Posted to commits@cxf.apache.org by bu...@apache.org on 2017/10/23 17:57:38 UTC

svn commit: r1019972 - in /websites/production/cxf/content: cache/docs.pageCache docs/tls-configuration.html

Author: buildbot
Date: Mon Oct 23 17:57:38 2017
New Revision: 1019972

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/tls-configuration.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/tls-configuration.html
==============================================================================
--- websites/production/cxf/content/docs/tls-configuration.html (original)
+++ websites/production/cxf/content/docs/tls-configuration.html Mon Oct 23 17:57:38 2017
@@ -33,7 +33,6 @@
 
 <script src='/resources/highlighter/scripts/shCore.js'></script>
 <script src='/resources/highlighter/scripts/shBrushXml.js'></script>
-<script src='/resources/highlighter/scripts/shBrushJava.js'></script>
 <script>
   SyntaxHighlighter.defaults['toolbar'] = false;
   SyntaxHighlighter.all();
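Review bot: dropping shBrushJava.js is only safe if no pre element tagged "brush: java" remains anywhere in tls-configuration.html; the hunks below retag the six samples visible in this diff to "brush: xml", but the diff is a partial view of the file, so the full generated page should be grepped for "brush: java" before this is published, since a block still pointing at the removed brush will no longer highlight.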
@@ -118,11 +117,11 @@ Apache CXF -- TLS Configuration
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1508777353891 {padding: 0px;}
-div.rbtoc1508777353891 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1508777353891 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1508781419389 {padding: 0px;}
+div.rbtoc1508781419389 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1508781419389 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1508777353891">
+/*]]>*/</style></p><div class="toc-macro rbtoc1508781419389">
 <ul class="toc-indentation"><li><a shape="rect" href="#TLSConfiguration-TLSParameterscommontobothClientsandServers">TLS Parameters common to both Clients and Servers</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#TLSConfiguration-KeyManagers">Key Managers</a></li><li><a shape="rect" href="#TLSConfiguration-TrustManagers">Trust Managers</a></li><li><a shape="rect" href="#TLSConfiguration-CipherSuitesFilter">CipherSuites Filter</a></li><li><a shape="rect" href="#TLSConfiguration-CertConstraints">Cert Constraints</a></li></ul>
 </li><li><a shape="rect" href="#TLSConfiguration-ClientTLSParameters">Client TLS Parameters</a>
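Review bot: the rename from rbtoc1508777353891 to rbtoc1508781419389 is a Confluence export timestamp baked into a CSS class name, so this hunk (and the @@ context of every later hunk) churns on each publish with no content change behind it; if the export tooling allows it, a stable class name for the toc-macro div would keep these commits down to the real edits, such as the brush corrections below.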
@@ -131,7 +130,7 @@ div.rbtoc1508777353891 li {margin-left:
 <ul class="toc-indentation"><li><a shape="rect" href="#TLSConfiguration-ClientAuthentication">Client Authentication</a></li></ul>
 </li></ul>
 </div><h1 id="TLSConfiguration-TLSParameterscommontobothClientsandServers">TLS Parameters common to both Clients and Servers</h1><p>The TLS Parameters common to both Clients and Servers are given <a shape="rect" class="external-link" href="https://svn.apache.org/repos/asf/cxf/trunk/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterBase.java">here</a>:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Attribute</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Default</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>keyManagers</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>JVM default Key Managers</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Key Managers to hold X509 certificates.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>tru
 stManagers</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>JVM default Trust Managers</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>TrustManagers to validate peer X509 certificates.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>jsseProvider</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>JVM default provider associated with protocol</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>JSSE provider name.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>cipherSuites</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>JVM default cipher suites</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>CipherSuites that will be supported.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>cipherSuitesFilter</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td><td colspan="1" rowspan="1" class="confluenceTd
 "><p>filters of the supported CipherSuites that will be supported and used if available.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>certConstraints</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Certificate Constraints specification.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>secureRandomParameters</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>JVM default Secure Random</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>SecureRandom specification.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>secureSocketProtocol</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>"TLS"</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Protocol Name. Most common example are "SSL", "TLS" or "TLSv1".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><co
 de>certAlias</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Cert alias to use. Useful when keystore has multiple certs.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><code>enableRevocation</code> <strong>CXF 3.1.11</strong></td><td colspan="1" rowspan="1" class="confluenceTd">"false"</td><td colspan="1" rowspan="1" class="confluenceTd"><p>This attribute specifies whether to enable revocation when checking the client/server certificate.</p><p>To enable "ocsp" this should be set to "true" (along with the Java Security property "ocsp.enable").</p></td></tr></tbody></table></div><p>&#160;</p><p>Note that from CXF 3.0.3 and 2.7.14, the SSLv3 protocol is disabled on the client side, and on the service side (if Jetty is used), unless "SSLv3" is explicitly specified for the "secureSocketProtocol" parameter.</p><h2 id="TLSConfiguration-KeyManagers">Key Managers</h2><p>The Key Managers c
 onfiguration item is used to retrieve key information. It is required for a Server, but is only required for a Client when the Server requires Client Authentication.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Key Manager sample</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">    &lt;httpj:tlsServerParameters&gt;
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">    &lt;httpj:tlsServerParameters&gt;
         ...
         &lt;sec:keyManagers keyPassword="stskpass"&gt;
             &lt;sec:keyStore type="jks" password="stsspass" resource="stsstore.jks" /&gt;
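Review bot: the Key Manager sample carries the keystore and key passwords inline (keyPassword="stskpass", password="stsspass"); since readers copy these blocks verbatim, the sample would do better to show the Spring placeholder form this page already recommends for disableCNCheck, for example keyPassword="${key.password}" (placeholder name only illustrative), with a sentence saying the literal values come from the test fixtures. The brush change itself is correct: the content is XML, not Java.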
@@ -140,7 +139,7 @@ div.rbtoc1508777353891 li {margin-left:
     &lt;/httpj:tlsServerParameters&gt;
 </pre>
 </div></div><h2 id="TLSConfiguration-TrustManagers">Trust Managers</h2><p>The Trust Managers configuration item is used to validate trust in peer X.509 certificates. It is required for both Servers and Clients.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Trust Manager sample</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">    &lt;httpj:tlsServerParameters&gt;
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">    &lt;httpj:tlsServerParameters&gt;
         ...
         &lt;sec:trustManagers&gt;
             &lt;sec:keyStore type="jks" password="stsspass" resource="stsstore.jks" /&gt;
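Review bot: the Trust Manager sample points at the same stsstore.jks, with the same password, as the Key Manager sample above, so as written the store that holds the private key doubles as the trust store. One sentence here saying whether that is intentional for the sample or merely a convenience, and that a trust store normally holds only the CA certificates a peer certificate must chain to, would stop readers from reproducing the shared-store layout in production; a separately named trust store resource in the snippet would make the distinction visible.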
@@ -149,7 +148,7 @@ div.rbtoc1508777353891 li {margin-left:
     &lt;/httpj:tlsServerParameters&gt;
 </pre>
 </div></div><h2 id="TLSConfiguration-CipherSuitesFilter">CipherSuites Filter</h2><p>The CipherSuites Filter is used to either include or exclude particular CipherSuites. If no exclusion filter is specified, the default is to exclude all "NULL" and "anon" filters. CXF 3.0.3 onwards excludes all "DES" filters as well, and 3.0.4 onwards additionally excludes all "EXPORT" filters.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CipherSuites Filter sample</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">    &lt;httpj:tlsServerParameters&gt;
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">    &lt;httpj:tlsServerParameters&gt;
         ...
         &lt;sec:cipherSuitesFilter&gt;
             &lt;sec:include&gt;.*_EXPORT_.*&lt;/sec:include&gt;
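Review bot: the CipherSuites Filter sample opens with <sec:include>.*_EXPORT_.*</sec:include>, which directly contradicts the paragraph above it stating that CXF 3.0.4 onwards excludes all "EXPORT" suites by default; an include that re-enables export-grade suites is exactly the line a reader should not copy. Suggest replacing it with an include for a strong suite family and, if the intent is to demonstrate that an explicit include overrides the default exclusion, saying so in the prose.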
@@ -162,7 +161,7 @@ div.rbtoc1508777353891 li {margin-left:
     &lt;/httpj:tlsServerParameters&gt;
 </pre>
 </div></div><h2 id="TLSConfiguration-CertConstraints">Cert Constraints</h2><p>Cert constraints can be used by either the client or server to impose constraints on the peer certificates. This can be done by specifying a set of regular expressions on either the Subject DN (Distinguished Name) or the Issuer DN (or both) of the certificate. A "combinator" attribute can also be specified for either the SubjectDNConstraints or IssuerDNConstraints Elements. This attribute can be either "ANY" or "ALL", and refers to whether any or all of the defined regular expressions should apply. The default value is "ALL".</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CipherSuites Filter sample</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">    &lt;httpj:tlsServerParameters&gt;
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">    &lt;httpj:tlsServerParameters&gt;
         ...
         &lt;sec:certConstraints&gt;
             &lt;sec:SubjectDNConstraints&gt;
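Review bot: the panel header for this block still reads "CipherSuites Filter sample" although the section is Cert Constraints and the snippet is <sec:certConstraints>; it should read "Cert Constraints sample". The brush change to xml is correct for this block as well.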
@@ -177,13 +176,13 @@ div.rbtoc1508777353891 li {margin-left:
     &lt;/httpj:tlsServerParameters&gt;
 </pre>
 </div></div><h1 id="TLSConfiguration-ClientTLSParameters">Client TLS Parameters</h1><p>In addition to the TLS Parameters common to both Clients and Servers, there are some parameters that are <a shape="rect" class="external-link" href="https://svn.apache.org/repos/asf/cxf/trunk/core/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java">specific</a> to Clients:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Attribute</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Default</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>disableCNCheck</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><code>false</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Indicates whether that the hostname given in the HTTPS URL will be checked against the service's Common Nam
 e (CN) given in its certificate during requests, and failing if there is a mismatch. If set to <code>true</code> (<strong>not recommended for production use</strong>), such checks will be bypassed. That will allow you, for example, to use a URL such as <code>localhost</code> during development.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>sslSocketFactory</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A SSLSocketFactory to use. All other bean properties are ignored if this is set.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>sslCacheTimeout</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>86400 seconds (24 hours)</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>SSL Cache Timeout in seconds.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>useHttpsURLConnectionDefaultSslSocketFactory</
 code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><code>false</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>This attribute specifies if <a shape="rect" class="external-link" href="http://java.sun.com/javase/6/docs/api/javax/net/ssl/HttpsURLConnection.html#getDefaultSSLSocketFactory()" rel="nofollow">HttpsURLConnection.getDefaultSSLSocketFactory()</a> should be used to create https connections. If '<code>true</code>', '<code>jsseProvider</code>', '<code>secureSocketProtocol</code>', '<code>trustManagers</code>', '<code>keyManagers</code>', '<code>secureRandom</code>', '<code>cipherSuites</code>' and '<code>cipherSuitesFilter</code>' configuration parameters are ignored.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>useHttpsURLConnectionDefaultHostnameVerifier</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><code>false</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>This attribute s
 pecifies if <a shape="rect" class="external-link" href="http://java.sun.com/javase/6/docs/api/javax/net/ssl/HttpsURLConnection.html#getDefaultHostnameVerifier()" rel="nofollow">HttpsURLConnection.getDefaultHostnameVerifier()</a> should be used to create https connections. If '<code>true</code>', '<code>disableCNCheck</code>' configuration parameter is ignored.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">hostnameVerifier</td><td colspan="1" rowspan="1" class="confluenceTd">&#160;</td><td colspan="1" rowspan="1" class="confluenceTd">A custom HostnameVerifier instance to use</td></tr></tbody></table></div><h2 id="TLSConfiguration-DisableCNCheck">Disable CN Check</h2><p><code>disableCNCheck</code> is a parameterized boolean, you can use a fixed variable <code>true</code>|<code>false</code> as well as a <a shape="rect" class="external-link" href="http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/beans.html#beans-factory-placeholderconf
 igurer" rel="nofollow">Spring externalized property</a> variable (e.g. <code>${disable-https-hostname-verification</code>}) or a <a shape="rect" class="external-link" href="http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/expressions.html#expressions-beandef" rel="nofollow">Spring expression</a> (e.g. <code>#{systemProperties['dev-mode']</code>}).</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>HTTP conduit configuration disabling HTTP URL hostname verification (usage of localhost, etc)</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">   &lt;!-- deactivate HTTPS url hostname verification (localhost, etc)    --&gt;
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">   &lt;!-- deactivate HTTPS url hostname verification (localhost, etc)    --&gt;
    &lt;!-- WARNING ! disableCNcheck=true should NOT be used in production --&gt;
    &lt;http-conf:tlsClientParameters disableCNCheck="true" /&gt;
    ...
 </pre>
 </div></div><h1 id="TLSConfiguration-ServerTLSParameters">Server TLS Parameters</h1><p>In addition to the TLS Parameters common to both Clients and Servers, there are some parameters that are <a shape="rect" class="external-link" href="https://svn.apache.org/repos/asf/cxf/trunk/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java">specific</a> to Servers:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Attribute</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Default</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>clientAuthentication</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Not "wanted" or "required"</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Allows you to configure whether client authentication is "wanted" and/or "required.</p></td><
 /tr><tr><td colspan="1" rowspan="1" class="confluenceTd">excludeProtocols</td><td colspan="1" rowspan="1" class="confluenceTd">SSLv3 is disabled by default for Jetty from CXF 3.0.3 + 2.7.14</td><td colspan="1" rowspan="1" class="confluenceTd">The TLS protocols to exclude.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">includeProtocols <strong>CXF 3.1.1/3.0.6</strong></td><td colspan="1" rowspan="1" class="confluenceTd">&#160;</td><td colspan="1" rowspan="1" class="confluenceTd">Allows you to add more protocols. For example, if you have a TLS protocol you could add support for "SSLv2Hello" here, for older clients.</td></tr></tbody></table></div><h2 id="TLSConfiguration-ClientAuthentication">Client Authentication</h2><p>This allows you to define whether client authentication is wanted and/or required.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Client Authentication sample</b></di
 v><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">    &lt;httpj:tlsServerParameters&gt;
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">    &lt;httpj:tlsServerParameters&gt;
         ...
         &lt;sec:clientAuthentication want="true" required="true" /&gt;
         ...
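Review bot: two markup slips in this hunk's context are worth fixing in the source page rather than leaving for the next export. In the Disable CN Check paragraph the closing brace falls outside the code element in both examples (<code>${disable-https-hostname-verification</code>} and <code>#{systemProperties['dev-mode']</code>}), so the rendered placeholder loses its "}"; and the disableCNCheck description reads "Indicates whether that the hostname ... will be checked", which wants either "whether" or "that". The clientAuthentication row in the server table also drops the closing quote on "required. The brush: xml change for both pre blocks in this hunk matches their content.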