Hi,

Not exactly sure why disableCNCheck doesn't work for you; the configuration seems correct.
I guess the change you made didn't get picked up? How do you test your SA?
And disableCNCheck is usually used during the development period, which means you can use a URL such as localhost during development, and that doesn't match the CN on the server.

You may need to take a look at how to configure the CXF client for https [1], and we also have CxfBcProviderHttpsTest [2], which I believe is exactly the same as your scenario; this test also uses disableCNCheck. Please check this example, it may help you.

[1]http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html
[2]https://svn.apache.org/repos/asf/servicemix/components/bindings/servicemix-cxf-bc/trunk/src/test/java/org/apache/servicemix/cxfbc/ws/security/CxfBcProviderHttpsTest.java

Freeman
On 2010-3-28, at 9:08 AM, slew77 wrote:


Hi,

Really hope someone can help me as it's driving me mad!!!

I'm trying to enable TLS for a web service call invoked using a CXF
provider.

I've setup an http-conduit on the client, but I get an error back:

"The https URL hostname does not match the Common Name (CN) on the server certificate. To disable this check (NOT recommended for production) set the CXF client TLS configuration property "disableCNCheck" to true"

For this test I've generated the certificates myself and have tried various
cn's, but I still get the error.

Finally, I tried setting disableCNCheck=true, but I still get the same
error.

Please can someone tell me how to check what hostname and cn is being
compared? Also, if anyone knows why I can't get disableCNCheck to work, I'd
be grateful too.

I'm using version 2.2.6 of CXF.

This is my SSL config:

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:jaxws="http://java.sun.com/xml/ns/jaxws"
       xsi:schemaLocation="http://cxf.apache.org/configuration/security
                           http://cxf.apache.org/schemas/configuration/security.xsd
                           http://cxf.apache.org/transports/http/configuration
                           http://cxf.apache.org/schemas/configuration/http-conf.xsd
                           http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

    <http:conduit name="{http://www.demo.com/DS/1.0}SendDS_pttBinding.http-conduit">

        <http:tlsClientParameters secureSocketProtocol="TLS" disableCNCheck="true">
            <sec:keyManagers keyPassword="abcdefg">
                <sec:keyStore type="JKS" password="abcdefg" file="X:/Certs/MiGLocalKeyStore.jks"/>
            </sec:keyManagers>
            <sec:trustManagers>
                <sec:keyStore type="JKS" password="abcdefg" file="X:/Certs/MiGLocalKeyStore.jks"/>
            </sec:trustManagers>
            <sec:cipherSuitesFilter>
                <!-- these filters ensure that a ciphersuite with
                     export-suitable or null encryption is used,
                     but exclude anonymous Diffie-Hellman key exchange as
                     this is vulnerable to man-in-the-middle attacks -->
                <sec:include>.*_EXPORT_.*</sec:include>
                <sec:include>.*_EXPORT1024_.*</sec:include>
                <sec:include>.*_WITH_DES_.*</sec:include>
                <sec:include>.*_WITH_NULL_.*</sec:include>
                <sec:exclude>.*_DH_anon_.*</sec:exclude>
            </sec:cipherSuitesFilter>
        </http:tlsClientParameters>

        <!-- Note: Connection parameter causes problems if moved to properties file -->
        <http:client AutoRedirect="true" Connection="Keep-Alive"/>

    </http:conduit>

</beans>

Thanks in advance,
Steve.

--
View this message in context: 
http://old.nabble.com/CXF-TLS---CN-Hostname-mismatch---disableCNCheck-tp28056617p28056617.html
Sent from the ServiceMix - User mailing list archive at Nabble.com.



--
Freeman Fang
------------------------
Open Source SOA: http://fusesource.com
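Steve asks how to see which hostname and which certificate name are actually being compared when CXF raises the "hostname does not match the Common Name" error. The script below is an added example for this thread, not code from CXF, ServiceMix or either poster: it takes the host part of the service URL and checks it against the names in a server certificate the way an RFC 2818 / RFC 6125 style verifier does (SAN dNSName entries are consulted first and, when present, the CN is ignored; a wildcard is only honoured as the whole leftmost label; an IP literal in the URL only matches a SAN iPAddress entry, never the CN). The exact rule set CXF 2.2.6 applies is not stated on the page, so treat this as the general check rather than a transcript of CXF's code. All names (`migserver.demo.local`, `localhost`, `127.0.0.1`) are constructed sample values, and `CertIdentity` is a hand-filled stand-in for the names you would read out of the real certificate (for example with `keytool -list -v`).

```python
"""Explain a TLS hostname/CN mismatch instead of switching the check off.

Added example for the CXF disableCNCheck thread; not CXF's own implementation.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class CertIdentity:
    """Names taken from a server certificate (filled by hand here; constructed sample)."""
    common_name: Optional[str]
    san_dns: List[str] = field(default_factory=list)   # subjectAltName dNSName entries
    san_ip: List[str] = field(default_factory=list)    # subjectAltName iPAddress entries


def host_from_url(url: str) -> str:
    """The part of the URL that the verifier compares: the host, without port or path."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL {url!r}")
    return host


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-name match; '*' is accepted only as the entire leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole first label, must leave at least two fixed labels
    # (so '*.local' is rejected), and matches exactly one label of the hostname.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(hostname: str, ident: CertIdentity) -> Tuple[bool, str]:
    """Return (matches, explanation) for the URL host against the certificate's names."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None

    if ip is not None:
        # An IP literal in the URL is only ever matched against iPAddress SANs.
        for cand in ident.san_ip:
            if ipaddress.ip_address(cand) == ip:
                return True, f"IP {hostname} matches SAN iPAddress {cand}"
        return False, (f"IP literal {hostname} is not among SAN iPAddress entries "
                       f"{ident.san_ip}; the CN is not consulted for IP literals")

    if ident.san_dns:
        # When dNSName SANs exist they are authoritative and the CN is ignored.
        for cand in ident.san_dns:
            if _dns_match(cand, hostname):
                return True, f"host {hostname} matches SAN dNSName {cand}"
        return False, (f"host {hostname} matches none of the SAN dNSName entries "
                       f"{ident.san_dns}; CN {ident.common_name!r} is ignored because SANs are present")

    if ident.common_name is not None and _dns_match(ident.common_name, hostname):
        return True, f"host {hostname} matches CN {ident.common_name!r}"
    return False, (f"host {hostname} does not match CN {ident.common_name!r} "
                   f"(certificate has no SAN dNSName entries)")


def diagnose(url: str, ident: CertIdentity) -> Tuple[bool, str]:
    """One-call helper: pull the host out of the service URL and verify it."""
    return verify_hostname(host_from_url(url), ident)


if __name__ == "__main__":
    # Constructed reproduction of the situation in the thread: a self-signed cert
    # issued to the server's name while the client is pointed at localhost.
    cert = CertIdentity(common_name="migserver.demo.local")
    for url in ("https://localhost:8443/DS", "https://MIGSERVER.demo.local:8443/DS"):
        ok, why = diagnose(url, cert)
        print(f"{url}: {'OK' if ok else 'MISMATCH'} - {why}")
```

Run against the names from your own keystore and the URL the conduit is pointed at, and the explanation string tells you which comparison failed. The durable fix is to make them agree (issue the certificate for the name in the URL, ideally as a SAN) rather than to leave disableCNCheck="true" in a configuration that will eventually reach production, which the CXF error message itself warns against. Separately, note that the cipherSuitesFilter in the quoted config includes `_EXPORT_`, `_WITH_DES_` and `_WITH_NULL_` suites, so even with the hostname check passing, the connection may negotiate export-grade or unencrypted ciphers.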
