cxf-users mailing list archives

From "Arundel, Donal" <donal.arun...@iona.com>
Subject RE: how to let cxf client accept all/any certificates
Date Thu, 21 Feb 2008 15:13:36 GMT
Maybe try looking at the CXF demos - there is a WSDL-first HTTPS demo
there.
Normally the CXF SSL trust information is specified through the Spring
config.

>Also what if server ca is self-assigned, how to handle in this case?

Generally a CA being self-signed doesn't make any difference to you;
it is actually the simplest CA case.
Please note that a CA's certificate is fundamentally different
from an application's certificate, i.e. there is no such thing as a
self-signed application cert.

So, a self-signed CA that signed a cert request for a server to create a
server certificate would simply mean that the chain length associated
with the server's certificate is 2.

If you are not using self-signed certificates then you are dealing with
CA chains, in that a specific subordinate CA may be signed by a parent
CA.
If you only want to accept certificates issued by the subordinate CA
then only specify that CA as trusted; for all practical purposes this is
almost identical to using a self-signed CA as mentioned above.
NB: Don't specify the parent CA (which itself may or may not be a
self-signed CA) unless you really do want to trust all certificates
issued by all CAs that the parent CA has signed.
Additionally, if you were to do this you would have to enable support
for cert-chaining in your applications to allow them to accept
application cert chains greater than length 2.
There are additional complexities with enabling cert chaining that I
won't go into now, but it sounds like you don't need to support chain
lengths greater than 2.

It might be an idea to read up on the Java keytool and JSSE docs to
get an overview of the area.
There also are some excellent diagnostic and key/cert related utilities
(albeit C executables) available at www.openssl.org.
Specifically, I find the openssl s_client and s_server utilities answer
almost all SSL diagnostic questions once you get familiar with them.
However, they don't support the Java-proprietary keytool JKS format;
you would need to convert to PEM format.
While the openssl runtime proper does support PKCS#12 format, I don't
think they have updated the standalone utilities yet to support
PKCS#12 from the command line.
Docs for these utilities are on the openssl website too.

Cheers,
    Donal    

-----Original Message-----
From: yulinxp [mailto:yulinxp@gmail.com] 
Sent: 21 February 2008 14:07
To: cxf-user@incubator.apache.org
Subject: RE: how to let cxf client accept all/any certificates


How to "configure your client to trust the *Issuing Certificate
Authority*"? Any code example?

Also, what if the server CA is self-assigned? How to handle it in this case?

----------------------------------------------------------------------------


Arundel, Donal wrote:
> 
> At the SSL protocol level, the servers that a client will trust are
> governed by the list of Certificate Authorities (CAs) that the client is
> configured to trust.
> 
> i.e. You need to configure your client to trust the *Issuing Certificate
> Authority* that created the specific server certificate concerned.
> 
> At a separate, higher level there may be additional application-
> specific constraints that one might want to apply to lock things down
> further to individual server certificates if necessary,
> e.g. querying the TLS credentials and applying extra constraints on the
> Subject's Common Name to limit things to a single server.
> 
> Cheers,
>     Donal
> 
> -----Original Message-----
> From: yulinxp [mailto:yulinxp@gmail.com] 
> Sent: 19 February 2008 18:24
> To: cxf-user@incubator.apache.org
> Subject: how to let cxf client accept all/any certificates
> 
> 
> Below is my CXF client, which uses SSL. I have put the server's certificate in
> my client side.
> How do I change it to accept all/any certificates from the server?
> 
>         // imports needed by the snippet below
>         import java.io.IOException;
>         import javax.xml.namespace.QName;
>         import org.apache.cxf.configuration.jsse.TLSClientParameters;
>         import org.apache.cxf.frontend.ClientProxy;
>         import org.apache.cxf.transport.http.HTTPConduit;
> 
>         QName SERVICE_NAME = new QName("http://spring.demo/", "HelloWorldService");
>         HelloWorldService ss = new HelloWorldService(wsdlURL, SERVICE_NAME);
>         HelloWorld port = ss.getHelloWorldPort();
>         org.apache.cxf.endpoint.Client c = ClientProxy.getClient(port);
> 
>         // the HTTP conduit carries the per-client TLS settings
>         HTTPConduit httpConduit = (HTTPConduit) c.getConduit();
> 
>         TLSClientParameters tlsParams = new TLSClientParameters();
>         tlsParams.setSecureSocketProtocol("SSL");
>         try {
>             // getKeyManagers()/getTrustManagers() are the poster's own helpers (not shown)
>             tlsParams.setKeyManagers(getKeyManagers());
>             tlsParams.setTrustManagers(getTrustManagers());
>         } catch (IOException e) {
>             e.printStackTrace();
>         }
>         httpConduit.setTlsClientParameters(tlsParams);
> -- 
> View this message in context:
> http://www.nabble.com/how-to-let-cxf-client-accept-all-any-certificates-tp15562373p15562373.html
> Sent from the cxf-user mailing list archive at Nabble.com.
> 
> ----------------------------
> IONA Technologies PLC (registered in Ireland)
> Registered Number: 171387
> Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland
> 
> 

-- 
View this message in context:
http://www.nabble.com/how-to-let-cxf-client-accept-all-any-certificates-tp15562373p15612155.html
Sent from the cxf-user mailing list archive at Nabble.com.

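The two pieces of advice in the thread above (trust only the issuing CA, whether it is a self-signed root or a subordinate, and then optionally apply an application-level constraint on the server certificate's Subject CN) are put together below as an added example. This is not code from the thread or from the CXF project; the truststore path, its password, the alias and the expected CN are assumptions, and the keytool/openssl commands in the comments are the ordinary ones for building and checking such a truststore. The CXF calls used (ClientProxy.getClient, HTTPConduit.setTlsClientParameters, TLSClientParameters.setTrustManagers/setSecureSocketProtocol/setDisableCNCheck) are real CXF API; the helper names are mine.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

/**
 * Added example (not from the thread): trust ONLY the issuing CA, then pin the
 * server certificate's CN at the application level. Paths, password and CN are
 * hypothetical. Truststore assumed built with:
 *   keytool -importcert -trustcacerts -alias issuing-ca -file issuing-ca.pem \
 *           -keystore client-truststore.jks
 * and the server checked beforehand with:
 *   openssl s_client -connect host:443 -CAfile issuing-ca.pem
 */
public class IssuingCaTrust {

    /** JSSE trust managers backed by a JKS truststore holding only the issuing CA cert. */
    public static TrustManager[] trustManagersFor(String truststorePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(truststorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);               // PKIX validation against this truststore only, not the JRE cacerts
        return tmf.getTrustManagers();
    }

    /** Wraps each X509TrustManager: normal chain validation first, then a CN pin on the leaf cert. */
    public static TrustManager[] pinToCommonName(TrustManager[] delegates, final String expectedCn) {
        TrustManager[] wrapped = new TrustManager[delegates.length];
        for (int i = 0; i < delegates.length; i++) {
            if (!(delegates[i] instanceof X509TrustManager)) { wrapped[i] = delegates[i]; continue; }
            final X509TrustManager delegate = (X509TrustManager) delegates[i];
            wrapped[i] = new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                    delegate.checkClientTrusted(chain, authType);
                }
                public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                    delegate.checkServerTrusted(chain, authType);   // issuer signature, validity, chain to the CA
                    String cn = commonName(chain[0]);               // chain[0] is the server (leaf) certificate
                    if (!expectedCn.equalsIgnoreCase(cn)) {
                        throw new CertificateException("server CN '" + cn + "' does not match expected '" + expectedCn + "'");
                    }
                }
                public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
            };
        }
        return wrapped;
    }

    /** Extracts the CN attribute from the subject DN (RFC 2253 form) using the JDK's LDAP name parser. */
    static String commonName(X509Certificate cert) throws CertificateException {
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) return String.valueOf(rdn.getValue());
            }
            throw new CertificateException("no CN in subject " + cert.getSubjectX500Principal());
        } catch (InvalidNameException e) {
            throw new CertificateException("unparseable subject DN", e);
        }
    }

    /** Applies the above to a CXF proxy (the port object returned by the generated service class). */
    public static void configure(Object port, String truststorePath, char[] password, String expectedCn) throws Exception {
        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();

        TLSClientParameters tls = new TLSClientParameters();
        tls.setSecureSocketProtocol("TLS");
        tls.setTrustManagers(pinToCommonName(trustManagersFor(truststorePath, password), expectedCn));
        tls.setDisableCNCheck(false);   // keep CXF's hostname check; disabling it is what "accept any cert" setups do
        conduit.setTlsClientParameters(tls);
    }
}
```

Usage from the poster's own client would be `IssuingCaTrust.configure(port, "client-truststore.jks", "changeit".toCharArray(), "hello.example.internal")` right after obtaining `port`. Two design points: the truststore contains the issuing CA only, so with a self-signed CA or a pinned subordinate the accepted chain length is exactly 2 as Donal describes, and nothing issued by a parent CA is accepted; and the CN pin runs only after `delegate.checkServerTrusted` has succeeded, so it narrows the CA's trust rather than replacing it. A "trust-all" X509TrustManager with empty check methods would bypass both steps and leave the client open to any server holding any certificate.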
