Coming back to the original topic. I believe SSL was never fully solved from what i read in the corresponding issue. Apparently, the fetching of the WSDL itself through https was not possible. Do you remember still some insights beyond what is written in the issue ?
> Am 16.01.2020 um 00:37 schrieb Karl Wright <daddy...@gmail.com>: > > > Let me think about that option. > > Karl > > >> On Wed, Jan 15, 2020 at 5:38 PM Jörn Franke <jornfra...@gmail.com> wrote: >> We could make it configurable, e.g. in properties.xml. Here people could set >> it to SSL, TLS, TLSv1.2 (to restrict it to TLS1.2 => some companies may want >> that!). Is this a viable option? That would be also future proof. We can >> leave it by default to SSL, but we should put in the example config files >> TLS by default (so new starters do not get even the idea to use an outdated >> protocol) AND put a comment with recommendation to use/enforce always newest >> protocols for security reasons. Of course, the choice is then with the >> people using the software. >> Could that be something sensible from your point of view? >> >>> On Wed, Jan 15, 2020 at 11:14 PM Karl Wright <daddy...@gmail.com> wrote: >>> It's rather immaterial what browsers do here. What's important is what >>> *existing servers* support, since that is what we're connecting with. >>> >>> I tend to agree that *most* people have probably upgraded to web servers >>> that support TLS. But we can't guarantee it, nor can we assume that people >>> have upgraded to the most modern version of TLS exclusively. In fact I >>> think we can assume they have *not*. When the SSL issues were discovered a >>> couple of years back, the standard recommendation was simply to *disable* >>> SSLv1 and SSLv2, not to upgrade to Java 11 or some such. We still support >>> (and have people using!!) early forms of NTLM (v1 to be specific), for >>> instance. We're not going to be able to wag the dog here. Breaking >>> changes of this kind usually mean we go to a whole new major version of MCF. >>> >>> However, if you can show that SSLContext.getSSLFactory("TLS") produces a >>> SSLSocketFactory that works with all versions of TLS and SSL that do not >>> have known security holes, I would support changing over to that. If it >>> turns out we need much more specificity about the kind of SSLSocketFactory >>> we produce, then we need a better solution anyhow for handling multiple >>> protocols in one socket factory. >>> >>> Karl >>> >>> >>>> On Wed, Jan 15, 2020 at 5:17 AM Jörn Franke <jornfra...@gmail.com> wrote: >>>> Hi Karl, >>>> >>>> No it does not. I can look into that further, but Current browsers stop >>>> supporting anything below TLSv1.2 in March 2020. >>>> Then TLS exists since more than ten years. I expect any server running >>>> nowadays will always have tls support. >>>> SSL itself is not supported since some time now. From a security >>>> perspective it should even break servers that run only SSL as they are >>>> inherently insecure and also clients that only support SSL are adding to >>>> this. >>>> However if you have an idea how this should be made configurable then I >>>> can look into this. >>>> >>>> Best regards >>>> >>>>>> Am 15.01.2020 um 10:52 schrieb Karl Wright <daddy...@gmail.com>: >>>>>> >>>>> >>>>> Hi, >>>>> >>>>> Mcf currently requires jdk8. Jdk11 is non trivial to support because of >>>>> the removal of many jdk classes connectors need. It will be ported at >>>>> some point but not lightly. >>>>> >>>>> Similarly, disabling SSL would certainly break many installations upon >>>>> upgrade and we do not do that lightly. >>>>> >>>>> The core methods that mcf supplies its connectors should therefore be >>>>> updated to support but not mandate tls. The protocol specification one >>>>> gives to sslcontext is not a detailed one but rather a major version. >>>>> What I don't know is whether"tlsv1" also allows for older protocols etc. >>>>> >>>>> Karl >>>>> >>>>>> On Wed, Jan 15, 2020, 1:19 AM Jörn Franke <jornfra...@gmail.com> wrote: >>>>>> Yes I am doing that but I will need to rebuild. >>>>>> I don’t recommend TLSv1 - this is already outphased and will lock out >>>>>> TLSv1.2. I try TLS only as it includes all TLS protocols (depends on >>>>>> JDK). >>>>>> >>>>>> SSL will not be supported by this (however as I said there are other >>>>>> parts of the code where there is a getInstance(TLS). And some caveats: >>>>>> On JDK6+7 TLS only means TLSv1 (and newer TLS Protocols are deactivated) >>>>>> on JDK8 it means also that newer TLS protocols are enabled. >>>>>> To be honest in my opinion - a SSL only one is a significant security >>>>>> hole and given how old TLS support is JDK i would be surprised if there >>>>>> is someone using such a server (most Organisations should switch to >>>>>> TLSv1.2 in any case as all protocols below have been broken). >>>>>> While it works for all JDKs - probably JDK8 should be recommended as it >>>>>> seems to have all TLS protocols activated when using „TLS“. Older JDKs >>>>>> seem to deactivate TLSv1.1 and TLSv1.2 when using TLS. I will write more >>>>>> about this in the JIRA, once I verified that this solves the problem. >>>>>> Then TLSv1.3 is JDK11 only - I will investigate what that implies. >>>>>> Does ManifoldCf supports JDK11? >>>>>> >>>>>>>> Am 15.01.2020 um 00:08 schrieb Karl Wright <daddy...@gmail.com>: >>>>>>>> >>>>>>> >>>>>>> I think you can just change the code to read as follows when it creates >>>>>>> the SSLContext: >>>>>>> >>>>>>> SSLContext ctx = SSLContext.getInstance("TLSv1"); >>>>>>> >>>>>>> I don't know if TLS will downgrade to SSL if that's all that's >>>>>>> available. >>>>>>> >>>>>>> Karl >>>>>>> >>>>>>> >>>>>>>> On Tue, Jan 14, 2020 at 6:02 PM Jörn Franke <jornfra...@gmail.com> >>>>>>>> wrote: >>>>>>>> Yes it you do not change this setting as what I suspect happens here. >>>>>>>> See my previous mail for details. >>>>>>>> >>>>>>>>>> Am 14.01.2020 um 23:51 schrieb Karl Wright <daddy...@gmail.com>: >>>>>>>>>> >>>>>>>>> >>>>>>>>> It looks looks TLS is actually enabled in the SSLSocketFactory >>>>>>>>> framework based on how you create the SSLSocketContext. See: >>>>>>>>> >>>>>>>>> https://docs.oracle.com/cd/E19698-01/816-7609/security-83/index.html >>>>>>>>> >>>>>>>>> Karl >>>>>>>>> >>>>>>>>> >>>>>>>>>> On Tue, Jan 14, 2020 at 5:48 PM Karl Wright <daddy...@gmail.com> >>>>>>>>>> wrote: >>>>>>>>>> The design of ManifoldCF deliberately manages keystores on a >>>>>>>>>> connection by connection basis, not globally. If you think the only >>>>>>>>>> way to implement TLS is via global keystore I very much doubt it. >>>>>>>>>> >>>>>>>>>> I am on the road until late tomorrow but somewhere along the line I >>>>>>>>>> can do some research into why TLS won't work as we are currently >>>>>>>>>> doing it. >>>>>>>>>> >>>>>>>>>> Karl >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>> On Tue, Jan 14, 2020 at 12:56 PM Jörn Franke <jornfra...@gmail.com> >>>>>>>>>>> wrote: >>>>>>>>>>> These are TLS only. So maybe you have other servers where tls and >>>>>>>>>>> ssl are possible and it downgrades to ssl.however, this is >>>>>>>>>>> speculation and I need to verify it. I have to rebuilt manifold for >>>>>>>>>>> that. Probably I have to reinstall everything as the >>>>>>>>>>> keystorefactory is a dependency in the connector. >>>>>>>>>>> >>>>>>>>>>>>> Am 14.01.2020 um 18:34 schrieb Karl Wright <daddy...@gmail.com>: >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> If you can recommend changes to support TLS, that would be great. >>>>>>>>>>>> The basic infrastructure should still work; it is just a custom >>>>>>>>>>>> keystone and associated SSLSocketFactory, which I think also is >>>>>>>>>>>> used for TLS connections, unless I am missing something. >>>>>>>>>>>> >>>>>>>>>>>>> On Tue, Jan 14, 2020, 9:38 AM Jörn Franke <jornfra...@gmail.com> >>>>>>>>>>>>> wrote: >>>>>>>>>>>>> Yes this works fine. I believe the error comes from the fact that >>>>>>>>>>>>> TLS connections are not supported. >>>>>>>>>>>>> >>>>>>>>>>>>>>> Am 14.01.2020 um 15:31 schrieb Michael Cizmar >>>>>>>>>>>>>>> <michael.ciz...@mcplusa.com>: >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> If you want to test the url and the ssl, I would recommend >>>>>>>>>>>>>> attempting using SSLPoke to confirm that they keystore is setup >>>>>>>>>>>>>> properly: >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> https://github.com/MichalHecko/SSLPoke >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Michael >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> From: Karl Wright <daddy...@gmail.com> >>>>>>>>>>>>>> Reply-To: "user@manifoldcf.apache.org" >>>>>>>>>>>>>> <user@manifoldcf.apache.org> >>>>>>>>>>>>>> Date: Tuesday, January 14, 2020 at 7:21 AM >>>>>>>>>>>>>> To: "user@manifoldcf.apache.org" <user@manifoldcf.apache.org> >>>>>>>>>>>>>> Subject: Re: CSWS Connector : ServiceConstructionException: >>>>>>>>>>>>>> Failed to create service >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Hmm, others have succeeded setting up SSL connections with the >>>>>>>>>>>>>> current code. Hoping they chime in here. >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Karl >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> On Tue, Jan 14, 2020, 8:19 AM Jörn Franke <jornfra...@gmail.com> >>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>> It seems that it has indeed a certificate issue as it cannot >>>>>>>>>>>>>> find a valid certification path to the target. The thing is: I >>>>>>>>>>>>>> added those certificates in the UI should it should not happen. >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Am 10.01.2020 um 20:51 schrieb Jörn Franke >>>>>>>>>>>>>> <jornfra...@gmail.com>: >>>>>>>>>>>>>> >>>>>>>>>>>>>> 2.15 ... >>>>>>>>>>>>>> >>>>>>>>>>>>>> I will try on the weekend to see if I can get some logs out of >>>>>>>>>>>>>> it. >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Am 10.01.2020 um 19:02 schrieb Karl Wright <daddy...@gmail.com>: >>>>>>>>>>>>>> >>>>>>>>>>>>>> Can I ask what version of MCF you are using? There were issues >>>>>>>>>>>>>> with SSL in the first release of the csws connector if I recall >>>>>>>>>>>>>> correctly, that were fixed for the second release. >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Karl >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> On Fri, Jan 10, 2020 at 11:42 AM Jörn Franke >>>>>>>>>>>>>> <jornfra...@gmail.com> wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>> I added root, intermediate and server certificate (in base64 >>>>>>>>>>>>>> cer, it seems to be recognized by manifoldcf), but I still get >>>>>>>>>>>>>> the same message. I will try to get somehow the full stacktrace >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Am 10.01.2020 um 17:21 schrieb Karl Wright <daddy...@gmail.com>: >>>>>>>>>>>>>> >>>>>>>>>>>>>> If you are using SSL you need to have the proper certificate >>>>>>>>>>>>>> saved in the connection's keystore. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Karl >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> On Fri, Jan 10, 2020 at 11:20 AM Jörn Franke >>>>>>>>>>>>>> <jornfra...@gmail.com> wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>> It is actually a server using configuration of the command - >>>>>>>>>>>>>> driven multi-process model (but the agents executed as a service >>>>>>>>>>>>>> and the war on a tomcat executed as a service) under Linux. >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> I thought as well that it cannot reach the webservices, the >>>>>>>>>>>>>> question is why. On the same server I can reach the webservices >>>>>>>>>>>>>> and fetch the WSDL without issues. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Maybe sth related to ssl ? >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Am 10.01.2020 um 14:59 schrieb Karl Wright <daddy...@gmail.com>: >>>>>>>>>>>>>> >>>>>>>>>>>>>> How are you running manifoldcf? Single process example, or a >>>>>>>>>>>>>> custom setup of some kind? >>>>>>>>>>>>>> >>>>>>>>>>>>>> This exception is a "catch all" exception generated far below >>>>>>>>>>>>>> anything in ManifoldCF, but usually means it cannot download the >>>>>>>>>>>>>> WSDLs from the service. Getting the full exception dumped in >>>>>>>>>>>>>> the log requires a "hack" to the check() method of the >>>>>>>>>>>>>> connector, but I'm pretty sure that's what's happening anyway. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Karl >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> On Fri, Jan 10, 2020 at 8:50 AM Jörn Franke >>>>>>>>>>>>>> <jornfra...@gmail.com> wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>> >>>>>>>>>>>>>> I tried to use the CSWS connector, but already for the Authority >>>>>>>>>>>>>> connection I receive a >>>>>>>>>>>>>> org.apache.cxf.service.factory.ServiceConstructionException: >>>>>>>>>>>>>> Failed to create service. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Unfortunately I don’t see more details , also not in the log >>>>>>>>>>>>>> (debug is activated). I try to get a little bit more output by >>>>>>>>>>>>>> modifying the connector, but maybe someone has already an idea >>>>>>>>>>>>>> why this can happen? >>>>>>>>>>>>>> >>>>>>>>>>>>>> Are there some special instructions to use it? The pointers to >>>>>>>>>>>>>> the webservices are correct, I tested via Curl and SOAPUI. >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Thank you. >>>>>>>>>>>>>> Best regards