Hi,

Really hope someone can help me as it's driving me mad!!!

I'm trying to enable TLS for a web service call invoked using a CXF
provider.

I've setup an http-conduit on the client, but I get an error back:

"The https URL hostname does not match the Common Name (CN) on the server
certificate.  To disable this check (NOT recommended for production) set the
CXF client TLS configuration property "disableCNCheck" to true"

For this test I've generated the certificates myself and have tried various
CNs, but I still get the error.

Finally, I tried setting disableCNCheck=true, but I still get the same
error.

Please can someone tell me how to check which hostname and CN are being
compared? Also, if anyone knows why I can't get disableCNCheck to work, I'd
be grateful too.

I'm using version 2.2.6 of CXF.

This is my SSL config:

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:jaxws="http://java.sun.com/xml/ns/jaxws"
       xsi:schemaLocation="http://cxf.apache.org/configuration/security
                           http://cxf.apache.org/schemas/configuration/security.xsd
                           http://cxf.apache.org/transports/http/configuration
                           http://cxf.apache.org/schemas/configuration/http-conf.xsd
                           http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

    <http:conduit name="{http://www.demo.com/DS/1.0}SendDS_pttBinding.http-conduit">

        <http:tlsClientParameters secureSocketProtocol="TLS" disableCNCheck="true">
            <sec:keyManagers keyPassword="abcdefg">
                <sec:keyStore type="JKS" password="abcdefg"
                              file="X:/Certs/MiGLocalKeyStore.jks"/>
            </sec:keyManagers>
            <sec:trustManagers>
                <sec:keyStore type="JKS" password="abcdefg"
                              file="X:/Certs/MiGLocalKeyStore.jks"/>
            </sec:trustManagers>
            <sec:cipherSuitesFilter>
                <!-- these filters ensure that a ciphersuite with
                     export-suitable or null encryption is used,
                     but exclude anonymous Diffie-Hellman key exchange as
                     this is vulnerable to man-in-the-middle attacks -->
                <sec:include>.*_EXPORT_.*</sec:include>
                <sec:include>.*_EXPORT1024_.*</sec:include>
                <sec:include>.*_WITH_DES_.*</sec:include>
                <sec:include>.*_WITH_NULL_.*</sec:include>
                <sec:exclude>.*_DH_anon_.*</sec:exclude>
            </sec:cipherSuitesFilter>
        </http:tlsClientParameters>

        <!-- Note: Connection parameter causes problems if moved to the
             properties file -->
        <http:client AutoRedirect="true" Connection="Keep-Alive"/>

    </http:conduit>

</beans>

Thanks in advance,
Steve.

-- 
View this message in context: 
http://old.nabble.com/CXF-TLS---CN-Hostname-mismatch---disableCNCheck-tp28056617p28056617.html
Sent from the ServiceMix - User mailing list archive at Nabble.com.
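To see which names are actually being compared, the following added example (not CXF code, and not from the original post) loads a JKS file such as the truststore named above, prints the subject CN and any dNSName Subject Alternative Names of each certificate it contains, and checks them against a hostname the way a JSSE-style verifier does (SAN entries first, CN as a fallback, one leading wildcard label allowed). The keystore path, password and hostname are command-line arguments and are assumptions here.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class CertNameCheck {
    // Extract the CN attribute from the certificate's subject DN.
    static String commonName(X509Certificate cert) throws Exception {
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
            if (rdn.getType().equalsIgnoreCase("CN")) return rdn.getValue().toString();
        }
        return null;
    }

    // Case-insensitive match; "*.example.com" matches exactly one left-most label.
    static boolean matches(String hostname, String name) {
        hostname = hostname.toLowerCase(Locale.ROOT);
        name = name.toLowerCase(Locale.ROOT);
        if (name.startsWith("*.")) {
            int dot = hostname.indexOf('.');
            return dot > 0 && hostname.substring(dot + 1).equals(name.substring(2));
        }
        return hostname.equals(name);
    }

    // Usage: java CertNameCheck <keystore.jks> <password> <hostname-in-url>
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        String hostname = args[2];
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;   // skip non-X.509 entries
            X509Certificate cert = (X509Certificate) c;
            List<String> dnsNames = new ArrayList<>();
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans != null) for (List<?> san : sans) {
                if ((Integer) san.get(0) == 2) dnsNames.add(san.get(1).toString()); // 2 = dNSName
            }
            boolean sanOk = dnsNames.stream().anyMatch(n -> matches(hostname, n));
            String cn = commonName(cert);
            // SANs take precedence; the CN is only consulted when no dNSName SAN exists.
            boolean ok = dnsNames.isEmpty() ? (cn != null && matches(hostname, cn)) : sanOk;
            System.out.println(alias + ": CN=" + cn + " SAN=" + dnsNames
                    + " -> matches '" + hostname + "': " + ok);
        }
    }
}
```

Run it against the hostname exactly as it appears in the endpoint URL (an IP address or "localhost" will not match a CN like "myserver"), which is the usual cause of the mismatch the error describes.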
