I did a quick test using CXF's WebClient doing a "GET" on https://www.google.com. It works fine when you don't specify any TLSClientParameters as expected, as it picks up the default cacerts. However, when I added the following it fails (also as expected):

<http:conduit name="https://.*">
  <http:tlsClientParameters disableCNCheck="true">
    <sec:trustManagers>
      <sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/>
    </sec:trustManagers>
  </http:tlsClientParameters>
</http:conduit>

Colm.

On Thu, Feb 26, 2015 at 10:07 PM, Jose María Zaragoza <[email protected]> wrote:
> 2015-02-26 22:23 GMT+01:00 Sergey Beryozkin <[email protected]>:
> > What I meant is that you do use a self signed cert to sign a previously
> > generated certificate but do not import this self signed cert into the
> > truststore which would emulate the same situation you have now without
> > having to provide a test where well known providers sign a given server
> > certificate.
>
> OK
> I'll try it
>
> Thanks
>
> > Sergey
> >
> > On 26/02/15 18:51, Jose María Zaragoza wrote:
> >> 2015-02-26 18:09 GMT+01:00 Sergey Beryozkin <[email protected]>:
> >>> Hi
> >>>
> >>> I guess this is what Colm is implying, that the actual problem is that it
> >>> does work.
> >>> Can it be reproduced by a given server certificate with a self-signed
> >>> certificate validating it?
> >>
> >> Well, I don't have a testcase right now. I'll try to reproduce it.
> >>
> >> With a self signed certificate, the behaviour is also the same.
> >> But that makes sense (for me), because your CA is yourself, so you
> >> could trust it (if the certificate is imported into your keystore).
> >>
> >> Regards
> >>
> >>> Cheers, Sergey
> >>>
> >>> On 26/02/15 16:55, Jose María Zaragoza wrote:
> >>>> 2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> >>>>> It does, but only if no truststore has been configured in CXF. Do you
> >>>>> have a test-case that reproduces this problem?
> >>>>
> >>>> Thanks, not really.
> >>>> Indeed, it's not a problem because my client works fine, but I cannot
> >>>> understand why.
> >>>> I only imported the server certificate, not the others in the chain.
> >>>>
> >>>> As I don't know how the underlying certificate validation is performed,
> >>>> I don't know if this behaviour is caused by default settings in CXF
> >>>> or another reason.
> >>>>
> >>>> Regards
> >>>>
> >>>>> Colm.
> >>>>>
> >>>>> On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza <[email protected]> wrote:
> >>>>>> 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> >>>>>>> You are using "keyManagers" instead of "trustManagers" in the
> >>>>>>> configuration. "keyManagers" is used when you need to specify a key for
> >>>>>>> client authentication. "trustManagers" is used to verify trust in the
> >>>>>>> server's cert. As you have no "trustManagers" configuration here, I guess
> >>>>>>> it is falling back on the default JVM settings (javax.net.ssl.trustStore)
> >>>>>>
> >>>>>> Sorry, it was a typo. I'm using trustManagers
> >>>>>>
> >>>>>> <sec:trustManagers>
> >>>>>>   <sec:keyStore type="JKS" password="*******"
> >>>>>>     resource="truststore.jks"/>
> >>>>>> </sec:trustManagers>
> >>>>>> <sec:cipherSuitesFilter>
> >>>>>>
> >>>>>> Do you know if JSSE (I guess it's the underlying TLS implementation)
> >>>>>> uses the default JVM truststore for checking certificates?
> >>>>>>
> >>>>>> Thanks
> >>>>>>
> >>>>>>> Colm.
> >>>>>>>
> >>>>>>> On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza <[email protected]> wrote:
> >>>>>>>
> >>>>>>>> Hello:
> >>>>>>>>
> >>>>>>>> Maybe this question is a bit off topic, but I try to understand why my
> >>>>>>>> client works.
> >>>>>>>>
> >>>>>>>> I use CXF 2.7.8 to call a remote webservice by HTTPS (SSL/TLS).
> >>>>>>>> These are my settings:
> >>>>>>>>
> >>>>>>>> <http-conf:conduit name="https://.*">
> >>>>>>>>   <http-conf:tlsClientParameters>
> >>>>>>>>     <sec:keyManagers keyPassword="xxxxxxxx">
> >>>>>>>>       <sec:keyStore type="JKS" password="xxxxxxxx"
> >>>>>>>>         resource="truststore.jks"/>
> >>>>>>>>     </sec:keyManagers>
> >>>>>>>>
> >>>>>>>> I've imported the SSL server certificate into truststore.jks
> >>>>>>>> And it works fine.
> >>>>>>>>
> >>>>>>>> But this certificate is signed by a CA chain (from .godaddy.com),
> >>>>>>>> and (I think) I haven't imported any certificate from godaddy.
> >>>>>>>> Why does my client trust the server certificate?
> >>>>>>>> Is no Certification Path Validation process performed?
> >>>>>>>>
> >>>>>>>> Thanks and regards
> >>>>>>>
> >>>>>>> --
> >>>>>>> Colm O hEigeartaigh
> >>>>>>>
> >>>>>>> Talend Community Coder
> >>>>>>> http://coders.talend.com
> >>>>>
> >>>>> --
> >>>>> Colm O hEigeartaigh
> >>>>>
> >>>>> Talend Community Coder
> >>>>> http://coders.talend.com
> >>>
> >>> --
> >>> Sergey Beryozkin
> >>>
> >>> Talend Community Coders
> >>> http://coders.talend.com/
> >>>
> >>> Blog: http://sberyozkin.blogspot.com

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
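As an added example (not code from this thread or from CXF), here is a small Java check of the distinction the discussion turns on: whether the configured truststore contains the server's end-entity certificate itself or only one of its issuers, and whether JSSE's PKIX trust manager (the same one CXF's trustManagers element is fed from) accepts the chain with that store alone. The class name, the file names truststore.jks and server-chain.pem, and the password changeit are placeholders; the PEM file is assumed to hold the chain the server sends in the handshake.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Hypothetical helper, not part of CXF: reports why a JKS truststore trusts a server chain. */
public class TrustStoreChainCheck {
    // "leaf:<alias>" when the end-entity cert itself is a trust anchor (direct pin, no CA needed),
    // "issuer:<alias>" when only the leaf's issuer is in the store (path validation via the CA), else "none".
    static String explainTrust(KeyStore trustStore, X509Certificate leaf) throws Exception {
        String result = "none";
        for (String alias : Collections.list(trustStore.aliases())) {
            Certificate trusted = trustStore.getCertificate(alias);
            if (!(trusted instanceof X509Certificate)) continue;   // secret-key entries carry no cert
            X509Certificate t = (X509Certificate) trusted;
            if (t.equals(leaf)) {
                return "leaf:" + alias;
            }
            if (t.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
                result = "issuer:" + alias;
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder inputs: the truststore from the conduit config, and the server's chain (leaf first).
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream("truststore.jks")) {
            trustStore.load(in, "changeit".toCharArray());
        }
        X509Certificate[] chain;
        try (InputStream in = new FileInputStream("server-chain.pem")) {
            chain = CertificateFactory.getInstance("X.509").generateCertificates(in)
                    .toArray(new X509Certificate[0]);
        }
        System.out.println("match kind: " + explainTrust(trustStore, chain[0]));

        // Ask JSSE itself, as CXF's trustManagers element does: PKIX validation against this store only.
        // The authType merely selects which keyUsage bit the end-entity check inspects.
        String authType = "EC".equals(chain[0].getPublicKey().getAlgorithm()) ? "ECDHE_ECDSA" : "ECDHE_RSA";
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        tm.checkServerTrusted(chain, authType);   // throws CertificateException if the store rejects the chain
        System.out.println("JSSE accepts the chain with this truststore");
    }
}
```

Run against a truststore holding only the leaf, the first line reports "leaf:<alias>" and the JSSE check still passes, which is the behaviour the thread is asking about; with the leaf removed and no issuer present, checkServerTrusted throws.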
