Return-Path: X-Original-To: apmail-cxf-users-archive@www.apache.org Delivered-To: apmail-cxf-users-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 813AB11F85 for ; Fri, 12 Sep 2014 16:58:16 +0000 (UTC) Received: (qmail 6786 invoked by uid 500); 12 Sep 2014 16:58:16 -0000 Delivered-To: apmail-cxf-users-archive@cxf.apache.org Received: (qmail 6737 invoked by uid 500); 12 Sep 2014 16:58:16 -0000 Mailing-List: contact users-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: users@cxf.apache.org Delivered-To: mailing list users@cxf.apache.org Received: (qmail 6723 invoked by uid 99); 12 Sep 2014 16:58:15 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 12 Sep 2014 16:58:15 +0000 X-ASF-Spam-Status: No, hits=-0.7 required=5.0 tests=RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of elakito@gmail.com designates 209.85.215.41 as permitted sender) Received: from [209.85.215.41] (HELO mail-la0-f41.google.com) (209.85.215.41) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 12 Sep 2014 16:57:49 +0000 Received: by mail-la0-f41.google.com with SMTP id s18so1344081lam.28 for ; Fri, 12 Sep 2014 09:57:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=eYcOCnXSZq0BkAD1YDT3lMECsyT8EHA8oQpXy9dWmOc=; b=H3VZDdlfixrbguOczGXWRHtJSgdW0FnZ6GMphMqbTFRRJ/7CKfIJ3iyoabVro3Mr1Q 1X60tI1PXCy7VDQzbJPYbHhtn74go2+65MsRVGOBjG8lRr0kQ9DiEUnWWROhtnpEjWq6 pEgRW6xqi0xtmuvF50oGiLV5V5ul4IJgRhszwhkcrzDvfzzrjjFVigQyyvvtTt7yfWn7 nNFpMNOAqCvz6UDRCfcd3rl4pDhgisoFYX7BPtD3eUJVmDdaVjw9MHUsk3j7VsS8OhXC 4wN7GK5B+S2v0y/4FC8f1kPX3q+is0LLUpxrJfC/c+TTOGGuBBwX+g91a2vv/hbhCFLJ b6iw== MIME-Version: 1.0 X-Received: by 10.112.17.2 with SMTP id k2mr9883390lbd.28.1410541068766; Fri, 12 Sep 2014 09:57:48 -0700 (PDT) Received: by 10.25.38.138 with HTTP; Fri, 12 Sep 2014 09:57:48 -0700 (PDT) In-Reply-To: References: <93E45CF9F9683B458EC51BFC39F106DD271A950E@DEWDFEMB16B.global.corp.sap> <93E45CF9F9683B458EC51BFC39F106DD271B53FE@DEWDFEMB16B.global.corp.sap> Date: Fri, 12 Sep 2014 18:57:48 +0200 Message-ID: Subject: Re: Problem using OCSP and truststore configuration in the http conduit From: Aki Yoshida To: users@cxf.apache.org Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Virus-Checked: Checked by ClamAV on apache.org it's fixed with CXF-6000 in 3.1.0, 3.0.2, and 2.7.13. thanks. 2014-09-12 18:29 GMT+02:00 Aki Yoshida : > hi joerg, > umm. you may be right. > I looked at the cxf's code and see that is using KeyManagerFactory's > default for both KeyManager and TrustManager. > TrustManagerFactory's default is in fact PKIX, so if its value is used > for the TrustManager instantiation instead, it should be working. > i'll will verify this. > regards, aki > > 2014-09-12 12:24 GMT+02:00 Kessler, Joerg : >> Hi Aki, >> Yes, that solves the problem. No, I did not configure it for the system = properties trust store access. I assume that activating of OCSP/CRL (using= com.sun.security.enableCRLDP and com.sun.net.ssl.checkRevocation) somehow = changes the default implicitly and CXF is not aware of that. I simply did = not know that you can configure the algorithm (and in case one wants to use= OCSP/CRL you must configure it). I still have some doubts because a user m= ight not expect that he has to configure it and if he does not test it this= security measure does not work although he thinks it is active. >> >> Thanks and best regards, >> >> J=C3=B6rg >> >> -----Original Message----- >> From: Aki Yoshida [mailto:elakito@gmail.com] >> Sent: Freitag, 12. September 2014 00:24 >> To: users@cxf.apache.org >> Subject: Re: Problem using OCSP and truststore configuration in the http= conduit >> >> i'm not sure what needs to be done. So this is just a guess. >> what do you set at the factoryAlgorithm property of your CXF's >> TrustManager configuration? Is it set to PKIX? >> >> >> >> Could it be that you are setting the algorithm explicitly in your >> non-cxf program but not in the cxf's configuration? >> >> 2014-09-08 15:12 GMT+02:00 Kessler, Joerg : >>> Hi, >>> I am testing OCSP together with a CXF WS consumer. I am addressing my o= wn trust store in the http conduit. I created my own CA and a certificate = (localhost) holding the location url of the validation service (on my compu= ter). The scenario is CXF->https://localhost->CXF. OCSP is supported by t= he JDK since Java 5. So I expected no problems. But when sending messages t= he validation url is not called to check the certificate and no error occur= s. I did a lot of experiments and found out that it works when I set the tr= ust store using the system property javax.net.ssl.trustStore instead of the= conduit. I tried to debug the problem and found that com.sun.net.ssl.inte= rnal.ssl.TrustManagerFactoryImpl provides two classes: PKIXFactory and Simp= leFactory. When PKIXFactory was instantiated then it worked (verifier was c= alled), using SimpleFactory it did not work. I could even change the algori= thm in the debugger from 'simple' to 'PKIX' and then it worked. But I was u= nable figure out when and why 'PKIX' or 'simple' is set. I came to the cla= ss javax.net.ssl.TrustManagerFactory->getDefaultAlgorithm() that seems to r= eturn the value somehow. But finally I got stuck. The problem seems to be c= aused by the method how CXF provides the trust store for ssl communication. >>> >>> I can provide two simple tests that demonstrate the problem and should = run on any local environment. One using the system property that fails due = to the missing validation service (verified by the ssl debug trace) and one= using the conduit that is always successful because no validation is call= ed. Both use the same certificate/trust store. >>> >>> Best Regards, >>> >>> J=C3=B6rg >>>