> -----Original Message----- > From: Sergey Beryozkin [mailto:[email protected]] > Sent: Monday, May 09, 2011 2:30 AM > To: [email protected] > Subject: Re: Can CXF's "http:conduit" be configured to deal with self- > signed certs or a custom verification? > > Hi > > One thing which is possible to do with CXF is to have multiple > HTTPConduit configurations provided, one > conduit can use SSL configuration relying on a self-signed cert, the > other one - configuration with a a proper certificate. > Each conduit bean can have a name attribute specifying a URI pattern > (reg ex), ex: > > <http:conduit > name="https://localhost:.*/production/customerservice/.*";> > ... > </http:conduit> > > <http:conduit name="https://localhost:.*/test/customerservice/.*";> > ... > </http:conduit> > > At runtime, the conduit matching request URIs used by the client code > will be activated. > > What I don't know is how to configure an individual HTTPConduit to > trust self-signed certificates. I've talked to Colm and explained that > all or most of CXF tests have server certs signed but we also do > generate the certs which are used to sign the server certs but keep > them in the trust store and then we have Conduit configuration > pointing to relevant key and trust stores, as in this file for ex: > > http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release > /samples/jax_rs/basic_https/src/main/resources/ClientConfig.xml > > It appears it is currently not possible to explicitly configure > HTTPConduit with a custom SSLSocketFactory, but at least it is > possible to tell it to use the default SSLSocketFactory which might've > been setup using > > HttpsURLConnection.setDefaultSSLSocketFactory(SSLSocketFactory) > > I've found this info here: > > http://www.frightanic.com/tag/ssl/ > > If anyone has more info then share it with us please
So it appears that at the present time I would have no way to do this, if I needed it. Correct? Just to clarify, again, I don't presently need this, but I just finished work on a REST client project where we were using HttpClient, but I had to configure the socket factory this way. I'm trying to move my development group towards more use of Spring and CXF. Internally, we have many servers with differing requirements. I think it's likely we'll run into this situation again sometime in the future. > On Mon, May 9, 2011 at 2:52 AM, Willem Jiang <[email protected]> > wrote: > > Hi, > > > > Current CXF is using the sun's http connection instead of httpclint > to start > > the http connection. I'm afraid you can't resolve the issue just by > doing > > some configuration on http conduit. > > > > Willem > > On 5/7/11 7:06 AM, KARR, DAVID (ATTSI) wrote: > >> > >> I'm still looking for a response for this. Although I'm not > currently > >> using CXF as my Soap/REST client, I'd like to know how I would > configure it > >> for this situation. > >> > >> My situation is that I don't want to turn off hostname verification, > but I > >> need to alter the process. With my current code that uses > HttpClient, I was > >> able to implement something based on "jsslutils" > >> (http://code.google.com/p/jsslutils/) that takes an alternate list > of > >> context names to compare against if the default list doesn't match > (which I > >> know I won't). > >> > >> I've looked through the information I can find about "http:conduit" > and > >> its sub-elements, and I don't see an obvious way to do this. > >> > >>> -----Original Message----- > >>> From: KARR, DAVID (ATTSI) > >>> Sent: Monday, May 02, 2011 11:44 AM > >>> To: [email protected] > >>> Subject: Can CXF's "http:conduit" be configured to deal with self- > >>> signed certs or a custom verification? > >>> > >>> I don't specifically need this from CXF, but I've recently had to > deal > >>> with these issues using raw HttpClient, and I wondered what I'd > have to > >>> do to configure CXF to deal with these issues. > >>> > >>> Specifically, I have a project that can connect through SSL to > either a > >>> test server or a production server. On the test server, it uses a > >>> self-signed certificate. I had to configure my HttpClient-using > code > >>> to use the "EasySSLProtocolSocketFactory", a common solution for > this. > >>> > >>> On the production server, we ended up having to connect to the > server > >>> "under" the main server, because of network architecture issues, > but > >>> that meant that the SSL cert we were getting had a context name > that > >>> didn't match the server we were getting it from. We didn't want to > >>> turn off hostname verification, so I implemented a different socket > >>> factory for that scenario that can be provided with an "alternate > >>> context name" (we provide the name of the original host we were > >>> connecting to). > >>> > >>> This all works with HttpClient. If I had to, how would I implement > >>> these features with http:conduit? > >> > > > > > > -- > > Willem > > ---------------------------------- > > FuseSource > > Web: http://www.fusesource.com > > Blog: http://willemjiang.blogspot.com (English) > > http://jnn.javaeye.com (Chinese) > > Twitter: willemjiang > > > > Connect at CamelOne May 24-26 > > The Open Source Integration Conference > > http://camelone.com > >
