The client code needed to automagically connect to a self-signed cert is not as straightforward as one may hope.

I feel compelled to share this code; it was the bane of my existence for several days:

(One or more of these may be needed for the code snapshot to compile; I have more code supporting an older version buried within my app, so pick and choose)

import java.security.*;
import java.security.spec.*;
import java.security.cert.*;
import javax.crypto.*;
import org.apache.xmlrpc.*;
import org.apache.xmlrpc.secure.*;
import javax.net.ssl.SSLSocketFactory;
import com.sun.net.ssl.*;   // pre-1.4 JSSE API: SSLContext, TrustManager, HostnameVerifier, HttpsURLConnection

    // Trust manager that accepts every certificate chain. With this installed the
    // client no longer authenticates the server; only the encryption layer remains.
    private class WorkAroundX509TrustManager implements X509TrustManager {
        public boolean isClientTrusted(X509Certificate[] chain) { return true; }
        public boolean isServerTrusted(X509Certificate[] chain) { return true; }
        public X509Certificate[] getAcceptedIssuers() { return null; }
    }

    // Hostname verifier that accepts any mismatch between the URL host and the certificate.
    private class WorkAroundHostnameVerifier implements HostnameVerifier {
        public boolean verify(String hostname, String session) { return true; }
    }

    if (host.url.startsWith("https:")) {
        Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
        System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
        X509TrustManager tm = new WorkAroundX509TrustManager();
        KeyManager[] km = null;            // no client certificate is presented
        TrustManager[] tma = { tm };
        HostnameVerifier hmv = new WorkAroundHostnameVerifier();
        SSLContext sc = SSLContext.getInstance("ssl");
        sc.init(km, tma, new java.security.SecureRandom());
        SSLSocketFactory sf1 = sc.getSocketFactory();
        // Installed process-wide: every HttpsURLConnection in the JVM inherits these settings.
        HttpsURLConnection.setDefaultSSLSocketFactory(sf1);
        HttpsURLConnection.setDefaultHostnameVerifier(hmv);
        NetPermission np = new NetPermission("setDefaultAuthenticator");
        this.secureClient = new SecureXmlRpcClient(host.url);
        this.secureClient.setBasicAuthentication(host.user, host.getPass());
        this.secure = true;
    } else {
        this.client = new XmlRpcClient(host.url);
        this.client.setBasicAuthentication(host.user, host.getPass());
        this.secure = false;
    }

 

The server is too easy of course:

    logger.info("Starting HTTPS Server with keystore: " + config.keyfile);
    SecurityTool.setKeyStore(config.keyfile);
    SecurityTool.setKeyStorePassword("YourKeyStorePasswordHere");
    SecureWebServer server = new SecureWebServer(config.port);

 

Please forgive my usurping of the secure routines. I am not so worried about the encryption layer; I have control of the server and the clients for this app.

I know the errors generated from hitting a self-signed cert are more than a little annoying, though, for some system programmers. Bits and pieces of this are documented somewhere, but who has the time.

Please spare me the debate about not signing your own keys, it will fail to stir the emotions you may hope in me.

It is a pleasure to finally be able to contribute a sober message on this list.

Good Luck, John

 

PS: I would like to note that I used to encrypt data on the wire before converting to XmlRpc and it was not fun, nor was the speed any better. In fact I believe SSL to be one of the fastest encryption protocols available today. My two cents.

 

 

John Buren Southerland

Southerland Consulting

801.467.8090(office)

214.734.8099(cell)

[EMAIL PROTECTED]
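The trust-everything manager above also accepts a certificate from any party that can intercept the connection. An alternative that keeps server authentication while still accepting a self-signed certificate is to trust exactly that one certificate. The following is an added example, not code from this thread or from Apache XML-RPC; it uses the javax.net.ssl API of Java 1.4 and later rather than the older com.sun.net.ssl package, and the class name SelfSignedTrust, the alias "xmlrpc-server" and the file name server.pem are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public final class SelfSignedTrust {

    /**
     * Builds an SSLSocketFactory whose trust store contains only the certificate
     * read from certPemPath (the server's self-signed cert). Any other certificate,
     * self-signed or CA-issued, is rejected. Hostname verification is left at the
     * JSSE default, so the certificate must also name the host in the XML-RPC URL.
     */
    public static SSLSocketFactory socketFactoryFor(String certPemPath) throws Exception {
        X509Certificate serverCert;
        try (InputStream in = new FileInputStream(certPemPath)) {
            serverCert = (X509Certificate) CertificateFactory.getInstance("X.509")
                                                             .generateCertificate(in);
        }

        // In-memory trust store holding that single certificate entry.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("xmlrpc-server", serverCert);   // alias is an assumption

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // no client key, default SecureRandom
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // server.pem is a hypothetical path: the server certificate exported from the
        // keystore the SecureWebServer uses, e.g.
        //   keytool -exportcert -rfc -alias <alias> -keystore <keystore> -file server.pem
        String certPath = args.length > 0 ? args[0] : "server.pem";
        HttpsURLConnection.setDefaultSSLSocketFactory(socketFactoryFor(certPath));
        // No HostnameVerifier override is installed, so the default verifier still
        // checks the URL host against the certificate. A SecureXmlRpcClient created
        // after this point uses the pinned trust store.
    }
}
```

When the server's certificate is rotated the exported file must be replaced; a mismatch fails the handshake rather than silently accepting the new certificate, which is the behaviour the trust-everything manager gives up.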


From: Nicolas Hoibian [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 21, 2005 8:54 AM
To: [email protected]
Subject: Re: I need to encrypt xmlrpc calls

 

Sorry about the reply order. The correct sentence is:
"I think I did encrypt communications", using SSL and the tools provided with the xmlrpc classes.
The client parameters are a bit more complicated. I'll post the code on this ml if you're interested.

Nicolas Hoibian

2005/9/21, Nicolas Hoibian <[EMAIL PROTECTED]>:

 

2005/9/21, Tino Wildenhain <[EMAIL PROTECTED]>:

Starsscream Desepticon wrote:
> Hello
>
> How do you encrypt XmlRpc messages? I've had a look at
> Xml Security, but it is for encrypting/signing Xml
> messages (documents). When using XmlRpc I don't touch
> Xml directly. So is there a way of making my XmlRpc
> methods save?

XMLRPC works over HTTP, so you usually just encrypt the
transport channel, meaning you use https (ssl).

HTH
Tino


I think I did so, using the Security Tool provided with xmlrpc and some black magic Java keystore
//code in main :
SecurityTool.setKeyStore("keystoreFile");
SecurityTool.setTrustStore("keystoreFile");
SecurityTool.setKeyStorePassword("keystorePassword");
SecurityTool.setTrustStorePassword("keystorePassword");

server = new SecureWebServer(port);
server.addHandler("$default", handler);
server.start();
//code end

Correct me if I'm wrong, please.

Nicolas Hoibian
