Return-Path: Delivered-To: apmail-cxf-issues-archive@www.apache.org Received: (qmail 5727 invoked from network); 3 Mar 2010 17:56:58 -0000 Received: from unknown (HELO mail.apache.org) (140.211.11.3) by 140.211.11.9 with SMTP; 3 Mar 2010 17:56:58 -0000 Received: (qmail 20945 invoked by uid 500); 3 Mar 2010 17:56:51 -0000 Delivered-To: apmail-cxf-issues-archive@cxf.apache.org Received: (qmail 20884 invoked by uid 500); 3 Mar 2010 17:56:51 -0000 Mailing-List: contact issues-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list issues@cxf.apache.org Received: (qmail 20757 invoked by uid 99); 3 Mar 2010 17:56:50 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 03 Mar 2010 17:56:50 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.140] (HELO brutus.apache.org) (140.211.11.140) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 03 Mar 2010 17:56:49 +0000 Received: from brutus.apache.org (localhost [127.0.0.1]) by brutus.apache.org (Postfix) with ESMTP id 3E92F234C4C4 for ; Wed, 3 Mar 2010 17:56:27 +0000 (UTC) Message-ID: <2073238854.40571267638987255.JavaMail.jira@brutus.apache.org> Date: Wed, 3 Mar 2010 17:56:27 +0000 (UTC) From: "Glen Mazza (JIRA)" To: issues@cxf.apache.org Subject: [jira] Commented: (CXF-2688) Allow deactivation of SSL X509 Certificates validation In-Reply-To: <359234331.44531267485245836.JavaMail.jira@brutus.apache.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 X-Virus-Checked: Checked by ClamAV on apache.org [ https://issues.apache.org/jira/browse/CXF-2688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12840763#action_12840763 ] Glen Mazza commented on CXF-2688: --------------------------------- I just need to have this sanity checked by a couple more CXF committers (there's about 25-30 of us, so that should not be too hard). I do not like this change, but if a couple of others are OK it, it is not worth vetoing. It is beneficial for a product to be robust enough, to have protective mechanisms so that even if total newbie developers work with it, there is little or no security loss that can occur. We don't want people's credit card numbers or other sensitive data to be stolen. The reason for introducing this potential security hole--to help newbies who don't know how to work with self-signed certs--is disconcerting. How sure can we be that such people indeed will remember to set trustAllCertificates back to "false" for production time? If they are not going to learn about certs during development how are they going to learn it production time? Further, should such people who stumble over certificate usage really be programming secure web services to begin with? Glen > Allow deactivation of SSL X509 Certificates validation > ------------------------------------------------------ > > Key: CXF-2688 > URL: https://issues.apache.org/jira/browse/CXF-2688 > Project: CXF > Issue Type: New Feature > Components: Transports > Affects Versions: 2.2.6 > Reporter: Cyrille Le Clerc > Assignee: Cyrille Le Clerc > Fix For: 2.2.7 > > Attachments: CXF-2688.diff > > > CXF client (JAXWS & JAXRS) for HTTPS calls currently only allows to disable hostname verification ({{}}) but does not allow to disable X509 certificates checking. > Due to this, it can be painful to invoke services with self-signed certificates on non-production environments (see sample stacktrace below). > Here is a proposal to disable all X509 certificates in CXF (JAXWS & JAXRS) clients : > * Add boolean attribute {{trustAllCertificates}} to {{}}, > * In the {{HTTPConduit}}, if {{trustAllCertificates="true"}}, the {{HttpsURLConnectionFactory}} will use an 'accept all certificates' {{javax.net.ssl.X509TrustManager}} and an 'accept all' {{javax.net.ssl.HostnameVerifier}}. > *Note* : this proposal adds an attribute {{trustAllCertificates}} to the {{TLSClientParametersType}} complex type and thus *this proposal requires to publish a new 'backward compatible' [http://cxf.apache.org/schemas/configuration/security.xsd]*. > Configuration sample enabling 'trustAllCertificates' to invoke an HTTPS service: > {code:xml} > serviceClass="com.example.HelloWorldService" > address="https://example.com/services/helloWorldService"> > > > > > > > my-user-name > my-password > > > {code} > CXF client exception's stacktrace with a self-signe certificate: > {noformat} > 2010/03/01 22:05:23,682 WARN [http-8080-1] org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for > {http://example.com/}HelloWorldServiceService#{http://example.com/}sayHi has thrown exception, unwinding now > org.apache.cxf.interceptor.Fault: Could not send Message. > at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64) > ... > at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124) > at $Proxy69.sayHi(Unknown Source) > ... > Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target > ... > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target > ... > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target > ... > {noformat} -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.