i'm not sure what needs to be done. So this is just a guess. what do you set at the factoryAlgorithm property of your CXF's TrustManager configuration? Is it set to PKIX?
<sec:trustManagers factoryAlgorithm="PKIX"> Could it be that you are setting the algorithm explicitly in your non-cxf program but not in the cxf's configuration? 2014-09-08 15:12 GMT+02:00 Kessler, Joerg <[email protected]>: > Hi, > I am testing OCSP together with a CXF WS consumer. I am addressing my own > trust store in the http conduit. I created my own CA and a certificate > (localhost) holding the location url of the validation service (on my > computer). The scenario is CXF->https://localhost->CXF. OCSP is supported > by the JDK since Java 5. So I expected no problems. But when sending messages > the validation url is not called to check the certificate and no error > occurs. I did a lot of experiments and found out that it works when I set the > trust store using the system property javax.net.ssl.trustStore instead of the > conduit. I tried to debug the problem and found that > com.sun.net.ssl.internal.ssl.TrustManagerFactoryImpl provides two classes: > PKIXFactory and SimpleFactory. When PKIXFactory was instantiated then it > worked (verifier was called), using SimpleFactory it did not work. I could > even change the algorithm in the debugger from 'simple' to 'PKIX' and then it > worked. But I was unable figure out when and why 'PKIX' or 'simple' is set. > I came to the class javax.net.ssl.TrustManagerFactory->getDefaultAlgorithm() > that seems to return the value somehow. But finally I got stuck. The problem > seems to be caused by the method how CXF provides the trust store for ssl > communication. > > I can provide two simple tests that demonstrate the problem and should run on > any local environment. One using the system property that fails due to the > missing validation service (verified by the ssl debug trace) and one using > the conduit that is always successful because no validation is called. Both > use the same certificate/trust store. > > Best Regards, > > Jörg >
