cxf-users mailing list archives

From Sergey Beryozkin <sberyoz...@gmail.com>
Subject Re: Check SSL server certificate
Date Thu, 26 Feb 2015 17:09:06 GMT
Hi

I guess this is what Colm is implying, that the actual problem is that it 
does work.
Can it be reproduced by a given server certificate with a self-signed 
certificate validating it?

Cheers, Sergey



On 26/02/15 16:55, Jose María Zaragoza wrote:
> 2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh <coheigea@apache.org>:
>>
>> It does, but only if no truststore has been configured in CXF. Do you have a
>> test-case that reproduces this problem?
>
>
> Thanks, not really.
> Indeed, it's not a problem because my client works fine, but I cannot
> understand why. I only imported the server certificate, not the others
> in the chain.
>
> As I don't know how the underlying certificate validation is performed,
> I don't know if this behaviour is caused by default settings in CXF
> or another reason.
>
> Regards
>
>
>>
>> Colm.
>>
>> On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza <demablogia@gmail.com>
>> wrote:
>>>
>>> 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <coheigea@apache.org>:
>>>> You are using "keyManagers" instead of "trustManagers" in the
>>>> configuration. "keyManagers" is used when you need to specify a key for
>>>> client authentication. "trustManagers" is used to verify trust in the
>>>> server's cert. As you have no "trustManagers" configuration here, I guess
>>>> it is falling back on the default JVM settings (javax.net.ssl.trustStore)
>>>
>>> Sorry, it was a typo. I'm using trustManagers
>>>
>>> <sec:trustManagers>
>>>     <sec:keyStore type="JKS" password="*******" resource="truststore.jks"/>
>>> </sec:trustManagers>
>>> <sec:cipherSuitesFilter>
>>>
>>> Do you know if JSSE (I guess it's the underlying TLS implementation)
>>> uses the default JVM truststore for checking certificates?
>>>
>>> Thanks
>>>
>>>>
>>>> Colm.
>>>>
>>>> On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza
>>>> <demablogia@gmail.com>
>>>> wrote:
>>>>
>>>>> Hello:
>>>>>
>>>>> Maybe this question is a bit off topic, but I am trying to understand why my
>>>>> client works.
>>>>>
>>>>> I use CXF 2.7.8 to call a remote web service over HTTPS (SSL/TLS).
>>>>> These are my settings:
>>>>>
>>>>> <http-conf:conduit name="https://.*">
>>>>>    <http-conf:tlsClientParameters>
>>>>>       <sec:keyManagers keyPassword="xxxxxxxx">
>>>>>          <sec:keyStore type="JKS" password="xxxxxxxx" resource="truststore.jks"/>
>>>>>       </sec:keyManagers>
>>>>>
>>>>> I've imported the SSL server certificate into truststore.jks.
>>>>> And it works fine.
>>>>>
>>>>> But this certificate is signed by a CA chain (from .godaddy.com),
>>>>> and (I think) I have not imported any certificate from godaddy.
>>>>> Why does my client trust the server certificate?
>>>>> Is some Certification Path Validation process not performed?
>>>>>
>>>>> Thanks and regards
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Colm O hEigeartaigh
>>>>
>>>> Talend Community Coder
>>>> http://coders.talend.com
>>
>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
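
To see which certificates JSSE treats as trust anchors, both for the JVM default store mentioned in the thread and for a custom truststore.jks, the following added example lists them (it is not part of the original thread and is not CXF code). The class name `TrustAnchors`, the command-line arguments and the "daddy" subject filter are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (hypothetical class name): lists the trust anchors JSSE uses.
public class TrustAnchors {
    // Returns the certificates the default X509TrustManager accepts as trust anchors.
    // ks == null makes JSSE fall back to javax.net.ssl.trustStore or the JRE default store.
    static X509Certificate[] anchors(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Prints each anchor whose subject contains the filter (null prints all of them).
    static void print(String label, X509Certificate[] certs, String filter) {
        System.out.println(label + ": " + certs.length + " trust anchor(s)");
        for (X509Certificate c : certs) {
            String subject = c.getSubjectX500Principal().getName();
            String issuer = c.getIssuerX500Principal().getName();
            if (filter != null && !subject.toLowerCase().contains(filter)) continue;
            System.out.println("  " + subject
                + (subject.equals(issuer) ? "  [self-issued]" : "  [issued by " + issuer + "]"));
        }
    }

    // Usage: java TrustAnchors [path-to-truststore.jks password]
    public static void main(String[] args) throws Exception {
        // Constructed filter: show only default anchors whose subject mentions "daddy".
        print("JVM default", anchors(null), "daddy");
        if (args.length == 2) {
            KeyStore ks = KeyStore.getInstance("JKS");
            try (InputStream in = new FileInputStream(args[0])) {
                ks.load(in, args[1].toCharArray());
            }
            print(args[0], anchors(ks), null);
        }
    }
}
```

A server certificate imported on its own appears in the second list as an anchor marked with its issuer rather than as self-issued.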
