What I meant is that you do use a self-signed cert to sign a previously generated certificate, but do not import this self-signed cert into the truststore, which would emulate the same situation you have now without having to provide a test where well-known providers sign a given server certificate.

Sergey


On 26/02/15 18:51, Jose María Zaragoza wrote:
2015-02-26 18:09 GMT+01:00 Sergey Beryozkin <[email protected]>:
Hi

I guess this is what Colm is implying, that the actual problem is that it does
work.
Can it be reproduced by a given server certificate with a self-signed
certificate validating it?


Well, I don't have a test case right now. I'll try to reproduce it.

With a self-signed certificate, the behaviour is also the same.
But that makes sense (for me), because your CA is yourself, so you
could trust it (if the certificate is imported into your keystore).

Regards



Cheers, Sergey




On 26/02/15 16:55, Jose María Zaragoza wrote:

2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh <[email protected]>:


It does, but only if no truststore has been configured in CXF. Do you
have a
test-case that reproduces this problem?



Thanks, not really.
Indeed, it's not a problem because my client works fine, but I cannot
understand why. I only imported the server certificate, not the others
in the chain.

As I don't know how the underlying certificate validation is performed,
I don't know if this behaviour is caused by default settings in CXF
or another reason.

Regards



Colm.

On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza
<[email protected]>
wrote:


2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <[email protected]>:

You are using "keyManagers" instead of "trustManagers" in the
configuration. "keyManagers" is used when you need to specify a key for
client authentication. "trustManagers" is used to verify trust in the
server's cert. As you have no "trustManagers" configuration here, I
guess
it is falling back on the default JVM settings
(javax.net.ssl.trustStore)


Sorry, it was a typo. I'm using trustManagers

<sec:trustManagers>
    <sec:keyStore type="JKS" password="*******" resource="truststore.jks"/>
</sec:trustManagers>
<sec:cipherSuitesFilter>

Do you know if JSSE (I guess it's the underlying TLS implementation)
uses the default JVM truststore for checking certificates?

Thanks


Colm.

On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza
<[email protected]>
wrote:

Hello:

Maybe this question is a bit off topic, but I am trying to understand why my
client works.

I use CXF 2.7.8 to call a remote webservice by HTTPS (SSL/TLS).
These are my settings:

<http-conf:conduit name="https://.*">
    <http-conf:tlsClientParameters>
        <sec:keyManagers keyPassword="xxxxxxxx">
            <sec:keyStore type="JKS" password="xxxxxxxx" resource="truststore.jks"/>
        </sec:keyManagers>

I've imported the SSL server certificate into truststore.jks
and it works fine.

But this certificate is signed by a CA chain (from .godaddy.com),
and (I think) I haven't imported any certificate from godaddy.
Why does my client trust the server certificate?
Is some Certification Path Validation process not performed?

Thanks and regards




--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com





--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com



--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
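
The keyManagers / trustManagers distinction discussed in this thread, written out as a complete CXF Spring configuration. This is an added example, not part of any message above; the `CHANGE_ME` passwords and the `client-keystore.jks` file name are placeholders assumed for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xmlns:http-conf="http://cxf.apache.org/transports/http/configuration"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd
         http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd">

  <!-- As first posted in the thread: the store sits under keyManagers, so it
       is only a source of keys for client authentication. No trustManagers
       are configured, and per the reply in the thread the server check then
       falls back on the default JVM settings (javax.net.ssl.trustStore)
       instead of truststore.jks.

  <http-conf:conduit name="https://.*">
    <http-conf:tlsClientParameters>
      <sec:keyManagers keyPassword="CHANGE_ME">
        <sec:keyStore type="JKS" password="CHANGE_ME" resource="truststore.jks"/>
      </sec:keyManagers>
    </http-conf:tlsClientParameters>
  </http-conf:conduit>
  -->

  <http-conf:conduit name="https://.*">
    <http-conf:tlsClientParameters>
      <!-- Optional: only needed when the server requests a client
           certificate. client-keystore.jks is a hypothetical file name. -->
      <sec:keyManagers keyPassword="CHANGE_ME">
        <sec:keyStore type="JKS" password="CHANGE_ME" resource="client-keystore.jks"/>
      </sec:keyManagers>
      <!-- Certificates used to verify trust in the server's certificate. -->
      <sec:trustManagers>
        <sec:keyStore type="JKS" password="CHANGE_ME" resource="truststore.jks"/>
      </sec:trustManagers>
    </http-conf:tlsClientParameters>
  </http-conf:conduit>
</beans>
```

To confirm which store a given client is actually using, compare the output of `keytool -list -keystore truststore.jks` with what the JVM reports when started with `-Djavax.net.debug=ssl`.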
