You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2020/03/31 14:13:00 UTC

[jira] [Created] (CXF-8253) Provide a way to disable TLS trust verification for the OSGi HttpConduitConfigApplier

Colm O hEigeartaigh created CXF-8253:
----------------------------------------

             Summary: Provide a way to disable TLS trust verification for the OSGi HttpConduitConfigApplier
                 Key: CXF-8253
                 URL: https://issues.apache.org/jira/browse/CXF-8253
             Project: CXF
          Issue Type: Improvement
            Reporter: Colm O hEigeartaigh
            Assignee: Colm O hEigeartaigh
             Fix For: 3.4.0, 3.3.7


When configuring TLS using properties in an OSGi container via HttpConduitConfigApplier, there is no easy way to disable TLS trust verification (for testing). For Spring + Blueprint it's easy enough to configure an insecure Trust Manager implementation, for example:

 
{code:java}
<bean id="trustManagers" class="org.apache.cxf.transport.https.InsecureTrustManager" factory-method="getNoOpX509TrustManagers"/>

<http:conduit name="https://localhost:.*">
    <http:tlsClientParameters disableCNCheck="true">
        <sec:trustManagers ref="trustManagers" />
    </http:tlsClientParameters>
</http:conduit>
{code}
This task is to add a new configuration property called "trustManagers.disableTrustVerification", which if set to "true" will call InsecureTrustManager.getNoOpX509TrustManagers under the hood, to disable TLS trust verification.

Obviously this is insecure and should only be used for testing! InsecureTrustManager prints a LOG along these lines at warning level.

 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)