On Tuesday 17 August 2010 9:59:54 am Glen Mazza wrote:
> Hello, I'd like to confirm something:
>
> The CXF documentation shows where cipher suite filters can be defined on
> the client-side:
> http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html
>
> However, for service-side, you apparently need to configure the underlying
> servlet container and not the web service itself, for example here with
> Jetty:
> https://cwiki.apache.org/confluence/display/CXF20DOC/Standalone+HTTP+Transport
> http://fusesource.com/docs/framework/2.2/security/i343422.html
>
> And Tomcat has a "ciphers" element that will apparently do the same thing:
> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html.
>
> So there is no web-service level configuration of cipher suite filters, but
> just that of the servlet container (or Endpoint implementation) hosting the
> web service, correct?
That's correct. For the most part, the ciphers and such are part of the socket level negotiation of SSL/TLS. Thus, it occurs long before CXF really has any say in anything. That's why it needs to be configured on the container or jetty directly.

--
Daniel Kulp
[email protected]
http://dankulp.com/blog
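The point made in the reply above, as an added example that is not part of the thread and is not CXF, Jetty or Tomcat code: a plain JSSE sketch of how a cipher suite filter is applied to the listening socket, before any HTTP request reaches a web service. The class name, the `filter` helper and the include/exclude patterns are assumptions made up for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class ContainerCipherFilter {

    // Keep a suite only if it matches some include pattern and no exclude pattern.
    static String[] filter(String[] supported, List<Pattern> include, List<Pattern> exclude) {
        List<String> kept = new ArrayList<>();
        for (String suite : supported) {
            boolean in = include.stream().anyMatch(p -> p.matcher(suite).matches());
            boolean out = exclude.stream().anyMatch(p -> p.matcher(suite).matches());
            if (in && !out) {
                kept.add(suite);
            }
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Constructed policy: AES suites only, nothing null, anonymous, export, DES, RC4 or MD5.
        List<Pattern> include = List.of(Pattern.compile(".*_AES_.*"));
        List<Pattern> exclude = List.of(
                Pattern.compile(".*_(NULL|anon|EXPORT\\d*|DES|RC4)_.*"),
                Pattern.compile(".*_MD5"));

        // The listening socket belongs to the container, so the policy is applied here.
        SSLServerSocketFactory factory = SSLContext.getDefault().getServerSocketFactory();
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(0)) {
            String[] allowed = filter(server.getSupportedCipherSuites(), include, exclude);
            if (allowed.length == 0) {
                // Fail closed instead of silently falling back to the JVM defaults.
                throw new IllegalStateException("cipher policy leaves no suite enabled");
            }
            // Every handshake accepted on this socket negotiates from this list only.
            // The suite is fixed during the handshake, before the first request byte is read.
            server.setEnabledCipherSuites(allowed);
            for (String suite : server.getEnabledCipherSuites()) {
                System.out.println(suite);
            }
        }
    }
}
```

Running it prints the suites the socket would offer under this policy on the local JVM, which is a quick way to check what a container-level filter actually leaves enabled.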
