cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Tarr (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CXF-6944) cacerts is loaded while different truststore is specified
Date Fri, 17 Jun 2016 12:25:05 GMT

     [ https://issues.apache.org/jira/browse/CXF-6944?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

David Tarr updated CXF-6944:
----------------------------
    Description: 
It seems cxf still loads the cacerts eventhough a different truststore is specified (programmatically
- not via cxf.xml). Could this potentially load to a security-risk?

When I movethe trusted key from the different truststore to cacerts, the server is not trusted
and the handshake fails. But I have not investigated any further.

{noformat}
2016-06-17 13:45:21,213 INFO  [main] spring.BusApplicationContext  - Loaded configuration
file cxf.xml.
2016-06-17 13:45:21,213 INFO  [main] spring.ControlledValidationXmlBeanDefinitionReader  -
Loading XML bean definitions from class path resource [META-INF/cxf/cxf.xml]
2016-06-17 13:45:21,322 INFO  [main] spring.ControlledValidationXmlBeanDefinitionReader  -
Loading XML bean definitions from class path resource [cxf.xml]
2016-06-17 13:45:21,793 INFO  [main] factory.ReflectionServiceFactoryBean  - Creating Service
{http://www........com/.........}.... from class .............
keyStore is : 
keyStore type is : jks
keyStore provider is : 
init keystore
init keymanager of type SunX509
trustStore is: C:\Java\jdk1.7.0_79\jre\lib\security\cacerts
trustStore type is : jks
trustStore provider is : 
init truststore
...
{noformat}



  was:
It seems cxf still loads the cacerts eventhough a different truststore is specified (programmatically
- not via cxf.xml). Could this potentially load to a security-risk?

When I remove the trusted key from the different truststore, the server is not trusted and
the handshake fails. 

{noformat}
2016-06-17 13:45:21,213 INFO  [main] spring.BusApplicationContext  - Loaded configuration
file cxf.xml.
2016-06-17 13:45:21,213 INFO  [main] spring.ControlledValidationXmlBeanDefinitionReader  -
Loading XML bean definitions from class path resource [META-INF/cxf/cxf.xml]
2016-06-17 13:45:21,322 INFO  [main] spring.ControlledValidationXmlBeanDefinitionReader  -
Loading XML bean definitions from class path resource [cxf.xml]
2016-06-17 13:45:21,793 INFO  [main] factory.ReflectionServiceFactoryBean  - Creating Service
{http://www.quinity.com/qis/soap/coveragedecisionservice}CoverageDecisionServiceService from
class com.quinity.qis.soap.coveragedecisionservice.CoverageDecisionService
keyStore is : 
keyStore type is : jks
keyStore provider is : 
init keystore
init keymanager of type SunX509
trustStore is: C:\Java\jdk1.7.0_79\jre\lib\security\cacerts
trustStore type is : jks
trustStore provider is : 
init truststore
...
{noformat}




> cacerts is loaded while different truststore is specified
> ---------------------------------------------------------
>
>                 Key: CXF-6944
>                 URL: https://issues.apache.org/jira/browse/CXF-6944
>             Project: CXF
>          Issue Type: Improvement
>          Components: Transports
>    Affects Versions: 2.7.18
>            Reporter: David Tarr
>            Priority: Minor
>
> It seems cxf still loads the cacerts eventhough a different truststore is specified (programmatically
- not via cxf.xml). Could this potentially load to a security-risk?
> When I movethe trusted key from the different truststore to cacerts, the server is not
trusted and the handshake fails. But I have not investigated any further.
> {noformat}
> 2016-06-17 13:45:21,213 INFO  [main] spring.BusApplicationContext  - Loaded configuration
file cxf.xml.
> 2016-06-17 13:45:21,213 INFO  [main] spring.ControlledValidationXmlBeanDefinitionReader
 - Loading XML bean definitions from class path resource [META-INF/cxf/cxf.xml]
> 2016-06-17 13:45:21,322 INFO  [main] spring.ControlledValidationXmlBeanDefinitionReader
 - Loading XML bean definitions from class path resource [cxf.xml]
> 2016-06-17 13:45:21,793 INFO  [main] factory.ReflectionServiceFactoryBean  - Creating
Service {http://www........com/.........}.... from class .............
> keyStore is : 
> keyStore type is : jks
> keyStore provider is : 
> init keystore
> init keymanager of type SunX509
> trustStore is: C:\Java\jdk1.7.0_79\jre\lib\security\cacerts
> trustStore type is : jks
> trustStore provider is : 
> init truststore
> ...
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message