cxf-users mailing list archives

From Jose María Zaragoza <demablo...@gmail.com>
Subject Re: Check SSL server certificate
Date Fri, 27 Feb 2015 07:37:14 GMT
2015-02-26 23:38 GMT+01:00 Colm O hEigeartaigh <coheigea@apache.org>:
> I did a quick test using CXF's WebClient doing a "GET" on
> https://www.google.com. It works fine when you don't specify any
> TLSClientParameters as expected, as it picks up the default cacerts.
> However, when I added the following it fails (also as expected):
>
>  <http:conduit name="https://.*">
>    <http:tlsClientParameters disableCNCheck="true">
>      <sec:trustManagers>
>        <sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/>
>      </sec:trustManagers>
>    </http:tlsClientParameters>
>  </http:conduit>
>
> Colm.

OK. That's right.
But if you import Google's certificate into clientstore.jks but don't
import its CA certificate (GeoTrust CA, in this case), should it
fail? This is my question.
I don't know what validation path JSSE follows.

Regards



>
> On Thu, Feb 26, 2015 at 10:07 PM, Jose María Zaragoza <demablogia@gmail.com>
> wrote:
>
>> 2015-02-26 22:23 GMT+01:00 Sergey Beryozkin <sberyozkin@gmail.com>:
>> > What I meant is that you do use a self-signed cert to sign a previously
>> > generated certificate but do not import this self-signed cert into the
>> > truststore, which would emulate the same situation you have now without
>> > having to provide a test where well-known providers sign a given server
>> > certificate.
>>
>> OK
>> I'll try it
>>
>> Thanks
>>
>> >
>> > Sergey
>> >
>> >
>> >
>> > On 26/02/15 18:51, Jose María Zaragoza wrote:
>> >>
>> >> 2015-02-26 18:09 GMT+01:00 Sergey Beryozkin <sberyozkin@gmail.com>:
>> >>>
>> >>> Hi
>> >>>
>> >>> I guess this is what Colm is implying, that the actual problem is that it
>> >>> does work.
>> >>> Can it be reproduced by a given server certificate with a self-signed
>> >>> certificate validating it?
>> >>
>> >>
>> >>
>> >> Well, I don't have a testcase right now. I'll try to reproduce it.
>> >>
>> >> With a self-signed certificate, the behaviour is also the same.
>> >> But that makes sense (for me), because your CA is yourself, so you
>> >> could trust it (if the certificate is imported into your keystore).
>> >>
>> >> Regards
>> >>
>> >>
>> >>>
>> >>> Cheers, Sergey
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> On 26/02/15 16:55, Jose María Zaragoza wrote:
>> >>>>
>> >>>>
>> >>>> 2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh <coheigea@apache.org>:
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> It does, but only if no truststore has been configured in CXF. Do you
>> >>>>> have a test-case that reproduces this problem?
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>> Thanks, not really.
>> >>>> Indeed, it's not a problem because my client works fine, but I cannot
>> >>>> understand why. I only imported the server certificate, not the others
>> >>>> in the chain.
>> >>>>
>> >>>> As I don't know how the underlying certificate validation is performed,
>> >>>> I don't know if this behaviour is caused by default settings in CXF
>> >>>> or by another reason.
>> >>>>
>> >>>> Regards
>> >>>>
>> >>>>
>> >>>>>
>> >>>>> Colm.
>> >>>>>
>> >>>>> On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza
>> >>>>> <demablogia@gmail.com>
>> >>>>> wrote:
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <coheigea@apache.org>:
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> You are using "keyManagers" instead of "trustManagers" in the
>> >>>>>>> configuration. "keyManagers" is used when you need to specify a key
>> >>>>>>> for client authentication. "trustManagers" is used to verify trust in
>> >>>>>>> the server's cert. As you have no "trustManagers" configuration here, I
>> >>>>>>> guess it is falling back on the default JVM settings
>> >>>>>>> (javax.net.ssl.trustStore)
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> Sorry, it was a typo. I'm using trustManagers
>> >>>>>>
>> >>>>>> <sec:trustManagers>
>> >>>>>>   <sec:keyStore type="JKS" password="*******" resource="truststore.jks"/>
>> >>>>>> </sec:trustManagers>
>> >>>>>> <sec:cipherSuitesFilter>
>> >>>>>>
>> >>>>>> Do you know if JSSE (I guess it's the underlying TLS implementation)
>> >>>>>> uses the default JVM truststore for checking certificates?
>> >>>>>>
>> >>>>>> Thanks
>> >>>>>>
>> >>>>>>>
>> >>>>>>> Colm.
>> >>>>>>>
>> >>>>>>> On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza
>> >>>>>>> <demablogia@gmail.com>
>> >>>>>>> wrote:
>> >>>>>>>
>> >>>>>>>> Hello:
>> >>>>>>>>
>> >>>>>>>> Maybe this question is a bit off topic, but I'm trying to understand
>> >>>>>>>> why my client works.
>> >>>>>>>>
>> >>>>>>>> I use CXF 2.7.8 to call a remote webservice over HTTPS (SSL/TLS).
>> >>>>>>>> These are my settings:
>> >>>>>>>>
>> >>>>>>>> <http-conf:conduit name="https://.*">
>> >>>>>>>>   <http-conf:tlsClientParameters>
>> >>>>>>>>     <sec:keyManagers keyPassword="xxxxxxxx">
>> >>>>>>>>       <sec:keyStore type="JKS" password="xxxxxxxx" resource="truststore.jks"/>
>> >>>>>>>>     </sec:keyManagers>
>> >>>>>>>>   </http-conf:tlsClientParameters>
>> >>>>>>>> </http-conf:conduit>
>> >>>>>>>>
>> >>>>>>>> I've imported the SSL server certificate into truststore.jks,
>> >>>>>>>> and it works fine.
>> >>>>>>>>
>> >>>>>>>> But this certificate is signed by a CA chain (from .godaddy.com),
>> >>>>>>>> and (I think) I haven't imported any certificate from godaddy.
>> >>>>>>>> Why does my client trust the server certificate?
>> >>>>>>>> Isn't some Certification Path Validation process performed?
>> >>>>>>>>
>> >>>>>>>> Thanks and regards
>> >>>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> --
>> >>>>>>> Colm O hEigeartaigh
>> >>>>>>>
>> >>>>>>> Talend Community Coder
>> >>>>>>> http://coders.talend.com
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> --
>> >>>>> Colm O hEigeartaigh
>> >>>>>
>> >>>>> Talend Community Coder
>> >>>>> http://coders.talend.com
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> --
>> >>> Sergey Beryozkin
>> >>>
>> >>> Talend Community Coders
>> >>> http://coders.talend.com/
>> >>>
>> >>> Blog: http://sberyozkin.blogspot.com
>> >
>> >
>>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
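
The test case the thread keeps asking for, as an added example that is not part of this thread, of CXF, or of the JDK: it builds the same kind of PKIX X509TrustManager that CXF's <sec:trustManagers> hands to JSSE, over an in-memory truststore, and calls checkServerTrusted on a CA-signed server chain with different truststore contents. Certificate generation uses Bouncy Castle (bcprov and bcpkix on the classpath is an assumption; the JDK has no public API for issuing certificates), and the CA name and hostname are made up. The point it demonstrates is the answer to the "why does it work" question: the JDK's PKIX validator walks the presented chain looking for a certificate that is itself a trusted entry, and when the leaf is that certificate the chain is accepted without building any path to a CA, so a truststore holding just the server certificate works without GoDaddy's or GeoTrust's CA. The remaining cases show what that choice costs: with only the CA in the truststore, anything that CA signs is accepted; with only the leaf pinned, a renewed server certificate (new key, same CA) is rejected until the truststore is updated.

```java
// Added example, not code from the thread or from CXF. Assumes Bouncy Castle
// (bcprov, bcpkix) on the classpath for issuing the test certificates; the
// trust check itself is plain JSSE, the same code path CXF ends up in.
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class LeafInTruststoreCheck {

    private static long serial = 1;

    /** Issues a certificate for subjectKey, signed by issuerKey under the issuer DN. */
    static X509Certificate issue(String subject, KeyPair subjectKey,
                                 String issuer, KeyPair issuerKey, boolean isCa) throws Exception {
        long now = System.currentTimeMillis();
        X509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                new X500Name(issuer), BigInteger.valueOf(serial++),
                new Date(now - 60_000L), new Date(now + 86_400_000L),
                new X500Name(subject), subjectKey.getPublic());
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCa));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(issuerKey.getPrivate());
        return new JcaX509CertificateConverter().getCertificate(b.build(signer));
    }

    /**
     * What CXF's <sec:trustManagers><sec:keyStore .../></sec:trustManagers> resolves to:
     * the JDK's default (PKIX) X509TrustManager over a truststore holding only these certs.
     */
    static X509TrustManager trustManagerFor(X509Certificate... trusted) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(null, null);                       // empty in-memory truststore
        for (int i = 0; i < trusted.length; i++) {
            ts.setCertificateEntry("trusted-" + i, trusted[i]);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** True if JSSE would accept this server chain with the given truststore. */
    static boolean serverTrusted(X509TrustManager tm, X509Certificate[] chain) {
        try {
            tm.checkServerTrusted(chain, "RSA");
            return true;
        } catch (CertificateException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair caKey = kpg.generateKeyPair();
        KeyPair serverKey = kpg.generateKeyPair();
        KeyPair otherKey = kpg.generateKeyPair();

        // Stand-ins for the commercial CA and the server certificate it signed (made-up names).
        X509Certificate ca = issue("CN=Test Root CA", caKey, "CN=Test Root CA", caKey, true);
        X509Certificate server = issue("CN=service.example", serverKey, "CN=Test Root CA", caKey, false);
        X509Certificate[] chain = { server, ca };   // what the server presents in the handshake

        // 1. Only the leaf in the truststore, no CA at all (the thread's situation).
        System.out.println("leaf only in truststore       -> " + serverTrusted(trustManagerFor(server), chain));
        // 2. Only the CA in the truststore: ordinary path validation up to the anchor.
        System.out.println("CA only in truststore         -> " + serverTrusted(trustManagerFor(ca), chain));
        // 3. Only an unrelated certificate in the truststore: no anchor, no trust.
        X509Certificate unrelated = issue("CN=Unrelated", otherKey, "CN=Unrelated", otherKey, true);
        System.out.println("unrelated cert only           -> " + serverTrusted(trustManagerFor(unrelated), chain));
        // 4. Server renews its certificate with a new key; the old leaf is still what is pinned.
        X509Certificate renewed = issue("CN=service.example", otherKey, "CN=Test Root CA", caKey, false);
        System.out.println("renewed leaf, old leaf pinned -> "
                + serverTrusted(trustManagerFor(server), new X509Certificate[] { renewed, ca }));
    }
}
```

Run it with bcprov and bcpkix on the classpath; the four cases print true, true, false, false. Case 1 is the shortcut that explains the original client: once the leaf itself is a trusted entry, the rest of the chain is not consulted, so the absent GoDaddy certificates never mattered. Two things worth keeping in mind when choosing between the two truststore contents: importing the CA instead trusts every certificate that CA issues, while importing only the leaf is effectively pinning and will break on the next renewal unless the server keeps the same key pair. Also note that checkServerTrusted without a socket performs no hostname check; in CXF that is the separate disableCNCheck setting, which Colm's test snippet sets to true and which should stay at its default outside of tests.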
