVerifier}}.
> *Note* : this proposal adds an attribute {{trustAllCertificates}} to the {{TLSClientParametersType}}
complex type and thus *this proposal requires to publish a new 'backward compatible' [http://cxf.apache.org/schemas/configuration/security.xsd]*.

> Configuration sample enabling 'trustAllCertificates' to invoke an HTTPS service:
> {code:xml}
> <jaxws:client id="helloWorldServiceClient"
>    serviceClass="com.example.HelloWorldService"
>    address="https://example.com/services/helloWorldService">
> </jaxws:client>
> <http-conf:conduit name="{http://example.com/}HelloWorldServicePort.http-conduit">
>    <!-- trust all certificates (self signed certificates, etc) -->
>    <http-conf:tlsClientParameters trustAllCertificates="true" />
>    
>    <http-conf:authorization>
>       <security:UserName>my-user-name</security:UserName>
>       <security:Password>my-password</security:Password>
>    </http-conf:authorization>
> </http-conf:conduit>
> {code}
> CXF client exception's stacktrace with a self-signe certificate: 
> {noformat}
> 2010/03/01 22:05:23,682  WARN [http-8080-1] org.apache.cxf.phase.PhaseInterceptorChain
- Interceptor for 
> {http://example.com/}HelloWorldServiceService#{http://example.com/}sayHi has thrown exception,
unwinding now
> org.apache.cxf.interceptor.Fault: Could not send Message.
> 	at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
> 	...
> 	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
> 	at $Proxy69.sayHi(Unknown Source)
> 	...
> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification
path to requested target
> 	...
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification
path to requested target
> 	...
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
> 	...
> {noformat}

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message