[CONF] Apache CXF Documentation > TLS Configuration

[Colm O hEigeartaigh (Confluence)]

TLS Configuration Page edited by Colm O hEigeartaigh Changes (2) ... | {{certConstraints}} | | Certificate Constraints specification. | | {{secureRandom}} | JVM default Secure Random | SecureRandom specification. | | {{secureSocketProtocol}} | "TLS" | | Protocol Name. Most common example are "SSL", "TLS" or "TLSv1". | | {{certAlias}} | | Cert alias to use. Useful when keystore has multiple certs. | ... || Attribute || Default || Description || | {{clientAuthentication}} | Not "wanted" or "required" | Allows you to configure whether client authentication is "wanted" and|/or "required. | Full Content TLS Parameters common to both Clients and Servers Client TLS Parameters Server TLS Parameters TLS Parameters common to both Clients and Servers The TLS Parameters common to both Clients and Servers are given here: Attribute Default Description keyManagers JVM default Key Managers Key Managers to hold X509 certificates. trustManagers JVM default Trust Managers TrustManagers to validate peer X509 certificates. jsseProvider JVM default provider associated with protocol JSSE provider name. cipherSuites JVM default cipher suites CipherSuites that will be supported. cipherSuitesFilter   filters of the supported CipherSuites that will be supported and used if available. certConstraints   Certificate Constraints specification. secureRandom JVM default Secure Random SecureRandom specification. secureSocketProtocol "TLS" Protocol Name. Most common example are "SSL", "TLS" or "TLSv1". certAlias   Cert alias to use. Useful when keystore has multiple certs. Client TLS Parameters In addition to the TLS Parameters common to both Clients and Servers, there are some parameters that are specific to Clients: Attribute Default Description disableCNcheck false Indicates whether that the hostname given in the HTTPS URL will be checked against the service's Common Name (CN) given in its certificate during requests, and failing if there is a mismatch. If set to true (not recommended for production use), such checks will be bypassed. That will allow you, for example, to use a URL such as localhost during development. sslSocketFactory   A SSLSocketFactory to use. All other bean properties are ignored if this is set. sslCacheTimeout 86400000 milliseconds (24 hours) SSL Cache Timeout in seconds. useHttpsURLConnectionDefaultSslSocketFactory false This attribute specifies if HttpsURLConnection.getDefaultSSLSocketFactory() should be used to create https connections. If 'true', 'jsseProvider', 'secureSocketProtocol', 'trustManagers', 'keyManagers', 'secureRandom', 'cipherSuites' and 'cipherSuitesFilter' configuration parameters are ignored. useHttpsURLConnectionDefaultHostnameVerifier false This attribute specifies if HttpsURLConnection.getDefaultHostnameVerifier() should be used to create https connections. If 'true', 'disableCNCheck' configuration parameter is ignored. Note : disableCNcheck is a parameterized boolean, you can use a fixed variable true|false as well as a Spring externalized property variable (e.g. ${disable-https-hostname-verification}) or a Spring _expression_ (e.g. #{systemProperties['dev-mode']}). Sample : HTTP conduit configuration disabling HTTP URL hostname verification (usage of localhost, etc) ... <http-conf:conduit name="{http://example.com/}HelloWorldServicePort.http-conduit"> <!-- deactivate HTTPS url hostname verification (localhost, etc) --> <!-- WARNING ! disableCNcheck=true should NOT be used in production --> <http-conf:tlsClientParameters disableCNcheck="true" /> ... </http-conf:conduit> ... Server TLS Parameters In addition to the TLS Parameters common to both Clients and Servers, there are some parameters that are specific to Servers: Attribute Default Description clientAuthentication Not "wanted" or "required" Allows you to configure whether client authentication is "wanted" and/or "required. Stop watching space | Change email notification preferences View Online | View Changes | Add Comment