[ https://issues.apache.org/jira/browse/CXF-1549?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12592430#action_12592430 ]

Julius Davies commented on CXF-1549:
------------------------------------

In my opinion the customization of the SSLSocketFactory through 
not-yet-commons-ssl is superior.  Users need to write much less code to 
customize the SSL as they want it.   (In particular, notice how the client cert 
can come from an OpenSSL style key + cert pair in PEM.)


Here's everything that's currently customizable in not-yet-commons-ssl:


import java.io.IOException;
import java.security.GeneralSecurityException;
import javax.net.ssl.SSLSocketFactory;
import org.apache.commons.ssl.HostnameVerifier;
import org.apache.commons.ssl.KeyMaterial;
import org.apache.commons.ssl.SSLClient;
import org.apache.commons.ssl.TrustMaterial;

public static SSLSocketFactory buildSocketFactory()
        throws GeneralSecurityException, IOException {

    // Client key/cert from an OpenSSL-style PEM pair ...
    KeyMaterial opensslKey = new KeyMaterial("key.pem", "cert.pem", new char[]{'p','a','s','s'});
    // ... or from a Java keystore
    KeyMaterial javaKey = new KeyMaterial("keystore.jks", new char[]{'p','a','s','s'});
    TrustMaterial trust = new TrustMaterial("another-cert.pem");

    SSLClient client = new SSLClient();

    // Key and trust so central to SSL:
    client.setKeyMaterial(opensslKey);
    client.setTrustMaterial(TrustMaterial.CACERTS);
    client.addTrustMaterial(trust);  // let's trust one additional cert

    // Protocol stuff
    client.setDefaultProtocol("TLS");
    client.setEnabledProtocols(new String[]{"TLSv1", "SSLv3", "SSLv2Hello"});
    client.setEnabledCiphers(new String[]{"TLS_RSA_WITH_AES_128_CBC_SHA"});
    client.setUseClientMode(true);
    client.setNeedClientAuth(false);  // For weird situation where SSLServer initiates the connection.

    // How easy-going are we?
    client.setCheckCRL(true);
    client.setCheckExpiry(true);
    client.setCheckHostname(true);
    client.setHostnameVerifier(HostnameVerifier.STRICT_IE6);

    // Timeouts
    client.setConnectTimeout(10000);
    client.setSoTimeout(30000);

    // SSLClient extends javax.net.ssl.SSLSocketFactory, so it can be handed to CXF directly
    return (SSLSocketFactory) client;
}


If this patch is accepted, users could go this route.  Or they can still 
decorate the SSL using the standard CXF way, but this does give users the 
choice, and ultimately a lot more flexibility if they need it.

In a future version we're going to add:

client.setCheckOCSP(true);
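One way a CXF client could make use of the change, as an added example written for this page rather than code from the comment or from the attached patch. It reuses the not-yet-commons-ssl calls shown above, assumes the setter the patch adds is named TLSClientParameters.setSSLSocketFactory, and takes the key, certificate and CA file paths from the caller.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import javax.net.ssl.SSLSocketFactory;
import org.apache.commons.ssl.HostnameVerifier;
import org.apache.commons.ssl.KeyMaterial;
import org.apache.commons.ssl.SSLClient;
import org.apache.commons.ssl.TrustMaterial;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public final class StrictHttpsConduit {

    /** Builds a factory that only speaks TLSv1, verifies the hostname strictly
     *  and rejects expired or revoked certificates. Trust is set to the single
     *  CA in caPem instead of the CACERTS bundle, so only that CA can vouch
     *  for the server. */
    public static SSLSocketFactory newStrictFactory(String keyPem, String certPem,
            char[] keyPassword, String caPem)
            throws GeneralSecurityException, IOException {
        SSLClient client = new SSLClient();
        client.setKeyMaterial(new KeyMaterial(keyPem, certPem, keyPassword));
        client.setTrustMaterial(new TrustMaterial(caPem));
        client.setEnabledProtocols(new String[]{"TLSv1"});   // no SSLv3 / SSLv2Hello
        client.setCheckHostname(true);
        client.setHostnameVerifier(HostnameVerifier.STRICT);
        client.setCheckExpiry(true);
        client.setCheckCRL(true);
        client.setConnectTimeout(10000);
        client.setSoTimeout(30000);
        return client;   // SSLClient extends javax.net.ssl.SSLSocketFactory
    }

    /** Installs the factory on the HTTPS conduit behind a JAX-WS client proxy. */
    public static void install(Object port, SSLSocketFactory factory) {
        Client cxfClient = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) cxfClient.getConduit();
        TLSClientParameters tls = new TLSClientParameters();
        // Setter proposed by CXF-1549; the method name is assumed here.
        tls.setSSLSocketFactory(factory);
        conduit.setTlsClientParameters(tls);
    }
}
```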


> Let TLSClientParameters take an SSLSocketFactory
> ------------------------------------------------
>
>                 Key: CXF-1549
>                 URL: https://issues.apache.org/jira/browse/CXF-1549
>             Project: CXF
>          Issue Type: Improvement
>          Components: Transports
>            Reporter: Julius Davies
>            Priority: Trivial
>         Attachments: cxf-1549-1st-draft.patch
>
>
> Let TLSClientParameters take an SSLSocketFactory so that people using 
> not-yet-commons-ssl.jar, or others who know what they're doing, can set their 
> own SSLSocketFactory for https transport.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.