i'm not sure what needs to be done. So this is just a guess.
what do you set at the factoryAlgorithm property of your CXF's
TrustManager configuration? Is it set to PKIX?

<sec:trustManagers factoryAlgorithm="PKIX">

Could it be that you are setting the algorithm explicitly in your
non-cxf program but not in the cxf's configuration?

2014-09-08 15:12 GMT+02:00 Kessler, Joerg <[email protected]>:
> Hi,
> I am testing OCSP together with a CXF WS consumer. I am addressing my own 
> trust store in the http conduit. I created my own CA  and a certificate 
> (localhost) holding the location url of the validation service (on my 
> computer).  The scenario is CXF->https://localhost->CXF.  OCSP is supported 
> by the JDK since Java 5. So I expected no problems. But when sending messages 
> the validation url is not called to check the certificate and no error 
> occurs. I did a lot of experiments and found out that it works when I set the 
> trust store using the system property javax.net.ssl.trustStore instead of the 
> conduit. I tried to debug the problem and found  that 
> com.sun.net.ssl.internal.ssl.TrustManagerFactoryImpl provides two classes: 
> PKIXFactory and SimpleFactory. When PKIXFactory was instantiated then it 
> worked (verifier was called), using SimpleFactory it did not work. I could 
> even change the algorithm in the debugger from 'simple' to 'PKIX' and then it 
> worked. But I was unable figure out when and why 'PKIX' or 'simple'  is set. 
> I came to the class javax.net.ssl.TrustManagerFactory->getDefaultAlgorithm() 
> that seems to return the value somehow. But finally I got stuck. The problem 
> seems to be caused by the method how CXF provides the trust store for ssl 
> communication.
>
> I can provide two simple tests that demonstrate the problem and should run on 
> any local environment. One using the system property that fails due to the 
> missing validation service (verified by the ssl debug trace) and one using 
> the conduit that is always successful  because no validation is called. Both 
> use the same certificate/trust store.
>
> Best Regards,
>
> Jörg
>

Reply via email to