Author: buildbot
Date: Mon Oct 23 17:57:38 2017
New Revision: 1019972

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/tls-configuration.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/tls-configuration.html
==============================================================================
--- websites/production/cxf/content/docs/tls-configuration.html (original)
+++ websites/production/cxf/content/docs/tls-configuration.html Mon Oct 23 
17:57:38 2017
@@ -33,7 +33,6 @@
 
 <script src='/resources/highlighter/scripts/shCore.js'></script>
 <script src='/resources/highlighter/scripts/shBrushXml.js'></script>
-<script src='/resources/highlighter/scripts/shBrushJava.js'></script>
 <script>
   SyntaxHighlighter.defaults['toolbar'] = false;
   SyntaxHighlighter.all();
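Review bot: with `shBrushJava.js` removed, only the XML brush is loaded, so any `<pre class="brush: java; ...">` left on the page will no longer be highlighted. The `<pre>` blocks touched in this diff all move to `brush: xml`, but the diff ends mid-sample, so check the generated page for a remaining `brush: java` before relying on this removal.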
@@ -118,11 +117,11 @@ Apache CXF -- TLS Configuration
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1508777353891 {padding: 0px;}
-div.rbtoc1508777353891 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1508777353891 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1508781419389 {padding: 0px;}
+div.rbtoc1508781419389 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1508781419389 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1508777353891">
+/*]]>*/</style></p><div class="toc-macro rbtoc1508781419389">
 <ul class="toc-indentation"><li><a shape="rect" 
href="#TLSConfiguration-TLSParameterscommontobothClientsandServers">TLS 
Parameters common to both Clients and Servers</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#TLSConfiguration-KeyManagers">Key Managers</a></li><li><a shape="rect" 
href="#TLSConfiguration-TrustManagers">Trust Managers</a></li><li><a 
shape="rect" href="#TLSConfiguration-CipherSuitesFilter">CipherSuites 
Filter</a></li><li><a shape="rect" 
href="#TLSConfiguration-CertConstraints">Cert Constraints</a></li></ul>
 </li><li><a shape="rect" href="#TLSConfiguration-ClientTLSParameters">Client 
TLS Parameters</a>
@@ -131,7 +130,7 @@ div.rbtoc1508777353891 li {margin-left:
 <ul class="toc-indentation"><li><a shape="rect" 
href="#TLSConfiguration-ClientAuthentication">Client 
Authentication</a></li></ul>
 </li></ul>
 </div><h1 id="TLSConfiguration-TLSParameterscommontobothClientsandServers">TLS 
Parameters common to both Clients and Servers</h1><p>The TLS Parameters common 
to both Clients and Servers are given <a shape="rect" class="external-link" 
href="https://svn.apache.org/repos/asf/cxf/trunk/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterBase.java";>here</a>:</p><div
 class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Attribute</p></th><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Default</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p><code>keyManagers</code></p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>JVM default Key 
Managers</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Key 
Managers to hold X509 certificates.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p><code>tru
 stManagers</code></p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>JVM default Trust Managers</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>TrustManagers to validate peer X509 
certificates.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><code>jsseProvider</code></p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>JVM default provider associated with 
protocol</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>JSSE 
provider name.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><code>cipherSuites</code></p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>JVM default cipher suites</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>CipherSuites that will be 
supported.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><code>cipherSuitesFilter</code></p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>&#160;</p></td><td colspan="1" rowspan="1" 
class="confluenceTd
 "><p>filters of the supported CipherSuites that will be supported and used if 
available.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><code>certConstraints</code></p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>&#160;</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Certificate Constraints 
specification.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><code>secureRandomParameters</code></p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>JVM default Secure 
Random</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>SecureRandom 
specification.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><code>secureSocketProtocol</code></p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>"TLS"</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Protocol Name. Most common example are 
"SSL", "TLS" or "TLSv1".</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><co
 de>certAlias</code></p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>&#160;</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Cert alias to use. Useful when keystore has multiple 
certs.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><code>enableRevocation</code> <strong>CXF 
3.1.11</strong></td><td colspan="1" rowspan="1" 
class="confluenceTd">"false"</td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>This attribute specifies whether to enable revocation 
when checking the client/server certificate.</p><p>To enable "ocsp" this should 
be set to "true" (along with the Java Security property 
"ocsp.enable").</p></td></tr></tbody></table></div><p>&#160;</p><p>Note that 
from CXF 3.0.3 and 2.7.14, the SSLv3 protocol is disabled on the client side, 
and on the service side (if Jetty is used), unless "SSLv3" is explicitly 
specified for the "secureSocketProtocol" parameter.</p><h2 
id="TLSConfiguration-KeyManagers">Key Managers</h2><p>The Key Managers c
 onfiguration item is used to retrieve key information. It is required for a 
Server, but is only required for a Client when the Server requires Client 
Authentication.</p><div class="code panel pdl" style="border-width: 1px;"><div 
class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Key 
Manager sample</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">    &lt;httpj:tlsServerParameters&gt;
+<pre class="brush: xml; gutter: false; theme: Default" 
style="font-size:12px;">    &lt;httpj:tlsServerParameters&gt;
         ...
         &lt;sec:keyManagers keyPassword="stskpass"&gt;
             &lt;sec:keyStore type="jks" password="stsspass" 
resource="stsstore.jks" /&gt;
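Review bot: in the common-parameters table, the `secureSocketProtocol` row still offers "SSL" and "TLSv1" as the common examples, while the note directly after the table says SSLv3 is disabled unless "SSLv3" is explicitly specified for that same parameter. Suggest rewording the row so it does not read as a recommendation of those values, and pointing it at that note. The Key Manager sample also carries `keyPassword="stskpass"` and `password="stsspass"` inline; a sentence marking them as sample values would help.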
@@ -140,7 +139,7 @@ div.rbtoc1508777353891 li {margin-left:
     &lt;/httpj:tlsServerParameters&gt;
 </pre>
 </div></div><h2 id="TLSConfiguration-TrustManagers">Trust Managers</h2><p>The 
Trust Managers configuration item is used to validate trust in peer X.509 
certificates. It is required for both Servers and Clients.</p><div class="code 
panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" 
style="border-bottom-width: 1px;"><b>Trust Manager sample</b></div><div 
class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">    &lt;httpj:tlsServerParameters&gt;
+<pre class="brush: xml; gutter: false; theme: Default" 
style="font-size:12px;">    &lt;httpj:tlsServerParameters&gt;
         ...
         &lt;sec:trustManagers&gt;
             &lt;sec:keyStore type="jks" password="stsspass" 
resource="stsstore.jks" /&gt;
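Review bot: the Trust Manager sample points `<sec:trustManagers>` at `resource="stsstore.jks"` with `password="stsspass"`, the same store and password the Key Manager sample uses under `<sec:keyManagers>`. Suggest a distinct truststore name in this sample, so readers do not conclude that the store holding the private key should double as the trust store.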
@@ -149,7 +148,7 @@ div.rbtoc1508777353891 li {margin-left:
     &lt;/httpj:tlsServerParameters&gt;
 </pre>
 </div></div><h2 id="TLSConfiguration-CipherSuitesFilter">CipherSuites 
Filter</h2><p>The CipherSuites Filter is used to either include or exclude 
particular CipherSuites. If no exclusion filter is specified, the default is to 
exclude all "NULL" and "anon" filters. CXF 3.0.3 onwards excludes all "DES" 
filters as well, and 3.0.4 onwards additionally excludes all "EXPORT" 
filters.</p><div class="code panel pdl" style="border-width: 1px;"><div 
class="codeHeader panelHeader pdl" style="border-bottom-width: 
1px;"><b>CipherSuites Filter sample</b></div><div class="codeContent 
panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">    &lt;httpj:tlsServerParameters&gt;
+<pre class="brush: xml; gutter: false; theme: Default" 
style="font-size:12px;">    &lt;httpj:tlsServerParameters&gt;
         ...
         &lt;sec:cipherSuitesFilter&gt;
             &lt;sec:include&gt;.*_EXPORT_.*&lt;/sec:include&gt;
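Review bot: the first filter line of the sample is `<sec:include>.*_EXPORT_.*</sec:include>`, which selects exactly the suites the paragraph above says are excluded by default from 3.0.4 onwards. Suggest an include pattern that does not match EXPORT suites, or a sentence stating that the pattern is illustrative only. The paragraph also speaks of excluding "NULL", "anon", "DES" and "EXPORT" "filters" where it means cipher suites.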
@@ -162,7 +161,7 @@ div.rbtoc1508777353891 li {margin-left:
     &lt;/httpj:tlsServerParameters&gt;
 </pre>
 </div></div><h2 id="TLSConfiguration-CertConstraints">Cert 
Constraints</h2><p>Cert constraints can be used by either the client or server 
to impose constraints on the peer certificates. This can be done by specifying 
a set of regular expressions on either the Subject DN (Distinguished Name) or 
the Issuer DN (or both) of the certificate. A "combinator" attribute can also 
be specified for either the SubjectDNConstraints or IssuerDNConstraints 
Elements. This attribute can be either "ANY" or "ALL", and refers to whether 
any or all of the defined regular expressions should apply. The default value 
is "ALL".</p><div class="code panel pdl" style="border-width: 1px;"><div 
class="codeHeader panelHeader pdl" style="border-bottom-width: 
1px;"><b>CipherSuites Filter sample</b></div><div class="codeContent 
panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">    &lt;httpj:tlsServerParameters&gt;
+<pre class="brush: xml; gutter: false; theme: Default" 
style="font-size:12px;">    &lt;httpj:tlsServerParameters&gt;
         ...
         &lt;sec:certConstraints&gt;
             &lt;sec:SubjectDNConstraints&gt;
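Review bot: the panel header over the `<sec:certConstraints>` sample reads "CipherSuites Filter sample", carried over from the previous section; it should read "Cert Constraints sample". The paragraph describes how the regular expressions combine ("ANY" or "ALL", default "ALL") but not what happens to a peer certificate that fails them, which is worth one sentence.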
@@ -177,13 +176,13 @@ div.rbtoc1508777353891 li {margin-left:
     &lt;/httpj:tlsServerParameters&gt;
 </pre>
 </div></div><h1 id="TLSConfiguration-ClientTLSParameters">Client TLS 
Parameters</h1><p>In addition to the TLS Parameters common to both Clients and 
Servers, there are some parameters that are <a shape="rect" 
class="external-link" 
href="https://svn.apache.org/repos/asf/cxf/trunk/core/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java";>specific</a>
 to Clients:</p><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Attribute</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Default</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p><code>disableCNCheck</code></p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p><code>false</code></p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Indicates whether that the 
hostname given in the HTTPS URL will be checked against the service's Common Nam
 e (CN) given in its certificate during requests, and failing if there is a 
mismatch. If set to <code>true</code> (<strong>not recommended for production 
use</strong>), such checks will be bypassed. That will allow you, for example, 
to use a URL such as <code>localhost</code> during 
development.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><code>sslSocketFactory</code></p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>&#160;</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>A SSLSocketFactory to use. All other bean properties 
are ignored if this is set.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><code>sslCacheTimeout</code></p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>86400 seconds (24 hours)</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>SSL Cache Timeout in 
seconds.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><code>useHttpsURLConnectionDefaultSslSocketFactory</
 code></p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p><code>false</code></p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>This attribute specifies if <a shape="rect" 
class="external-link" 
href="http://java.sun.com/javase/6/docs/api/javax/net/ssl/HttpsURLConnection.html#getDefaultSSLSocketFactory()"
 rel="nofollow">HttpsURLConnection.getDefaultSSLSocketFactory()</a> should be 
used to create https connections. If '<code>true</code>', 
'<code>jsseProvider</code>', '<code>secureSocketProtocol</code>', 
'<code>trustManagers</code>', '<code>keyManagers</code>', 
'<code>secureRandom</code>', '<code>cipherSuites</code>' and 
'<code>cipherSuitesFilter</code>' configuration parameters are 
ignored.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><code>useHttpsURLConnectionDefaultHostnameVerifier</code></p></td><td
 colspan="1" rowspan="1" class="confluenceTd"><p><code>false</code></p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>This attribute s
 pecifies if <a shape="rect" class="external-link" 
href="http://java.sun.com/javase/6/docs/api/javax/net/ssl/HttpsURLConnection.html#getDefaultHostnameVerifier()"
 rel="nofollow">HttpsURLConnection.getDefaultHostnameVerifier()</a> should be 
used to create https connections. If '<code>true</code>', 
'<code>disableCNCheck</code>' configuration parameter is 
ignored.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">hostnameVerifier</td><td colspan="1" rowspan="1" 
class="confluenceTd">&#160;</td><td colspan="1" rowspan="1" 
class="confluenceTd">A custom HostnameVerifier instance to 
use</td></tr></tbody></table></div><h2 
id="TLSConfiguration-DisableCNCheck">Disable CN 
Check</h2><p><code>disableCNCheck</code> is a parameterized boolean, you can 
use a fixed variable <code>true</code>|<code>false</code> as well as a <a 
shape="rect" class="external-link" 
href="http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/beans.html#beans-factory-placeholderconf
 igurer" rel="nofollow">Spring externalized property</a> variable (e.g. 
<code>${disable-https-hostname-verification</code>}) or a <a shape="rect" 
class="external-link" 
href="http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/expressions.html#expressions-beandef";
 rel="nofollow">Spring expression</a> (e.g. 
<code>#{systemProperties['dev-mode']</code>}).</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeHeader panelHeader pdl" 
style="border-bottom-width: 1px;"><b>HTTP conduit configuration disabling HTTP 
URL hostname verification (usage of localhost, etc)</b></div><div 
class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">   &lt;!-- deactivate HTTPS url hostname verification 
(localhost, etc)    --&gt;
+<pre class="brush: xml; gutter: false; theme: Default" 
style="font-size:12px;">   &lt;!-- deactivate HTTPS url hostname verification 
(localhost, etc)    --&gt;
    &lt;!-- WARNING ! disableCNcheck=true should NOT be used in production 
--&gt;
    &lt;http-conf:tlsClientParameters disableCNCheck="true" /&gt;
    ...
 </pre>
 </div></div><h1 id="TLSConfiguration-ServerTLSParameters">Server TLS 
Parameters</h1><p>In addition to the TLS Parameters common to both Clients and 
Servers, there are some parameters that are <a shape="rect" 
class="external-link" 
href="https://svn.apache.org/repos/asf/cxf/trunk/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java";>specific</a>
 to Servers:</p><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Attribute</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Default</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" 
rowspan="1" 
class="confluenceTd"><p><code>clientAuthentication</code></p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Not "wanted" or 
"required"</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Allows 
you to configure whether client authentication is "wanted" and/or 
"required.</p></td><
 /tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">excludeProtocols</td><td colspan="1" rowspan="1" 
class="confluenceTd">SSLv3 is disabled by default for Jetty from CXF 3.0.3 + 
2.7.14</td><td colspan="1" rowspan="1" class="confluenceTd">The TLS protocols 
to exclude.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">includeProtocols <strong>CXF 3.1.1/3.0.6</strong></td><td 
colspan="1" rowspan="1" class="confluenceTd">&#160;</td><td colspan="1" 
rowspan="1" class="confluenceTd">Allows you to add more protocols. For example, 
if you have a TLS protocol you could add support for "SSLv2Hello" here, for 
older clients.</td></tr></tbody></table></div><h2 
id="TLSConfiguration-ClientAuthentication">Client Authentication</h2><p>This 
allows you to define whether client authentication is wanted and/or 
required.</p><div class="code panel pdl" style="border-width: 1px;"><div 
class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Client 
Authentication sample</b></di
 v><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">    &lt;httpj:tlsServerParameters&gt;
+<pre class="brush: xml; gutter: false; theme: Default" 
style="font-size:12px;">    &lt;httpj:tlsServerParameters&gt;
         ...
         &lt;sec:clientAuthentication want="true" required="true" /&gt;
         ...
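Review bot: in the Disable CN Check paragraph both placeholder examples close `</code>` before the final brace (`${disable-https-hostname-verification</code>}` and `#{systemProperties['dev-mode']</code>}`), so the brace renders outside the code span; move it inside. In the client table the `useHttpsURLConnectionDefaultSslSocketFactory` row lists `secureRandom` among the ignored parameters while the common table names that attribute `secureRandomParameters`, and the `clientAuthentication` row has an unclosed quote in `"required.`. The `includeProtocols` description ("SSLv2Hello" for older clients) would also benefit from saying when adding that protocol is actually needed.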

