Re: CRL support
Thanks a lot, I will check it out.

On Thursday 29 of November 2007 15:24:57 Fred Dushin wrote:

See the http-conf:trustDecider in

https://svn.apache.org/repos/asf/incubator/cxf/trunk/rt/transports/http/src/main/resources/schemas/configuration/http-conf.xsd

You'll need to implement your own org.apache.cxf.transport.http.MessageTrustDecider, but this will get called when a connection is established. Unfortunately, because of the design of the Sun JSSE, this is not a hook into the handshake, but your trust decider should be called before any application data is sent down the pipe.

That's the idea, at any rate.

-Fred

On Nov 28, 2007, at 4:26 PM, Bc. Jiří Mikulášek wrote:

Thanks. Because I really need CRL support, is there any way to handle it on my own - maybe use some interceptor, which will handle it before each connection? If there is such a possibility, please can somebody give me a few basic hints, where to start, what to care about and so on...?

On Wednesday 28 November 2007 21:32 Fred Dushin wrote:

CXF does not have support for CRLs.

On Nov 28, 2007, at 6:18 AM, Bc. Jiří Mikulášek wrote:

Hi all,

can somebody give me a hint how to configure or program CRL (certificate revocation list) checking before each SSL handshake?

In detail: I have this configuration on the client:

    <http-conf:conduit name="{http:///}portName.http-conduit">
      <http-conf:client AllowChunking="false" />
      <http-conf:tlsClientParameters secureSocketProtocol="SSL">
        <sec:trustManagers>
          <sec:keyStore type="JKS" password="password" url="someurl"/>
        </sec:trustManagers>
        <sec:keyManagers keyPassword="password">
          <sec:keyStore type="JKS" password="password" url="someurl"/>
        </sec:keyManagers>
      </http-conf:tlsClientParameters>
    </http-conf:conduit>

which causes SSL communication, but before each connection I would like to check all certificates in keystores for revocation according to some CRL on the filesystem.

Thanks for any advice.

--
Jiri Mikulasek - Developer
AURA, s.r.o.
Uvoz 499/56; 602 00 Brno
ISO 9001 certified company
AQAP 2110 (ČOS 051622)
tel./fax: +420 544 508 115
e-mail: [EMAIL PROTECTED]
http://www.aura.cz

--
Jiri Mikulasek - Developer
AURA, s.r.o.
Uvoz 499/56; 602 00 Brno
ISO 9001 certified company
AQAP 2110 (ČOS 051622)
tel./fax: +420 544 508 115
e-mail: [EMAIL PROTECTED]
http://www.aura.cz
Re: CRL support
See the http-conf:trustDecider in

https://svn.apache.org/repos/asf/incubator/cxf/trunk/rt/transports/http/src/main/resources/schemas/configuration/http-conf.xsd

You'll need to implement your own org.apache.cxf.transport.http.MessageTrustDecider, but this will get called when a connection is established. Unfortunately, because of the design of the Sun JSSE, this is not a hook into the handshake, but your trust decider should be called before any application data is sent down the pipe.

That's the idea, at any rate.

-Fred

On Nov 28, 2007, at 4:26 PM, Bc. Jiří Mikulášek wrote:

Thanks. Because I really need CRL support, is there any way to handle it on my own - maybe use some interceptor, which will handle it before each connection? If there is such a possibility, please can somebody give me a few basic hints, where to start, what to care about and so on...?

On Wednesday 28 November 2007 21:32 Fred Dushin wrote:

CXF does not have support for CRLs.

On Nov 28, 2007, at 6:18 AM, Bc. Jiří Mikulášek wrote:

Hi all,

can somebody give me a hint how to configure or program CRL (certificate revocation list) checking before each SSL handshake?

In detail: I have this configuration on the client:

    <http-conf:conduit name="{http:///}portName.http-conduit">
      <http-conf:client AllowChunking="false" />
      <http-conf:tlsClientParameters secureSocketProtocol="SSL">
        <sec:trustManagers>
          <sec:keyStore type="JKS" password="password" url="someurl"/>
        </sec:trustManagers>
        <sec:keyManagers keyPassword="password">
          <sec:keyStore type="JKS" password="password" url="someurl"/>
        </sec:keyManagers>
      </http-conf:tlsClientParameters>
    </http-conf:conduit>

which causes SSL communication, but before each connection I would like to check all certificates in keystores for revocation according to some CRL on the filesystem.

Thanks for any advice.

--
Jiri Mikulasek - Developer
AURA, s.r.o.
Uvoz 499/56; 602 00 Brno
ISO 9001 certified company
AQAP 2110 (ČOS 051622)
tel./fax: +420 544 508 115
e-mail: [EMAIL PROTECTED]
http://www.aura.cz
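An added example, not part of the original thread and not CXF code: the revocation check that a custom MessageTrustDecider could run on the server's certificate chain, using only the JDK's PKIX validator and a CRL read from the filesystem. The class name, file names and command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

public class CrlChainChecker {               // hypothetical helper class
    private final KeyStore trustStore;       // CA certificates the client trusts
    private final String crlFile;            // PEM or DER file holding one or more CRLs

    public CrlChainChecker(KeyStore trustStore, String crlFile) {
        this.trustStore = trustStore;
        this.crlFile = crlFile;
    }

    /** Throws CertPathValidatorException if the chain is untrusted, revoked, or has no usable CRL. */
    public void check(Collection<? extends Certificate> peerChain) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends CRL> crls;
        // Re-read the file on every call so an updated CRL applies to the next connection.
        try (InputStream in = new FileInputStream(crlFile)) {
            crls = cf.generateCRLs(in);
        }
        // A PKIX path must not contain the trust anchor, so drop certificates that are
        // already trust store entries. Such entries are not revocation-checked here.
        List<Certificate> path = new ArrayList<>();
        for (Certificate c : peerChain) {    // expected order: leaf certificate first
            if (trustStore.getCertificateAlias(c) == null) path.add(c);
        }
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(true);   // unknown revocation status is a validation error
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(path), params);
    }

    // Usage (file names are placeholders): java CrlChainChecker truststore.jks storepass ca.crl chain.pem
    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) { ts.load(in, args[1].toCharArray()); }
        Collection<? extends Certificate> chain;
        try (InputStream in = new FileInputStream(args[3])) {
            chain = CertificateFactory.getInstance("X.509").generateCertificates(in);
        }
        try {
            new CrlChainChecker(ts, args[2]).check(chain);
            System.out.println("accepted: chain validates and no certificate is revoked");
        } catch (CertPathValidatorException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The PKIX validator also verifies each CRL's signature against its issuer and rejects a CRL whose nextUpdate has passed, so a stale or tampered file causes rejection rather than silent acceptance.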
Re: CRL support
CXF does not have support for CRLs.

On Nov 28, 2007, at 6:18 AM, Bc. Jiří Mikulášek wrote:

Hi all,

can somebody give me a hint how to configure or program CRL (certificate revocation list) checking before each SSL handshake?

In detail: I have this configuration on the client:

    <http-conf:conduit name="{http:///}portName.http-conduit">
      <http-conf:client AllowChunking="false" />
      <http-conf:tlsClientParameters secureSocketProtocol="SSL">
        <sec:trustManagers>
          <sec:keyStore type="JKS" password="password" url="someurl"/>
        </sec:trustManagers>
        <sec:keyManagers keyPassword="password">
          <sec:keyStore type="JKS" password="password" url="someurl"/>
        </sec:keyManagers>
      </http-conf:tlsClientParameters>
    </http-conf:conduit>

which causes SSL communication, but before each connection I would like to check all certificates in keystores for revocation according to some CRL on the filesystem.

Thanks for any advice.

--
Jiri Mikulasek - Developer
AURA, s.r.o.
Uvoz 499/56; 602 00 Brno
ISO 9001 certified company
AQAP 2110 (ČOS 051622)
tel./fax: +420 544 508 115
e-mail: [EMAIL PROTECTED]
http://www.aura.cz