On Monday 27 April 2009, Benjamin Ernst wrote:
>  Hi,
> 
> I am having problems with the Client-Configuration for HTTPS. My
> configuration looks like this:
> 
> <http:conduit name="*.http-conduit">
>     <http:tlsClientParameters disableCNCheck="true">
>       <sec:trustManagers>
>           <sec:keyStore type="JKS" password="password"
>                file="conf/truststore.jks"/>
>       </sec:trustManagers>
>       <sec:keyManagers keyPassword="password">
>            <sec:keyStore type="JKS" password="password"
>                 file="conf/localhost.jks"/>
>       </sec:keyManagers>
>       <sec:cipherSuitesFilter>
>         <!-- these filters ensure that a ciphersuite with
>           export-suitable or null encryption is used,
>           but exclude anonymous Diffie-Hellman key change as
>           this is vulnerable to man-in-the-middle attacks -->
>         <sec:include>.*_EXPORT_.*</sec:include>
>         <sec:include>.*_EXPORT1024_.*</sec:include>
>         <sec:include>.*_WITH_DES_.*</sec:include>
>         <sec:include>.*_WITH_NULL_.*</sec:include>
>         <sec:exclude>.*_DH_anon_.*</sec:exclude>
>       </sec:cipherSuitesFilter>
>     </http:tlsClientParameters>
>    </http:conduit>

You have to make sure you are using Spring, otherwise the configuration is not 
picked up.

Alternatively you can configure your client through code like the fragment 
below (more or less).

There is also a nice example in the CXF tests or examples (can't remember which). Just 
search for SSL or TLS. It is more or less along these lines...

        // Imports needed for this fragment:
        //   org.apache.cxf.configuration.jsse.TLSClientParameters
        //   org.apache.cxf.configuration.security.FiltersType
        //   org.apache.cxf.transport.http.HTTPConduit
        //   javax.net.ssl.*, java.security.*, java.io.*
        // Assumes `protocol`, `client` (org.apache.cxf.endpoint.Client) and `log`
        // are already in scope.
        if (protocol.equalsIgnoreCase("https")) {
            log.debug("Customizing https://");
            HTTPConduit http = (HTTPConduit) client.getConduit();
            TLSClientParameters params = new TLSClientParameters();
            // "SSLv3" as posted; current JSSE builds should use "TLS" instead.
            params.setSecureSocketProtocol("SSLv3");
            try {
                params.setTrustManagers(getTrustManagers());
            } catch (Exception e) {
                log.error(e, e);
            }

            // Accept every suite the JSSE offers except anonymous Diffie-Hellman,
            // which has no server authentication.
            FiltersType filters = new FiltersType();
            filters.getInclude().add(".*");
            filters.getExclude().add(".*_DH_anon_.*");
            params.setCipherSuitesFilter(filters);

            http.setTlsClientParameters(params);
        }


    protected static TrustManager[] getTrustManagers() throws IOException,
            GeneralSecurityException {
        // First, get the default TrustManagerFactory.
        String alg = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory tmFact = TrustManagerFactory.getInstance(alg);

        // Next, set up the TrustStore to use. We need to load the file into
        // a KeyStore instance. `Resource` is the poster's own helper for
        // opening a classpath resource as a stream.
        InputStream fis = Resource.getInputStream("keystore.jks");
        KeyStore ks = KeyStore.getInstance("jks");
        try {
            // A null password skips the keystore integrity check; pass the
            // real store password if you want it verified.
            ks.load(fis, null);
        } finally {
            fis.close();
        }

        // Now we initialize the TrustManagerFactory with this KeyStore
        tmFact.init(ks);

        // And now get the TrustManagers
        TrustManager[] tms = tmFact.getTrustManagers();
        return tms;
    }
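As an added example (not code from the thread, nor CXF's own), here is the programmatic form of the quoted conduit configuration with the filter turned around so the export, DES, NULL and anonymous suites are excluded rather than included, the key managers set up as in the XML, and hostname checking left on. `port` is assumed to be a JAX-WS proxy from the generated service class; the store paths and password are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.configuration.security.FiltersType;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public class HardenedHttpsClient {

    // Load a JKS store; a real password makes load() verify the store's integrity hash (null skips it).
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Code equivalent of the quoted <http:conduit>; `port` is a JAX-WS proxy, paths/password are assumed.
    public static void configure(Object port, String trustStorePath,
                                 String keyStorePath, char[] password) throws Exception {
        Client client = ClientProxy.getClient(port);
        HTTPConduit http = (HTTPConduit) client.getConduit();
        TLSClientParameters params = new TLSClientParameters();
        params.setSecureSocketProtocol("TLS");            // negotiate TLS, not SSLv3

        // trustManagers: which server certificates we accept (sec:trustManagers in the XML)
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(trustStorePath, password));
        params.setTrustManagers(tmf.getTrustManagers());

        // keyManagers: our client certificate (sec:keyManagers in the XML)
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(keyStorePath, password), password);
        params.setKeyManagers(kmf.getKeyManagers());

        // Include everything the JSSE offers, then exclude the weak families the quoted
        // filter pulled in (export, DES, NULL) plus anonymous Diffie-Hellman.
        FiltersType filters = new FiltersType();
        filters.getInclude().add(".*");
        filters.getExclude().add(".*_EXPORT.*");
        filters.getExclude().add(".*_WITH_DES_.*");
        filters.getExclude().add(".*_WITH_NULL_.*");
        filters.getExclude().add(".*_anon_.*");
        params.setCipherSuitesFilter(filters);

        params.setDisableCNCheck(false);   // keep hostname verification on
        http.setTlsClientParameters(params);
    }
}
```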

