Posted to users@cxf.apache.org by Jose María Zaragoza <de...@gmail.com> on 2015/03/02 16:32:53 UTC

Re: Check SSL server certificate

2015-02-27 14:58 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
> Why not write a test-case for this scenario?

Done.

In b) mode (i.e., only the issuer of the server certificate is stored in
the truststore), when the server certificate is expired, the client
request throws an exception like:

Caused by: javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateNotYetValidException:
NotBefore: Mon Mar 02 13:21:48 CET 2015

In a) mode (i.e., the server certificate itself is stored in the
truststore), when the server certificate is expired, the client
request doesn't throw any exception.

I wonder if it's possible to disable time checking in b) mode.

Thanks

>
> Colm.
>
> On Fri, Feb 27, 2015 at 1:35 PM, Jose María Zaragoza <de...@gmail.com> wrote:
>
>> 2015-02-27 12:22 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
>>>> But, what is a CA certificate chain for? I would like not to have to
>>>> verify the trustworthiness of a certificate manually before importing it.
>>>
>>> When you need to verify trust in a certificate, CXF essentially asks your
>>> truststore two questions:
>>>
>>> a) Is this certificate stored in the truststore (direct trust)
>>> b) Is the issuer of this certificate stored in the truststore, and is the
>>> cert chain correct, etc.
>>
>> Sorry (again), but one more question:
>>
>> What if I store the trusted CA certificates in the truststore (i.e., b mode)
>> but the server certificate has expired?
>>
>> In a) mode, I know that it is deemed to be trusted, but I'm not sure
>> in b) mode.
>>
>> Thanks
>>
>>> Obviously directly storing certificates in the truststore does not scale.
>>> It might be useful for some scenarios though. The normal way of doing
>>> things is to just store your trusted CA certs in there.
>>>
>>> Colm.
>>>
>>> On Fri, Feb 27, 2015 at 10:47 AM, Jose María Zaragoza <demablogia@gmail.com> wrote:
>>>
>>>> 2015-02-27 11:28 GMT+01:00 Colm O hEigeartaigh <co...@apache.org>:
>>>>> What is the concept of a "truststore" other than a collection of trusted
>>>>> certificates? If you don't trust the certificate then don't put it in
>>>>> there... :-)
>>>>
>>>> Yes, it's true. :-)
>>>> But, what is a CA certificate chain for? I would like not to have to
>>>> verify the trustworthiness of a certificate manually before importing it.
>>>>
>>>> Regards
>>>>
>>>>> Colm.
>>>>>
>>>>> On Fri, Feb 27, 2015 at 10:22 AM, Jose María Zaragoza <demablogia@gmail.com> wrote:
>>>>>
>>>>>> 2015-02-27 11:06 GMT+01:00 Colm O hEigeartaigh <coheigea@apache.org>:
>>>>>>> No, if the certificate itself is in the truststore then it is deemed to be
>>>>>>> trusted - the CA certificate does not need to be in there as well.
>>>>>>>
>>>>>>> Colm.
>>>>>>
>>>>>> Thanks.
>>>>>> Is this the standard behaviour in JSSE?
>>>>>> I think that all the CAs in the chain should be validated, to be sure
>>>>>> the certificate is signed by a trusted CA.
>>>>>>
>>>>>>> On Fri, Feb 27, 2015 at 7:37 AM, Jose María Zaragoza <demablogia@gmail.com> wrote:
>>>>>>>
>>>>>>>> 2015-02-26 23:38 GMT+01:00 Colm O hEigeartaigh <coheigea@apache.org>:
>>>>>>>>> I did a quick test using CXF's WebClient doing a "GET" on
>>>>>>>>> https://www.google.com. It works fine when you don't specify any
>>>>>>>>> TLSClientParameters as expected, as it picks up the default cacerts.
>>>>>>>>> However, when I added the following it fails (also as expected):
>>>>>>>>>
>>>>>>>>>  <http:conduit name="https://.*">
>>>>>>>>>       <http:tlsClientParameters disableCNCheck="true">
>>>>>>>>>         <sec:trustManagers>
>>>>>>>>>           <sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/>
>>>>>>>>>         </sec:trustManagers>
>>>>>>>>>       </http:tlsClientParameters>
>>>>>>>>>    </http:conduit>
>>>>>>>>>
>>>>>>>>> Colm.
>>>>>>>>
>>>>>>>> OK. That's right.
>>>>>>>> But, if you import the Google certificate into clientstore.jks but you
>>>>>>>> don't import its CA certificate (GeoTrust CA, in this case), should
>>>>>>>> it fail? This is my question.
>>>>>>>> I don't know what validation path JSSE follows.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>
>>>>>>>>> On Thu, Feb 26, 2015 at 10:07 PM, Jose María Zaragoza <demablogia@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> 2015-02-26 22:23 GMT+01:00 Sergey Beryozkin <sberyozkin@gmail.com>:
>>>>>>>>>>> What I meant is that you do use a self signed cert to sign a previously
>>>>>>>>>>> generated certificate but do not import this self signed cert into the
>>>>>>>>>>> truststore, which would emulate the same situation you have now without
>>>>>>>>>>> having to provide a test where well known providers sign a given server
>>>>>>>>>>> certificate.
>>>>>>>>>>
>>>>>>>>>> OK
>>>>>>>>>> I'll try it
>>>>>>>>>>
>>>>>>>>>> Thanks
>>>>>>>>>>
>>>>>>>>>>> Sergey
>>>>>>>>>>>
>>>>>>>>>>> On 26/02/15 18:51, Jose María Zaragoza wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> 2015-02-26 18:09 GMT+01:00 Sergey Beryozkin <sberyozkin@gmail.com>:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi
>>>>>>>>>>>>>
>>>>>>>>>>>>> I guess this is what Colm is implying, that the actual problem is that
>>>>>>>>>>>>> it does work.
>>>>>>>>>>>>> Can it be reproduced by a given server certificate with a self-signed
>>>>>>>>>>>>> certificate validating it?
>>>>>>>>>>>>
>>>>>>>>>>>> Well, I don't have a testcase right now. I'll try to reproduce it.
>>>>>>>>>>>>
>>>>>>>>>>>> With a self signed certificate, the behaviour is also the same.
>>>>>>>>>>>> But that makes sense (for me), because your CA is yourself, so you
>>>>>>>>>>>> could trust it (if the certificate is imported into your keystore).
>>>>>>>>>>>>
>>>>>>>>>>>> Regards
>>>>>>>>>>>>
>>>>>>>>>>>>> Cheers, Sergey
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 26/02/15 16:55, Jose María Zaragoza wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh <coheigea@apache.org>:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> It does, but only if no truststore has been configured in CXF. Do you
>>>>>>>>>>>>>>> have a test-case that reproduces this problem?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks, not really.
>>>>>>>>>>>>>> Indeed, it's not a problem because my client works fine, but I cannot
>>>>>>>>>>>>>> understand why. I only imported the server certificate, not the others
>>>>>>>>>>>>>> in the chain.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> As I don't know how the underlying certificate validation is performed,
>>>>>>>>>>>>>> I don't know if this behaviour is caused by default settings in CXF
>>>>>>>>>>>>>> or by another reason.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Regards
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza <de...@gmail.com> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <coheigea@apache.org>:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> You are using "keyManagers" instead of "trustManagers" in the
>>>>>>>>>>>>>>>>> configuration. "keyManagers" is used when you need to specify a key
>>>>>>>>>>>>>>>>> for client authentication. "trustManagers" is used to verify trust in
>>>>>>>>>>>>>>>>> the server's cert. As you have no "trustManagers" configuration here,
>>>>>>>>>>>>>>>>> I guess it is falling back on the default JVM settings
>>>>>>>>>>>>>>>>> (javax.net.ssl.trustStore)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Sorry, it was a typo. I'm using trustManagers
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> <sec:trustManagers>
>>>>>>>>>>>>>>>>     <sec:keyStore type="JKS" password="*******" resource="truststore.jks"/>
>>>>>>>>>>>>>>>> </sec:trustManagers>
>>>>>>>>>>>>>>>> <sec:cipherSuitesFilter>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Do you know if JSSE (I guess it's the underlying TLS implementation)
>>>>>>>>>>>>>>>> uses the default JVM truststore for checking certificates?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza <de...@gmail.com> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Hello:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Maybe this question is a bit off topic, but I'm trying to understand
>>>>>>>>>>>>>>>>>> why my client works.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I use CXF 2.7.8 to call a remote webservice by HTTPS (SSL/TLS).
>>>>>>>>>>>>>>>>>> These are my settings:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> <http-conf:conduit name="https://.*">
>>>>>>>>>>>>>>>>>>     <http-conf:tlsClientParameters>
>>>>>>>>>>>>>>>>>>     <sec:keyManagers keyPassword="xxxxxxxx">
>>>>>>>>>>>>>>>>>>           <sec:keyStore type="JKS" password="xxxxxxxx" resource="truststore.jks"/>
>>>>>>>>>>>>>>>>>>      </sec:keyManagers>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I've imported the SSL server certificate into truststore.jks,
>>>>>>>>>>>>>>>>>> and it works fine.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> But this certificate is signed by a CA chain (from godaddy.com),
>>>>>>>>>>>>>>>>>> and (I think) I haven't imported any certificate from godaddy.
>>>>>>>>>>>>>>>>>> Why does my client trust the server certificate?
>>>>>>>>>>>>>>>>>> Isn't some Certification Path Validation process performed?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Thanks and regards
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> Colm O hEigeartaigh
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Talend Community Coder
>>>>>>>>>>>>>>>>> http://coders.talend.com
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Colm O hEigeartaigh
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Talend Community Coder
>>>>>>>>>>>>>>> http://coders.talend.com
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Sergey Beryozkin
>>>>>>>>>>>>>
>>>>>>>>>>>>> Talend Community Coders
>>>>>>>>>>>>> http://coders.talend.com/
>>>>>>>>>>>>>
>>>>>>>>>>>>> Blog: http://sberyozkin.blogspot.com
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Colm O hEigeartaigh
>>>>>>>>>
>>>>>>>>> Talend Community Coder
>>>>>>>>> http://coders.talend.com
>>>>>>>
>>>>>>> --
>>>>>>> Colm O hEigeartaigh
>>>>>>>
>>>>>>> Talend Community Coder
>>>>>>> http://coders.talend.com
>>>>>
>>>>> --
>>>>> Colm O hEigeartaigh
>>>>>
>>>>> Talend Community Coder
>>>>> http://coders.talend.com
>>>
>>> --
>>> Colm O hEigeartaigh
>>>
>>> Talend Community Coder
>>> http://coders.talend.com
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
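An added worked example for the two truststore questions discussed in this thread (editor's code, not from the CXF project or from anyone posting above). It builds the a) and b) truststores in memory with the plain JSSE API, runs the JDK's PKIX trust manager against a server chain in each mode, and then adds the check the test-case above shows to be missing: when the leaf certificate is itself a trust anchor, the JDK validator accepts the chain without running path validation, so the validity period is never examined. The wrapper restores that check by calling checkValidity() on every certificate after the delegate has accepted the chain, and the last method shows how to install such a trust manager on a CXF conduit programmatically (ClientProxy, HTTPConduit and TLSClientParameters.setTrustManagers are the CXF client API; the class name, the file names server.pem and ca.pem, and the "port" proxy are assumptions).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

// Added example, not code from this thread or from CXF. The class name, the PEM
// file names and the "port" proxy are assumptions.
public class TrustModes {

    // Reads every certificate in a PEM file; for a server chain the leaf comes first.
    static X509Certificate[] loadPem(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            List<X509Certificate> out = new ArrayList<>();
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
            return out.toArray(new X509Certificate[0]);
        }
    }

    // Builds an in-memory truststore that holds only the given anchors.
    static KeyStore trustStoreOf(X509Certificate... anchors) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // start empty
        for (int i = 0; i < anchors.length; i++) {
            ks.setCertificateEntry("anchor-" + i, anchors[i]);
        }
        return ks;
    }

    // The JDK's default (PKIX) X509TrustManager for a truststore.
    static X509TrustManager pkixTrustManager(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return (X509TrustManager) tmf.getTrustManagers()[0]; // the PKIX factory yields one X509TrustManager
    }

    // Delegates to the PKIX manager and then checks the validity period of every
    // certificate itself. When the leaf is a trust anchor (a) mode) the JDK validator
    // returns without path validation, so an expired or not-yet-valid server
    // certificate would otherwise be accepted silently.
    static X509TrustManager enforcingValidity(final X509TrustManager delegate) {
        return new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                delegate.checkServerTrusted(chain, authType);
                for (X509Certificate c : chain) {
                    c.checkValidity(); // CertificateExpiredException / CertificateNotYetValidException
                }
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                delegate.checkClientTrusted(chain, authType); // client auth is not in scope here
            }
            public X509Certificate[] getAcceptedIssuers() {
                return delegate.getAcceptedIssuers();
            }
        };
    }

    // Installs the trust manager on the HTTP conduit of a CXF JAX-WS proxy.
    static void installOn(Object port, X509TrustManager tm) {
        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        TLSClientParameters tls = new TLSClientParameters();
        tls.setTrustManagers(new TrustManager[] {tm});
        conduit.setTlsClientParameters(tls);
    }

    public static void main(String[] args) throws Exception {
        X509Certificate[] chain = loadPem("server.pem"); // assumed: server chain, leaf first
        X509Certificate[] ca = loadPem("ca.pem");        // assumed: the issuing CA
        X509TrustManager direct = pkixTrustManager(trustStoreOf(chain[0])); // a) mode
        X509TrustManager viaIssuer = pkixTrustManager(trustStoreOf(ca));    // b) mode
        for (X509TrustManager tm : new X509TrustManager[] {direct, viaIssuer, enforcingValidity(direct)}) {
            try {
                tm.checkServerTrusted(chain, "RSA"); // authType JSSE passes for an RSA key exchange
                System.out.println("accepted");
            } catch (CertificateException e) {
                System.out.println("rejected: " + e);
            }
        }
    }
}
```

With a server certificate whose NotBefore lies in the future, as in the test-case above, "direct" accepts the chain, "viaIssuer" rejects it with CertificateNotYetValidException, and the wrapped "direct" rejects it as well. Two cautions follow from this: a directly trusted leaf is effectively certificate pinning with no expiry, so the truststore has to be rotated by hand before the server's certificate is renewed; and the disableCNCheck="true" attribute in the conduit snippet quoted above switches off hostname matching on top of that, so leave it at its default outside a test.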

Re: Check SSL server certificate

Posted by Colm O hEigeartaigh <co...@apache.org>.
> I wonder if it's possible to disable time checking in b) mode

It's not possible, at least without doing a good bit of custom work.

Colm.




-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com