cxf-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Kulp <>
Subject Re: Custom KeyManager and TrustManager in TLS/SSL configuration
Date Fri, 10 Sep 2010 19:40:53 GMT

>     <http:tlsClientParameters disableCNCheck="true">
>       <sec:trustManagers>
>           <bean class="MyCustomCertStore" />
>       </sec:trustManagers>

Unfortunately, that won't work with the way we use JAXB beans to model some of 
these things.  The JAXB beans and parsing don't know about the Spring context 
things and such and thus wouldn't be able to handle this.

What MAY work, at least on 2.3/trunk would be to add a "ref" attribute or 
similar so:

<sec:trustManagers ref="MyCustomCertStore"/>

that we then lookup that bean by name from the context when needed.   If you 
want to pursue that approach, I'd be happy to provide pointers to where to 


On Thursday 09 September 2010 9:32:38 am Juan José Vázquez Delgado wrote:
> Hi,
> Currently I'm working in a web service client that has to deal with
> authentication based on X509 certificates. Unfortunately, we don't
> have file-based certificates, i.e. PKCS12 or JKS, but they are
> embedded in smart cards.
> Taking the Spring-based SSL configuration into account, how can we
> configure our custom KeyManager and TrustManager?. It would be enough
> with custom keyStore and certStore implementations?. It would be OK a
> configuration like this?:
>   <http:conduit name="{........}Service.http-conduit">
>     <http:tlsClientParameters disableCNCheck="true">
>       <sec:trustManagers>
>           <bean class="MyCustomCertStore" />
>       </sec:trustManagers>
>       <sec:keyManagers>
>           <bean class="myCustomKeyStore" />
>       </sec:keyManagers>
>       <sec:cipherSuitesFilter>
>         <!-- these filters ensure that a ciphersuite with
>           export-suitable or null encryption is used,
>           but exclude anonymous Diffie-Hellman key change as
>           this is vulnerable to man-in-the-middle attacks -->
>         <sec:include>.*_EXPORT_.*</sec:include>
>         <sec:include>.*_EXPORT1024_.*</sec:include>
>         <sec:include>.*_WITH_DES_.*</sec:include>
>         <sec:include>.*_WITH_NULL_.*</sec:include>
>         <sec:exclude>.*_DH_anon_.*</sec:exclude>
>       </sec:cipherSuitesFilter>
>     </http:tlsClientParameters>
>    </http:conduit>
> Any suggestions will be appreciate. Thanks in advance,
> Juanjo.

Daniel Kulp

View raw message