Hi Vivian, Please find my comment inline: On Wed, Oct 29, 2008 at 11:44 PM, Vivian Wang <[EMAIL PROTECTED]>wrote:
So is there an option in axis2/c that I can turn off the certificate > validation? No we don't support that at the moment. > I think this is important because from a client point of view, lots of > times when I want to access a web service under SSL using https://.. I > know that is the site I want to go. Yes web browsers do support that, but in reality you don't know if that truly is the site that you want to access, if you don't have the server's certificate beforehand. (someone can spoof dns and appear themselves as https://foo.com). Yes I have neglected about well known Certificate Authorities for simplicity. If you trust the CA that issued the server cert, all you need is the CA's certificate. > And just like you said, browsers will ask you if you want to trust the site > and I can say yes or no.It would also be very inconvenient for a client to > have to get the certificate from a service provide (they may not give you). Anyway, if it is only for testing, what you can do is to follow the Axis2/C manual and retrieve the server cert from the server. [1] (refer to sec. 13.1.2 Configuration). Well you can do this even if it was not for testing, but it is not recommended to do so. Thanks, Dumindu. [1] http://ws.apache.org/axis2/c/docs/axis2c_manual.html#ssl_client
