2015-02-26 23:38 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> I did a quick test using CXF's WebClient doing a "GET" on
> https://www.google.com. It works fine when you don't specify any
> TLSClientParameters as expected, as it picks up the default cacerts.
> However, when I added the following it fails (also as expected):
>
> <http:conduit name="https://.*">
>   <http:tlsClientParameters disableCNCheck="true">
>     <sec:trustManagers>
>       <sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/>
>     </sec:trustManagers>
>   </http:tlsClientParameters>
> </http:conduit>
>
> Colm.

OK. That's right. But, if you import the Google certificate into clientstore.jks
but don't import its CA certificate (GeoTrust CA, in this case), should it fail?
This is my question. I don't know what validation path JSSE follows.

Regards

> On Thu, Feb 26, 2015 at 10:07 PM, Jose María Zaragoza <[email protected]> wrote:
>
>> 2015-02-26 22:23 GMT+01:00 Sergey Beryozkin <[email protected]>:
>> > What I meant is that you do use a self-signed cert to sign a previously
>> > generated certificate but do not import this self-signed cert into the
>> > truststore, which would emulate the same situation you have now without
>> > having to provide a test where well-known providers sign a given server
>> > certificate.
>>
>> OK
>> I'll try it
>>
>> Thanks
>>
>> > Sergey
>> >
>> > On 26/02/15 18:51, Jose María Zaragoza wrote:
>> >> 2015-02-26 18:09 GMT+01:00 Sergey Beryozkin <[email protected]>:
>> >>> Hi
>> >>>
>> >>> I guess this is what Colm is implying, that the actual problem is that
>> >>> it does work.
>> >>> Can it be reproduced by a given server certificate with a self-signed
>> >>> certificate validating it?
>> >>
>> >> Well, I don't have a test case right now. I'll try to reproduce it.
>> >>
>> >> With a self-signed certificate, the behaviour is also the same.
>> >> But that makes sense (for me), because your CA is yourself, so you
>> >> could trust it (if the certificate is imported into your keystore).
>> >>
>> >> Regards
>> >>
>> >>> Cheers, Sergey
>> >>>
>> >>> On 26/02/15 16:55, Jose María Zaragoza wrote:
>> >>>> 2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
>> >>>>> It does, but only if no truststore has been configured in CXF. Do you
>> >>>>> have a test case that reproduces this problem?
>> >>>>
>> >>>> Thanks, not really.
>> >>>> Indeed, it's not a problem because my client works fine, but I cannot
>> >>>> understand why. I only imported the server certificate, not the others
>> >>>> in the chain.
>> >>>>
>> >>>> As I don't know how the underlying certificate validation is performed,
>> >>>> I don't know if this behaviour is caused by default settings in CXF
>> >>>> or by another reason.
>> >>>>
>> >>>> Regards
>> >>>>
>> >>>>> Colm.
>> >>>>>
>> >>>>> On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza <[email protected]> wrote:
>> >>>>>> 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
>> >>>>>>> You are using "keyManagers" instead of "trustManagers" in the
>> >>>>>>> configuration. "keyManagers" is used when you need to specify a key
>> >>>>>>> for client authentication. "trustManagers" is used to verify trust in
>> >>>>>>> the server's cert. As you have no "trustManagers" configuration here,
>> >>>>>>> I guess it is falling back on the default JVM settings
>> >>>>>>> (javax.net.ssl.trustStore).
>> >>>>>>
>> >>>>>> Sorry, it was a typo. I'm using trustManagers:
>> >>>>>>
>> >>>>>> <sec:trustManagers>
>> >>>>>>   <sec:keyStore type="JKS" password="*******" resource="truststore.jks"/>
>> >>>>>> </sec:trustManagers>
>> >>>>>> <sec:cipherSuitesFilter>
>> >>>>>>
>> >>>>>> Do you know if JSSE (I guess it's the underlying TLS implementation)
>> >>>>>> uses the default JVM truststore for checking certificates?
>> >>>>>>
>> >>>>>> Thanks
>> >>>>>>
>> >>>>>>> Colm.
>> >>>>>>>
>> >>>>>>> On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza <[email protected]> wrote:
>> >>>>>>>> Hello:
>> >>>>>>>>
>> >>>>>>>> Maybe this question is a bit off topic, but I'm trying to understand
>> >>>>>>>> why my client works.
>> >>>>>>>>
>> >>>>>>>> I use CXF 2.7.8 to call a remote web service over HTTPS (SSL/TLS).
>> >>>>>>>> These are my settings:
>> >>>>>>>>
>> >>>>>>>> <http-conf:conduit name="https://.*">
>> >>>>>>>>   <http-conf:tlsClientParameters>
>> >>>>>>>>     <sec:keyManagers keyPassword="xxxxxxxx">
>> >>>>>>>>       <sec:keyStore type="JKS" password="xxxxxxxx" resource="truststore.jks"/>
>> >>>>>>>>     </sec:keyManagers>
>> >>>>>>>>
>> >>>>>>>> I've imported the SSL server certificate into truststore.jks,
>> >>>>>>>> and it works fine.
>> >>>>>>>>
>> >>>>>>>> But this certificate is signed by a CA chain (from .godaddy.com),
>> >>>>>>>> and (I think) I haven't imported any certificate from GoDaddy.
>> >>>>>>>> Why does my client trust the server certificate?
>> >>>>>>>> Isn't some certification path validation process performed?
>> >>>>>>>>
>> >>>>>>>> Thanks and regards
>> >>>>>>>
>> >>>>>>> --
>> >>>>>>> Colm O hEigeartaigh
>> >>>>>>>
>> >>>>>>> Talend Community Coder
>> >>>>>>> http://coders.talend.com
>> >>>
>> >>> --
>> >>> Sergey Beryozkin
>> >>>
>> >>> Talend Community Coders
>> >>> http://coders.talend.com/
>> >>>
>> >>> Blog: http://sberyozkin.blogspot.com
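The open question in the thread is which validation path JSSE takes when the truststore holds the server's own certificate but none of its CA chain. The quickest way to see the answer for a concrete truststore and chain, without CXF in the loop, is to hand the chain to the same PKIX X509TrustManager that the JSSE client handshake uses and ask it directly. The program below is an added example, not code from the thread or from Apache CXF; the file names truststore.jks and chain.pem, the password argument and the class name TrustCheck are placeholders, and chain.pem is assumed to hold the server's chain in PEM form, leaf first (for instance as saved from `openssl s_client -showcerts`).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * TrustCheck (hypothetical name): runs a server certificate chain through the
 * same PKIX X509TrustManager a JSSE client uses, backed by a chosen truststore,
 * and reports whether the chain would be accepted.
 *
 * Usage (file names are placeholders, not files from the thread):
 *   java TrustCheck truststore.jks changeit chain.pem
 * chain.pem is assumed to contain the server's chain in PEM form, leaf first.
 */
public class TrustCheck {

    /** Loads a JKS truststore, as CXF's <sec:keyStore type="JKS" .../> does. */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Builds the default (PKIX) X509TrustManager over the given truststore only. */
    static X509TrustManager pkixTrustManager(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore); // this store alone is consulted; cacerts is not a fallback
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Reads one or more PEM certificates from a file; the leaf must come first. */
    static X509Certificate[] readChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(pemPath)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            return certs.toArray(new X509Certificate[0]);
        }
    }

    /** authType the handshake would report for this leaf's key; it drives the key-usage check. */
    static String authTypeFor(X509Certificate leaf) {
        return "EC".equals(leaf.getPublicKey().getAlgorithm()) ? "ECDHE_ECDSA" : "ECDHE_RSA";
    }

    /**
     * Returns null when the trust manager accepts the chain, otherwise the
     * validator's reason. This is the checkServerTrusted call a TLS client
     * makes during the handshake; hostname verification is a separate step.
     */
    static String rejectionReason(X509TrustManager tm, X509Certificate[] chain) {
        try {
            tm.checkServerTrusted(chain, authTypeFor(chain[0]));
            return null;
        } catch (CertificateException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore trustStore = loadTrustStore(args[0], args[1].toCharArray());
        X509TrustManager tm = pkixTrustManager(trustStore);
        X509Certificate[] chain = readChain(args[2]);

        // Show which members of the presented chain are literally present in the truststore.
        for (int i = 0; i < chain.length; i++) {
            String alias = trustStore.getCertificateAlias(chain[i]);
            System.out.printf("chain[%d] %s -> %s%n", i,
                chain[i].getSubjectX500Principal(),
                alias == null ? "not in truststore" : "in truststore as '" + alias + "'");
        }

        String reason = rejectionReason(tm, chain);
        System.out.println(reason == null ? "chain ACCEPTED" : "chain REJECTED: " + reason);
    }
}
```

Run against a truststore that contains only the server's leaf certificate, this reports chain[0] as present in the truststore and the chain as accepted, which is the behaviour the thread observes. The SunJSSE PKIX trust manager walks the presented chain looking for a member that is already in the truststore, and when that member is the end-entity certificate itself it accepts the chain directly instead of building a path up to a CA; no GoDaddy or GeoTrust certificate is needed for that case. Two consequences matter operationally: such a truststore pins that exact certificate, so the client stops working when the server's certificate is renewed until the truststore is updated, and, as Colm's test shows, once sec:trustManagers is configured the JVM's default cacerts is no longer consulted at all. The check above also says nothing about the hostname; that is endpoint identification, which CXF controls separately with disableCNCheck.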
