[
https://issues.apache.org/jira/browse/CXF-2688?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Cyrille Le Clerc updated CXF-2688:
----------------------------------
Attachment: CXF-2688-enhanced-warnings.patch
Here is a modification that adds detailed warning messages :
# when the 'accept all' trust manager is loaded (spring bean initialization)
{noformat:title=Warning emitted at HTTP Conduit initialization}
2010/03/04 00:33:26,239 ERROR [http-8080-2]
org.apache.cxf.transport.https.HttpsURLConnectionFactory - X509 CERTIFICATE
VALIDATION
SHOULD NOT BE DEACTIVATED ON PRODUCTION WITH "<http-conf:tlsClientParameters
trustAllCertificates='true' />" !
SECURITY IS COMPRIMISED !
{noformat}
# each time an SSL connection is opened with an untrusted certificate.
{noformat:title=Warning emitted each time a connexion is opened with an
untrusted certificate}
2010/03/04 00:33:27,179 ERROR [http-8080-2]
org.apache.cxf.transport.https.AcceptAllCertificatesX509TrustManager -
DEACTIVATED
X509 CERTIFICATE VALIDATION ERROR ! SECURITY IS COMPROMISED ! CERTIFICATE
VALIDATION DEACTIVATION
SHOULD NOT BE USED IN PRODUCTION ! sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
2010/03/04 00:33:27,180 ERROR [http-8080-2]
org.apache.cxf.transport.https.AcceptAllCertificatesX509TrustManager -
Untrusted self-signed expired certificate:
'[email protected], CN=localhost, OU=Cyrille Le Clerc,
O=Cyrille Le Clerc, L=Paris, C=FR'
(valid from Sun Sep 13 14:47:07 CEST 2009 until Tue Oct 13 14:47:07 CEST 2009)
{noformat}
Note : warning messages give detailed information about the validity problem
(self-signed, expiration, not yet valid, etc)
Could such enhanced warning messages be an interesting trade off between
security and ease of use ?
> Allow deactivation of SSL X509 Certificates validation
> ------------------------------------------------------
>
> Key: CXF-2688
> URL: https://issues.apache.org/jira/browse/CXF-2688
> Project: CXF
> Issue Type: New Feature
> Components: Transports
> Affects Versions: 2.2.6
> Reporter: Cyrille Le Clerc
> Assignee: Cyrille Le Clerc
> Fix For: 2.2.7
>
> Attachments: CXF-2688-enhanced-warnings.patch, CXF-2688.diff
>
>
> CXF client (JAXWS & JAXRS) for HTTPS calls currently only allows to disable
> hostname verification ({{<http-conf:tlsClientParameters disableCNCheck="true"
> />}}) but does not allow to disable X509 certificates checking.
> Due to this, it can be painful to invoke services with self-signed
> certificates on non-production environments (see sample stacktrace below).
> Here is a proposal to disable all X509 certificates in CXF (JAXWS & JAXRS)
> clients :
> * Add boolean attribute {{trustAllCertificates}} to
> {{<http-conf:tlsClientParameters ... />}},
> * In the {{HTTPConduit}}, if {{trustAllCertificates="true"}}, the
> {{HttpsURLConnectionFactory}} will use an 'accept all certificates'
> {{javax.net.ssl.X509TrustManager}} and an 'accept all'
> {{javax.net.ssl.HostnameVerifier}}.
> *Note* : this proposal adds an attribute {{trustAllCertificates}} to the
> {{TLSClientParametersType}} complex type and thus *this proposal requires to
> publish a new 'backward compatible'
> [http://cxf.apache.org/schemas/configuration/security.xsd]*.
> Configuration sample enabling 'trustAllCertificates' to invoke an HTTPS
> service:
> {code:xml}
> <jaxws:client id="helloWorldServiceClient"
> serviceClass="com.example.HelloWorldService"
> address="https://example.com/services/helloWorldService";>
> </jaxws:client>
> <http-conf:conduit
> name="{http://example.com/}HelloWorldServicePort.http-conduit";>
> <!-- trust all certificates (self signed certificates, etc) -->
> <http-conf:tlsClientParameters trustAllCertificates="true" />
>
> <http-conf:authorization>
> <security:UserName>my-user-name</security:UserName>
> <security:Password>my-password</security:Password>
> </http-conf:authorization>
> </http-conf:conduit>
> {code}
> CXF client exception's stacktrace with a self-signe certificate:
> {noformat}
> 2010/03/01 22:05:23,682 WARN [http-8080-1]
> org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for
> {http://example.com/}HelloWorldServiceService#{http://example.com/}sayHi has
> thrown exception, unwinding now
> org.apache.cxf.interceptor.Fault: Could not send Message.
> at
> org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
> ...
> at
> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
> at $Proxy69.sayHi(Unknown Source)
> ...
> Caused by: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> ...
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> ...
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find valid certification path to requested target
> ...
> {noformat}
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
