2015-02-26 22:23 GMT+01:00 Sergey Beryozkin <[email protected]>:
> What I meant is that you do use a self-signed cert to sign a previously
> generated certificate but do not import this self-signed cert into the
> truststore, which would emulate the same situation you have now without
> having to provide a test where well-known providers sign a given server
> certificate.

OK
I'll try it

Thanks

>
> Sergey
>
>
>
> On 26/02/15 18:51, Jose María Zaragoza wrote:
>>
>> 2015-02-26 18:09 GMT+01:00 Sergey Beryozkin <[email protected]>:
>>>
>>> Hi
>>>
>>> I guess this is what Colm is implying, that the actual problem is that it
>>> does work.
>>> Can it be reproduced by a given server certificate with a self-signed
>>> certificate validating it?
>>
>>
>>
>> Well, I don't have a testcase right now. I'll try to reproduce it.
>>
>> With a self-signed certificate, the behaviour is also the same.
>> But that makes sense (for me), because your CA is yourself, so you
>> could trust it (if the certificate is imported into your keystore).
>>
>> Regards
>>
>>
>>>
>>> Cheers, Sergey
>>>
>>>
>>>
>>>
>>> On 26/02/15 16:55, Jose María Zaragoza wrote:
>>>>
>>>>
>>>> 2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
>>>>>
>>>>> It does, but only if no truststore has been configured in CXF. Do you
>>>>> have a
>>>>> test-case that reproduces this problem?
>>>>
>>>>
>>>> Thanks, not really.
>>>> Indeed, it's not a problem because my client works fine, but I cannot
>>>> understand why. I only imported the server certificate, not the others
>>>> in the chain.
>>>>
>>>> As I don't know how the underlying certificate validation is performed,
>>>> I don't know if this behaviour is caused by default settings in CXF
>>>> or another reason.
>>>>
>>>> Regards
>>>>
>>>>
>>>>>
>>>>> Colm.
>>>>>
>>>>> On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza
>>>>> <[email protected]>
>>>>> wrote:
>>>>>>
>>>>>> 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
>>>>>>>
>>>>>>>
>>>>>>> You are using "keyManagers" instead of "trustManagers" in the
>>>>>>> configuration. "keyManagers" is used when you need to specify a key
>>>>>>> for
>>>>>>> client authentication. "trustManagers" is used to verify trust in the
>>>>>>> server's cert. As you have no "trustManagers" configuration here, I
>>>>>>> guess
>>>>>>> it is falling back on the default JVM settings
>>>>>>> (javax.net.ssl.trustStore)
>>>>>>
>>>>>> Sorry, it was a typo. I'm using trustManagers
>>>>>>
>>>>>> <sec:trustManagers>
>>>>>>     <sec:keyStore type="JKS" password="*******" resource="truststore.jks"/>
>>>>>> </sec:trustManagers>
>>>>>> <sec:cipherSuitesFilter>
>>>>>>
>>>>>> Do you know if JSSE (I guess it's the underlying TLS implementation)
>>>>>> uses the default JVM truststore for checking certificates?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>>>
>>>>>>> Colm.
>>>>>>>
>>>>>>> On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza
>>>>>>> <[email protected]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hello:
>>>>>>>>
>>>>>>>> Maybe this question is a bit off topic, but I'm trying to understand why my
>>>>>>>> client works.
>>>>>>>>
>>>>>>>> I use CXF 2.7.8 to call a remote webservice over HTTPS (SSL/TLS).
>>>>>>>> These are my settings:
>>>>>>>>
>>>>>>>> <http-conf:conduit name="https://.*">
>>>>>>>>     <http-conf:tlsClientParameters>
>>>>>>>>         <sec:keyManagers keyPassword="xxxxxxxx">
>>>>>>>>             <sec:keyStore type="JKS" password="xxxxxxxx" resource="truststore.jks"/>
>>>>>>>>         </sec:keyManagers>
>>>>>>>>
>>>>>>>> I've imported the SSL server certificate into truststore.jks,
>>>>>>>> and it works fine.
>>>>>>>>
>>>>>>>> But this certificate is signed by a CA chain (from .godaddy.com),
>>>>>>>> and (I think) I haven't imported any certificate from godaddy.
>>>>>>>> Why does my client trust the server certificate?
>>>>>>>> Isn't some Certification Path Validation process performed?
>>>>>>>>
>>>>>>>> Thanks and regards
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Colm O hEigeartaigh
>>>>>>>
>>>>>>> Talend Community Coder
>>>>>>> http://coders.talend.com
>>>>>
>>>>> --
>>>>> Colm O hEigeartaigh
>>>>>
>>>>> Talend Community Coder
>>>>> http://coders.talend.com
>>>
>>> --
>>> Sergey Beryozkin
>>>
>>> Talend Community Coders
>>> http://coders.talend.com/
>>>
>>> Blog: http://sberyozkin.blogspot.com
>
>

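The trust decision the thread is circling, as an added example that is not part of the mailing-list posts and not CXF's own code: it builds small in-memory truststores and asks the JSSE PKIX trust manager (the same `X509TrustManager` CXF obtains from a `<sec:trustManagers>` keystore) to judge a server chain, which makes Sergey's suggested test runnable without a web service. JSSE treats every certificate in the truststore as a trust anchor, including an end-entity certificate, so a chain whose first certificate is already in the truststore is accepted without its issuer; that is why importing only the server certificate works, and why Colm's fallback to the JVM default truststore only happens when no truststore is configured at all. The class name `TrustStoreCheck`, the file names `ca.pem`/`server.pem`, the subject names and the OpenSSL commands in the header comment are constructed for this example; the Java APIs used are the standard `java.security` and `javax.net.ssl` ones.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/*
 * Added example (not CXF code). Test material, built with OpenSSL the way
 * Sergey suggests: a self-signed "CA" signs a separately generated server
 * certificate, and the test decides which of the two goes into the truststore.
 * (Names and file names are constructed for this example.)
 *
 *   openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Test CA" \
 *       -keyout ca.key -out ca.pem -days 365
 *   openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
 *       -keyout server.key -out server.csr
 *   openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key \
 *       -CAcreateserial -out server.pem -days 365
 *
 *   java TrustStoreCheck.java ca.pem server.pem
 */
public class TrustStoreCheck {

    /** Reads one PEM or DER encoded X.509 certificate from disk. */
    static X509Certificate loadCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
    }

    /**
     * Builds an in-memory JKS truststore holding exactly the given certificates
     * and returns the X509TrustManager initialised from it. With no certificates
     * the factory is initialised with a null KeyStore, which makes JSSE fall back
     * to the JVM default truststore (javax.net.ssl.trustStore, else cacerts):
     * the situation Colm describes for a conduit without <sec:trustManagers>.
     */
    static X509TrustManager trustManagerFor(X509Certificate... trusted) throws Exception {
        KeyStore ks = null;
        if (trusted.length > 0) {
            ks = KeyStore.getInstance("JKS");
            ks.load(null, null);                       // fresh, empty, in-memory store
            for (int i = 0; i < trusted.length; i++) {
                ks.setCertificateEntry("anchor-" + i, trusted[i]);
            }
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                                  // null -> JVM default truststore
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Runs the server-side trust decision and reports it instead of throwing. */
    static String verdict(String scenario, X509TrustManager tm, X509Certificate... chain) {
        try {
            tm.checkServerTrusted(chain, "RSA");
            return scenario + " -> trusted";
        } catch (CertificateException e) {
            return scenario + " -> rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate ca = loadCert(args[0]);      // self-signed signer
        X509Certificate server = loadCert(args[1]);  // leaf issued by ca

        // The thread's situation: only the leaf is in the truststore, its signer is not.
        System.out.println(verdict("truststore={server}, chain=[server]",
                trustManagerFor(server), server));
        System.out.println(verdict("truststore={server}, chain=[server, ca]",
                trustManagerFor(server), server, ca));

        // The usual PKI situation: the signer is the anchor and the leaf is path-validated.
        System.out.println(verdict("truststore={ca}, chain=[server]",
                trustManagerFor(ca), server));
        System.out.println(verdict("truststore={ca}, chain=[server, ca]",
                trustManagerFor(ca), server, ca));

        // No truststore configured: JVM defaults, which know nothing about Test CA.
        System.out.println(verdict("truststore=JVM default, chain=[server, ca]",
                trustManagerFor(), server, ca));
    }
}
```

Reading the output: the two `truststore={server}` scenarios are accepted whether or not the CA is sent, the two `truststore={ca}` scenarios are accepted because the server certificate path-validates to the anchor, and the JVM-default scenario is rejected because the default store does not contain Test CA. Importing only the server certificate therefore works, but it is effectively pinning: when the server renews its certificate the client stops trusting it until the truststore is updated, whereas a truststore holding the issuing CA keeps working across renewals. Which of the two a deployment wants is a decision, not an accident, so it is worth stating explicitly in the configuration.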