Hi,

Thanks for the response Freeman.  I got it working today - things are easier
when it's not 2am.  I went back to the beginning and recreated my
certificates and now it works.

Now all I need is to be able to see the header properties in camel and I'll
be set ;)

Thanks again,
Steve.


Freeman Fang wrote:
> 
> Hi,
> 
> Not exactly sure why disableCNCheck doesn't work for you; the
> configuration seems correct.
> I guess what you changed didn't get picked up? How do you test your SA?
> And disableCNCheck is usually used during the development period, which
> means you can use a URL such as localhost during development, which does
> not match the CN on the server.
> 
> You may need to take a look at how to configure the CXF client for HTTPS [1],
> and we also have CxfBcProviderHttpsTest [2], which I believe is exactly the
> same as your scenario. This test also uses disableCNCheck; please check this
> example, it may help you.
> 
> [1]http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html
> [2]https://svn.apache.org/repos/asf/servicemix/components/bindings/servicemix-cxf-bc/trunk/src/test/java/org/apache/servicemix/cxfbc/ws/security/CxfBcProviderHttpsTest.java
> 
> Freeman
> On 2010-3-28, at 9:08 AM, slew77 wrote:
> 
>>
>> Hi,
>>
>> Really hope someone can help me as it's driving me mad!!!
>>
>> I'm trying to enable TLS for a web service call invoked using a CXF
>> provider.
>>
>> I've set up an http-conduit on the client, but I get an error back:
>>
>> "The https URL hostname does not match the Common Name (CN) on the server
>> certificate.  To disable this check (NOT recommended for production) set the
>> CXF client TLS configuration property "disableCNCheck" to true"
>>
>> For this test I've generated the certificates myself and have tried various
>> CNs, but I still get the error.
>>
>> Finally, I tried setting disableCNCheck=true, but I still get the same
>> error.
>>
>> Please can someone tell me how to check what hostname and CN are being
>> compared?  Also, if anyone knows why I can't get disableCNCheck to work, I'd
>> be grateful too.
>>
>> I'm using version 2.2.6 of CXF.
>>
>> This is my SSL config:
>>
>> <beans xmlns="http://www.springframework.org/schema/beans"
>>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>        xmlns:sec="http://cxf.apache.org/configuration/security"
>>        xmlns:http="http://cxf.apache.org/transports/http/configuration"
>>        xmlns:jaxws="http://java.sun.com/xml/ns/jaxws"
>>        xsi:schemaLocation="http://cxf.apache.org/configuration/security
>>                            http://cxf.apache.org/schemas/configuration/security.xsd
>>                            http://cxf.apache.org/transports/http/configuration
>>                            http://cxf.apache.org/schemas/configuration/http-conf.xsd
>>                            http://www.springframework.org/schema/beans
>>                            http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
>>
>>   <http:conduit name="{http://www.demo.com/DS/1.0}SendDS_pttBinding.http-conduit">
>>
>>     <http:tlsClientParameters secureSocketProtocol="TLS" disableCNCheck="true">
>>       <sec:keyManagers keyPassword="abcdefg">
>>         <sec:keyStore type="JKS" password="abcdefg" file="X:/Certs/MiGLocalKeyStore.jks"/>
>>       </sec:keyManagers>
>>       <sec:trustManagers>
>>         <sec:keyStore type="JKS" password="abcdefg" file="X:/Certs/MiGLocalKeyStore.jks"/>
>>       </sec:trustManagers>
>>       <sec:cipherSuitesFilter>
>>         <!-- these filters ensure that a ciphersuite with
>>              export-suitable or null encryption is used,
>>              but exclude anonymous Diffie-Hellman key exchange as
>>              this is vulnerable to man-in-the-middle attacks -->
>>         <sec:include>.*_EXPORT_.*</sec:include>
>>         <sec:include>.*_EXPORT1024_.*</sec:include>
>>         <sec:include>.*_WITH_DES_.*</sec:include>
>>         <sec:include>.*_WITH_NULL_.*</sec:include>
>>         <sec:exclude>.*_DH_anon_.*</sec:exclude>
>>       </sec:cipherSuitesFilter>
>>     </http:tlsClientParameters>
>>
>>     <!-- Note: Connection parameter causes problem if moved to properties file -->
>>     <http:client AutoRedirect="true" Connection="Keep-Alive"/>
>>
>>   </http:conduit>
>>
>> </beans>
>>
>> Thanks in advance,
>> Steve.
>>
>> -- 
>> View this message in context:
>> http://old.nabble.com/CXF-TLS---CN-Hostname-mismatch---disableCNCheck-tp28056617p28056617.html
>> Sent from the ServiceMix - User mailing list archive at Nabble.com.
>>
> 
> 
> -- 
> Freeman Fang
> ------------------------
> Open Source SOA: http://fusesource.com
> 
> 
> 

-- 
View this message in context: 
http://old.nabble.com/CXF-TLS---CN-Hostname-mismatch---disableCNCheck-tp28056617p28058076.html
Sent from the ServiceMix - User mailing list archive at Nabble.com.
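
For the question in the quoted thread about which hostname and CN are being compared, here is an added diagnostic (not code from the posters or from CXF): it lists the SAN and CN entries of every certificate in a JKS keystore and tests each against the host part of the endpoint URL. It assumes the server's certificate has been imported into that keystore, as with self-signed test certificates; the class name `CnCheck` and its RFC 2818-style wildcard rule are this example's own and may differ in detail from the check CXF 2.2.6 performs.

```java
import java.io.FileInputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added diagnostic, not CXF code. Usage: java CnCheck <keystore.jks> <password> <endpoint-url>
public class CnCheck {

    // Exact match, or a wildcard that covers only the leftmost label (*.example.test).
    static boolean nameMatches(String host, String pattern) {
        host = host.toLowerCase(Locale.ROOT);
        pattern = pattern.toLowerCase(Locale.ROOT);
        if (!pattern.startsWith("*.")) return host.equals(pattern);
        int dot = host.indexOf('.');
        return dot > 0 && host.substring(dot).equals(pattern.substring(1));
    }

    // Names a hostname check can draw on: SAN entries first, then the subject CN.
    static List<String> certNames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null)
            for (List<?> san : sans) {
                int type = (Integer) san.get(0);           // 2 = dNSName, 7 = iPAddress
                if (type == 2 || type == 7) names.add("SAN:" + san.get(1));
            }
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns())
            if (rdn.getType().equalsIgnoreCase("CN")) names.add("CN:" + rdn.getValue());
        return names;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {  // no keystore given: run constructed name pairs only
            String[][] demo = {{"localhost", "localhost"}, {"127.0.0.1", "localhost"},
                    {"ws.example.test", "*.example.test"}, {"a.b.example.test", "*.example.test"}};
            for (String[] d : demo)
                System.out.println(d[0] + " vs " + d[1] + " -> " + nameMatches(d[0], d[1]));
            return;
        }
        String host = new URI(args[2]).getHost();          // the name the client compares
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
        for (String alias : Collections.list(ks.aliases()))
            if (ks.getCertificate(alias) instanceof X509Certificate)
                for (String n : certNames((X509Certificate) ks.getCertificate(alias)))
                    System.out.println(alias + "  " + n + "  matches " + host + ": "
                            + nameMatches(host, n.substring(n.indexOf(':') + 1)));
    }
}
```

Under RFC 2818 a dNSName SAN, when present, is used instead of the CN, so a certificate whose CN matches can still be rejected if it also carries SAN entries that do not.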
