cxf-users mailing list archives

From Jason Pell <ja...@pellcorp.com>
Subject SSL example breaks firefox (no cipher suites in common)
Date Thu, 13 Jan 2011 23:36:02 GMT
Hi,

First of all let me explain my setup.  I am not using mutual authentication.

I have configured a key store on the server side only (no trust store).
I have configured a trust store on the client side.

So I have configured the following in the server spring config for
embedded jetty:

    <httpj:tlsServerParameters>
        <sec:keyManagers keyPassword="${tls.keystore.password}">
            <sec:keyStore type="JKS" password="${tls.keystore.password}"
                          file="${tls.keystore.file}" />
        </sec:keyManagers>

        <!-- breaks firefox which I would like to have working! -->
        <sec:cipherSuitesFilter>
            <sec:include>.*_EXPORT_.*</sec:include>
            <sec:include>.*_EXPORT1024_.*</sec:include>
            <sec:include>.*_WITH_DES_.*</sec:include>
            <sec:include>.*_WITH_NULL_.*</sec:include>
            <sec:exclude>.*_DH_anon_.*</sec:exclude>
        </sec:cipherSuitesFilter>
    </httpj:tlsServerParameters>

The client was configured with a trust manager only, with the same
cipher suite filters.  This ALL WORKS between CXF and CXF, no
problems, so that's all good.  It also works nicely between SOAPUI and
the CXF server too.

My only trouble at this point is that if I try and access the WSDL
from Firefox I run into trouble and the logfile on the server reports

javax.net.ssl.SSLHandshakeException: no cipher suites in common

I came across this post, but it suggests it's an expected issue, which I
think is incorrect as I am not using mutual SSL authentication.
   http://cxf.547215.n5.nabble.com/cxf-server-using-https-td563480.html

If I remove the cipherSuitesFilter from the server config then Firefox
works too.  So it appears that we are restricting the ciphers to
something Firefox does not support.  Anyone have any ideas, or do I
have to live with this?

Thanks
Jason
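
The filter from the message above, replayed over sample suite names to show why the handshake ends with "no cipher suites in common" (an added example, not part of the original post and not CXF code). It assumes a suite is enabled when its whole name matches any include pattern and no exclude pattern; the suite lists, the STRICT_* filter, and the function names are constructed for illustration.

```python
import re

# Filter copied from the server config posted in the message.
POSTED_INCLUDE = [r".*_EXPORT_.*", r".*_EXPORT1024_.*",
                  r".*_WITH_DES_.*", r".*_WITH_NULL_.*"]
POSTED_EXCLUDE = [r".*_DH_anon_.*"]

# Hypothetical alternative: include everything, then drop the weak families.
STRICT_INCLUDE = [r".*"]
STRICT_EXCLUDE = POSTED_INCLUDE + POSTED_EXCLUDE

# Constructed sample of suites a JSSE server might support (not a real dump).
SERVER_SUPPORTED = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_WITH_NULL_SHA",
    "SSL_DH_anon_WITH_DES_CBC_SHA",
    "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
]

# Constructed browser offer in preference order, written with the server's
# suite names (not a captured ClientHello).
BROWSER_OFFERED = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
]

def apply_filter(supported, include, exclude):
    """Keep suites whose name matches any include and no exclude pattern."""
    def hit(patterns, name):
        return any(re.fullmatch(p, name) for p in patterns)
    return [s for s in supported if hit(include, s) and not hit(exclude, s)]

def negotiate(enabled, offered):
    """First offered suite that the server has enabled, or None if no overlap."""
    return next((s for s in offered if s in enabled), None)

if __name__ == "__main__":
    for label, inc, exc in (("posted", POSTED_INCLUDE, POSTED_EXCLUDE),
                            ("strict", STRICT_INCLUDE, STRICT_EXCLUDE)):
        enabled = apply_filter(SERVER_SUPPORTED, inc, exc)
        print(label, enabled, "->", negotiate(enabled, BROWSER_OFFERED))
```

The posted include patterns act as an allow-list, so the server is left with only single-DES, export and NULL suites, which the sample browser does not offer; `.*_WITH_DES_.*` does not match the `_WITH_3DES_EDE_` names.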
