2015-02-26 18:09 GMT+01:00 Sergey Beryozkin <[email protected]>:
> Hi
>
> I guess this is what Colm is implying, that the actual problem is that it does
> work.
> Can it be reproduced by a given server certificate with a self-signed
> certificate validating it?


Well, I don't have a test case right now. I'll try to reproduce it.

With a self-signed certificate, the behaviour is also the same.
But that makes sense (for me), because your CA is yourself, so you
could trust it (if the certificate is imported into your keystore).

Regards


>
> Cheers, Sergey
>
>
>
>
> On 26/02/15 16:55, Jose María Zaragoza wrote:
>>
>> 2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
>>>
>>>
>>> It does, but only if no truststore has been configured in CXF. Do you
>>> have a
>>> test-case that reproduces this problem?
>>
>>
>>
>> Thanks, not really
>> Indeed, it's not a problem because my client works fine, but I cannot
>> understand why. I only imported the server certificate, not the others
>> in the chain.
>>
>> As I don't know how the underlying certificate validation is performed,
>> I don't know if this behaviour is caused by default settings in CXF
>> or another reason.
>>
>> Regards
>>
>>
>>>
>>> Colm.
>>>
>>> On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza
>>> <[email protected]>
>>> wrote:
>>>>
>>>>
>>>> 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
>>>>>
>>>>> You are using "keyManagers" instead of "trustManagers" in the
>>>>> configuration. "keyManagers" is used when you need to specify a key for
>>>>> client authentication. "trustManagers" is used to verify trust in the
>>>>> server's cert. As you have no "trustManagers" configuration here, I
>>>>> guess
>>>>> it is falling back on the default JVM settings
>>>>> (javax.net.ssl.trustStore)
>>>>
>>>>
>>>> Sorry, it was a typo. I'm using trustManagers
>>>>
>>>> <sec:trustManagers>
>>>>                <sec:keyStore type="JKS" password="*******"
>>>> resource="truststore.jks"/>
>>>>            </sec:trustManagers>
>>>> <sec:cipherSuitesFilter>
>>>>
>>>> Do you know if JSSE (I guess it's the underlying TLS implementation)
>>>> uses the default JVM truststore for checking certificates?
>>>>
>>>> Thanks
>>>>
>>>>>
>>>>> Colm.
>>>>>
>>>>> On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza
>>>>> <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Hello:
>>>>>>
>>>>>> Maybe this question is a bit off topic, but I am trying to understand why my
>>>>>> client works.
>>>>>>
>>>>>> I use CXF 2.7.8 to call a remote webservice by HTTPS (SSL/TLS).
>>>>>> These are my settings:
>>>>>>
>>>>>> <http-conf:conduit name="https://.*">
>>>>>>    <http-conf:tlsClientParameters>
>>>>>>    <sec:keyManagers keyPassword="xxxxxxxx">
>>>>>>          <sec:keyStore type="JKS" password="xxxxxxxx"
>>>>>> resource="truststore.jks"/>
>>>>>>     </sec:keyManagers>
>>>>>>
>>>>>> I've imported the SSL server certificate into truststore.jks
>>>>>> and it works fine.
>>>>>>
>>>>>> But this certificate is signed by a CA chain (from .godaddy.com),
>>>>>> and (I think) I haven't imported any certificate from godaddy.
>>>>>> Why does my client trust the server certificate?
>>>>>> Is some Certification Path Validation process not performed?
>>>>>>
>>>>>> Thanks and regards
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Colm O hEigeartaigh
>>>>>
>>>>> Talend Community Coder
>>>>> http://coders.talend.com
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Colm O hEigeartaigh
>>>
>>> Talend Community Coder
>>> http://coders.talend.com
>
>
>
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/
>
> Blog: http://sberyozkin.blogspot.com
