[
https://issues.apache.org/jira/browse/CXF-2688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12844144#action_12844144
]
Cyrille Le Clerc commented on CXF-2688:
---------------------------------------
As discussed on the dev mailing list message [\[CXF-2688\] "Allow deactivation
of SSL X509 Certificates validation"
reverted|http://old.nabble.com/-CXF-2688--%22Allow-deactivation-of-SSL-X509-Certificates-validation%22--reverted-td27776275.html],
an alternate solution has been implemented.
CXF 2.2.7 integrates CXF-2693 "Allow to use HttpsURLConnection's
defaultSSLSocketFactory and defaultHostnameVerifier in CXF client". Thanks to
this, users will be able to disable all ssl verifications at the JVM level with
an "Accept All Ssl Socket Factory" and an "Accept All Hostname Verifier" and
then configure CXF to rely on them. *Please note that disabling ssl
verifications is a severe security breach.*
An advantage of the JVM wide approach is to encourage users to disable ssl
verifications during the middleware startup phase rather than in the
application and thus to mitigate the risk to inadvertently disable ssl
verifications on productions.
For Tomcat users, I developed an [Accept All Ssl Certificates
Listener|http://code.google.com/p/xebia-france/wiki/AcceptAllSslCertificatesListener]
which disables SSL verifications during Tomcat startup and emits meaningful
warning messages for untrusted certificates to help debugging.
> Allow deactivation of SSL X509 Certificates validation
> ------------------------------------------------------
>
> Key: CXF-2688
> URL: https://issues.apache.org/jira/browse/CXF-2688
> Project: CXF
> Issue Type: New Feature
> Components: Transports
> Affects Versions: 2.2.6
> Reporter: Cyrille Le Clerc
> Assignee: Cyrille Le Clerc
> Fix For: 2.2.7
>
> Attachments: CXF-2688-enhanced-warnings.patch, CXF-2688.diff
>
>
> CXF client (JAXWS & JAXRS) for HTTPS calls currently only allows to disable
> hostname verification ({{<http-conf:tlsClientParameters disableCNCheck="true"
> />}}) but does not allow to disable X509 certificates checking.
> Due to this, it can be painful to invoke services with self-signed
> certificates on non-production environments (see sample stacktrace below).
> Here is a proposal to disable all X509 certificates in CXF (JAXWS & JAXRS)
> clients :
> * Add boolean attribute {{trustAllCertificates}} to
> {{<http-conf:tlsClientParameters ... />}},
> * In the {{HTTPConduit}}, if {{trustAllCertificates="true"}}, the
> {{HttpsURLConnectionFactory}} will use an 'accept all certificates'
> {{javax.net.ssl.X509TrustManager}} and an 'accept all'
> {{javax.net.ssl.HostnameVerifier}}.
> *Note* : this proposal adds an attribute {{trustAllCertificates}} to the
> {{TLSClientParametersType}} complex type and thus *this proposal requires to
> publish a new 'backward compatible'
> [http://cxf.apache.org/schemas/configuration/security.xsd]*.
> Configuration sample enabling 'trustAllCertificates' to invoke an HTTPS
> service:
> {code:xml}
> <jaxws:client id="helloWorldServiceClient"
> serviceClass="com.example.HelloWorldService"
> address="https://example.com/services/helloWorldService";>
> </jaxws:client>
> <http-conf:conduit
> name="{http://example.com/}HelloWorldServicePort.http-conduit";>
> <!-- trust all certificates (self signed certificates, etc) -->
> <http-conf:tlsClientParameters trustAllCertificates="true" />
>
> <http-conf:authorization>
> <security:UserName>my-user-name</security:UserName>
> <security:Password>my-password</security:Password>
> </http-conf:authorization>
> </http-conf:conduit>
> {code}
> CXF client exception's stacktrace with a self-signe certificate:
> {noformat}
> 2010/03/01 22:05:23,682 WARN [http-8080-1]
> org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for
> {http://example.com/}HelloWorldServiceService#{http://example.com/}sayHi has
> thrown exception, unwinding now
> org.apache.cxf.interceptor.Fault: Could not send Message.
> at
> org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
> ...
> at
> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
> at $Proxy69.sayHi(Unknown Source)
> ...
> Caused by: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> ...
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> ...
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find valid certification path to requested target
> ...
> {noformat}
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
