[
https://issues.apache.org/jira/browse/CXF-6294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14365023#comment-14365023
]
SL commented on CXF-6294:
-------------------------
{code:java}
HTTPConduit conduit = (HTTPConduit) client.getConduit();
(...)
// Client-side TLS settings; they apply to this conduit only.
TLSClientParameters tls = new TLSClientParameters();
// Trust store loaded from configuration: decides which server certificates are accepted.
tls.setTrustManagers(configuration.getTmf().getTrustManagers());
// When true, hostname verification of the server certificate is skipped and only
// chain validation remains. Keep this false outside test environments.
tls.setDisableCNCheck(configuration.getDisableTLSHostCheck());
// Key store loaded from configuration: supplies the client certificate/key for mutual TLS.
tls.setKeyManagers(configuration.getKmf().getKeyManagers());
// NOTE(review): setSecureSocketProtocol() takes a single protocol name; if
// getTLSProtocols() can return a comma-separated list, confirm CXF accepts it.
tls.setSecureSocketProtocol(configuration.getTLSProtocols());
// Suite names must be supported by the JSSE provider and by the protocol that is
// enabled at the moment they are applied (see the enableCipherSuites() ordering
// issue quoted below); otherwise "Unsupported ciphersuite" is thrown.
tls.setCipherSuites(configuration.getTLSCipherSuites());
(...)
conduit.setTlsClientParameters(tls);
{code}
{code:java}
// TLS parameters with defaults
// NOTE(review): consumed via setSecureSocketProtocol(), which takes one protocol
// name; despite the plural field name this holds a single value.
private String TLSprotocols = "TLSv1.2";
// Comma-separated cipher-suite names, split by getTLSCipherSuites().
// Every entry below is a CBC/SHA-1 suite that is also valid under TLSv1.0/1.1,
// which is why this list works even when the suites are applied before TLSv1.2
// has been enabled on the socket (see the enableCipherSuites() ordering below).
// NOTE(review): the TLS_RSA_* and TLS_ECDH_* entries use static key exchange
// (no forward secrecy); the ECDHE/DHE entries are the ones worth keeping.
private String TLSCipherSuites =
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"+","
+"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"+","
+"TLS_RSA_WITH_AES_256_CBC_SHA"+","
+"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"+","
+"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA"+","
+"TLS_DHE_RSA_WITH_AES_256_CBC_SHA"+","
+"TLS_DHE_DSS_WITH_AES_256_CBC_SHA"+","
+"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"+","
+"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"+","
+"TLS_RSA_WITH_AES_128_CBC_SHA"+","
+"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"+","
+"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"+","
+"TLS_DHE_RSA_WITH_AES_128_CBC_SHA"+","
+"TLS_DHE_DSS_WITH_AES_128_CBC_SHA";
/*
NOTE: this variant is missing the "," separator after the first suite, so the
first two names are concatenated into one unsupported suite name.
private String TLSCipherSuites =
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
+"TLS_DHE_DSS_WITH_AES_256_CBC_SHA"+","
+"TLS_DHE_RSA_WITH_AES_128_CBC_SHA"+","
+"TLS_DHE_RSA_WITH_AES_256_CBC_SHA"+","
+"TLS_RSA_WITH_AES_128_CBC_SHA"+","
+"TLS_RSA_WITH_AES_256_CBC_SHA";
*/
/*
private String TLSCipherSuites =
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA"+","
+"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"+","
+"TLS_DHE_DSS_WITH_AES_256_CBC_SHA"+","
+"TLS_DHE_DSS_WITH_AES_256_CBC_SHA256"+","
+"TLS_DHE_RSA_WITH_AES_128_CBC_SHA"+","
+"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"+","
+"TLS_DHE_RSA_WITH_AES_256_CBC_SHA"+","
+"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"+","
+"TLS_RSA_WITH_AES_128_CBC_SHA"+","
+"TLS_RSA_WITH_AES_128_CBC_SHA256"+","
+"TLS_RSA_WITH_AES_256_CBC_SHA"+","
+"TLS_RSA_WITH_AES_256_CBC_SHA256"+","
+"TLS_RSA_WITH_AES_256_CBC_SHA256"+","
+"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256"+","
+"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384"+","
+"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256"+","
+"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384"+","
+"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"+","
+"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"+","
+"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"+","
+"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384";
*/
(...)
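/**
 * Returns the configured TLS cipher-suite names as a list.
 *
 * Entries are split on ",", trimmed, and blank entries are dropped, so stray
 * whitespace or a trailing separator cannot produce an empty or padded suite
 * name, which the JSSE provider would reject as unsupported. A null or blank
 * configuration yields an empty list instead of a single-element list
 * containing ""; callers should treat an empty list as "not configured".
 *
 * @return a new, mutable list of suite names; never {@code null}
 */
public List<String> getTLSCipherSuites() {
    List<String> suites = new java.util.ArrayList<String>();
    if (this.TLSCipherSuites != null) {
        for (String entry : this.TLSCipherSuites.split(",")) {
            String name = entry.trim();
            // "".split(",") yields [""] and "a,,b" yields an empty slot; skip both.
            if (!name.isEmpty()) {
                suites.add(name);
            }
        }
    }
    return suites;
}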
{code}
The uncommented cipher-suite list works (these suites are also supported under TLSv1.0).
> Cannot activate TLSv1.2 cipher suites on client on Java7
> --------------------------------------------------------
>
> Key: CXF-6294
> URL: https://issues.apache.org/jira/browse/CXF-6294
> Project: CXF
> Issue Type: Bug
> Components: Transports
> Affects Versions: 2.7.13, 2.7.14, 2.7.15
> Environment: JRE 1.7.0_76, CXF 2.7.13-2.7.15 (previous versions not
> checked)
> Reporter: SL
> Assignee: Colm O hEigeartaigh
>
> The Java 7 JRE behaves differently for client and server SSL sockets (see the
> JSSE reference guide):
> on a server socket TLSv1.1 and TLSv1.2 are enabled by default, whereas on a client
> socket both are disabled by default (but can be enabled with
> setEnabledProtocols()).
> This default was changed in Java 8.
> The problem with cxf lies in cxf-rt-transports-http.jar in
> org.apache.cxf.transport.http.SSLSocketFactoryWrapper.enableCipherSuites(...)
> :
> {code:java}
> private Socket enableCipherSuites(Socket s, Object[] logParams) {
> SSLSocket socket = (SSLSocket)s;
>
> if ((socket != null) && (ciphers != null)) {
> socket.setEnabledCipherSuites(ciphers);
> }
> if ((socket != null) && (protocol != null)) {
> String p[] = findProtocols(protocol,
> socket.getSupportedProtocols());
> if (p != null) {
> socket.setEnabledProtocols(p);
> }
> }
> if (socket == null) {
> LogUtils.log(LOG, Level.SEVERE,
> "PROBLEM_CREATING_OUTBOUND_REQUEST_SOCKET",
> logParams);
> }
> return socket;
> }
> {code}
> This code does not allow TLSv1.2-only cipher suites to be enabled on the
> client.
> It produces:
> {noformat}
> Caused by: java.lang.IllegalArgumentException: Unsupported ciphersuite
> at sun.security.ssl.CipherSuite.valueOf(Unknown Source) ~[na:1.7.0_76]
> at sun.security.ssl.CipherSuiteList.<init>(Unknown Source)
> ~[na:1.7.0_76]
> at sun.security.ssl.SSLSocketImpl.setEnabledCipherSuites(Unknown
> Source) ~[na:1.7.0_76]
> at
> org.apache.cxf.transport.https.SSLSocketFactoryWrapper.enableCipherSuites(SSLSocketFactoryWrapper.java:101)
> {noformat}
> because when setEnabledCipherSuites() is called, TLSv1.2 is not (yet) enabled.
> IMHO setEnabledProtocols() should be called first.