Hi

One thing which is possible to do with CXF is to have multiple HTTPConduit configurations provided: one conduit can use SSL configuration relying on a self-signed cert, the other one a configuration with a proper certificate. Each conduit bean can have a name attribute specifying a URI pattern (regex), ex:

<http:conduit name="https://localhost:.*/production/customerservice/.*"> ... </http:conduit>
<http:conduit name="https://localhost:.*/test/customerservice/.*"> ... </http:conduit>

At runtime, the conduit matching request URIs used by the client code will be activated.

What I don't know is how to configure an individual HTTPConduit to trust self-signed certificates. I've talked to Colm and explained that all or most of CXF tests have server certs signed, but we also do generate the certs which are used to sign the server certs and keep them in the trust store, and then we have Conduit configuration pointing to relevant key and trust stores, as in this file for ex:

http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ClientConfig.xml

It appears it is currently not possible to explicitly configure HTTPConduit with a custom SSLSocketFactory, but at least it is possible to tell it to use the default SSLSocketFactory, which might've been set up using HttpsURLConnection.setDefaultSSLSocketFactory(SSLSocketFactory).

I've found this info here: http://www.frightanic.com/tag/ssl/

If anyone has more info then share it with us please.

Cheers, Sergey

On Mon, May 9, 2011 at 2:52 AM, Willem Jiang <[email protected]> wrote:
> Hi,
>
> Current CXF is using Sun's http connection instead of httpclient to start the http connection. I'm afraid you can't resolve the issue just by doing some configuration on http conduit.
>
> Willem
>
> On 5/7/11 7:06 AM, KARR, DAVID (ATTSI) wrote:
>>
>> I'm still looking for a response for this. Although I'm not currently using CXF as my Soap/REST client, I'd like to know how I would configure it for this situation.
>>
>> My situation is that I don't want to turn off hostname verification, but I need to alter the process. With my current code that uses HttpClient, I was able to implement something based on "jsslutils" (http://code.google.com/p/jsslutils/) that takes an alternate list of context names to compare against if the default list doesn't match (which I know I won't).
>>
>> I've looked through the information I can find about "http:conduit" and its sub-elements, and I don't see an obvious way to do this.
>>
>>> -----Original Message-----
>>> From: KARR, DAVID (ATTSI)
>>> Sent: Monday, May 02, 2011 11:44 AM
>>> To: [email protected]
>>> Subject: Can CXF's "http:conduit" be configured to deal with self-signed certs or a custom verification?
>>>
>>> I don't specifically need this from CXF, but I've recently had to deal with these issues using raw HttpClient, and I wondered what I'd have to do to configure CXF to deal with these issues.
>>>
>>> Specifically, I have a project that can connect through SSL to either a test server or a production server. On the test server, it uses a self-signed certificate. I had to configure my HttpClient-using code to use the "EasySSLProtocolSocketFactory", a common solution for this.
>>>
>>> On the production server, we ended up having to connect to the server "under" the main server, because of network architecture issues, but that meant that the SSL cert we were getting had a context name that didn't match the server we were getting it from. We didn't want to turn off hostname verification, so I implemented a different socket factory for that scenario that can be provided with an "alternate context name" (we provide the name of the original host we were connecting to).
>>>
>>> This all works with HttpClient. If I had to, how would I implement these features with http:conduit?
>>
>
>
> --
> Willem
> ----------------------------------
> FuseSource
> Web: http://www.fusesource.com
> Blog: http://willemjiang.blogspot.com (English)
>       http://jnn.javaeye.com (Chinese)
> Twitter: willemjiang
>
> Connect at CamelOne May 24-26
> The Open Source Integration Conference
> http://camelone.com
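Added example (not from this thread and not CXF's own code): a Java helper that sets the JVM-default SSLSocketFactory Sergey mentions from a truststore holding only the test server's self-signed certificate, and a HostnameVerifier for David's "alternate context name" case that keeps verification on by requiring the peer certificate to name the one host that was actually intended. The class name, the truststore path and the alternate host name are placeholders; a main() is omitted, so call installTrustStore(...) and HttpsURLConnection.setDefaultHostnameVerifier(alternateNameVerifier(...)) once at client start-up.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper: installs the JVM-wide HTTPS defaults that a conduit told to use them picks up.
public final class DefaultSslSetup {
    /** Trust exactly the certificates in the given truststore (e.g. the test server's self-signed cert). */
    public static void installTrustStore(String trustStorePath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore); // chain validation stays on; nothing outside this store is trusted
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }
    /** Consulted only after the built-in hostname check fails: accept the cert only if it names
     *  the one alternate host we intended to reach (dNSName SAN), never unconditionally. */
    public static HostnameVerifier alternateNameVerifier(final String alternateName) {
        return new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                try {
                    return certHasDnsName((X509Certificate) session.getPeerCertificates()[0], alternateName);
                } catch (Exception e) { // unverified peer or unparsable SAN extension: reject
                    return false;
                }
            }
        };
    }

    static boolean certHasDnsName(X509Certificate cert, String expected) throws CertificateParsingException {
        if (cert.getSubjectAlternativeNames() == null) return false;
        for (List<?> san : cert.getSubjectAlternativeNames()) { // each entry is [type, value]
            if (Integer.valueOf(2).equals(san.get(0)) && expected.equalsIgnoreCase((String) san.get(1))) {
                return true; // GeneralName type 2 = dNSName
            }
        }
        return false;
    }
}
```

Both defaults are JVM-wide, so install them only in the client process that talks to those servers; whether a given CXF version lets the conduit reuse the default HostnameVerifier as well as the default SSLSocketFactory is an assumption to check against your version's http:conduit schema.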
