Posted to commits@cxf.apache.org by bu...@apache.org on 2018/10/03 09:58:12 UTC

svn commit: r1036064 - in /websites/production/cxf/content: cache/docs.pageCache docs/tls-configuration.html

Author: buildbot
Date: Wed Oct  3 09:58:11 2018
New Revision: 1036064

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/tls-configuration.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/tls-configuration.html
==============================================================================
--- websites/production/cxf/content/docs/tls-configuration.html (original)
+++ websites/production/cxf/content/docs/tls-configuration.html Wed Oct  3 09:58:11 2018
@@ -117,11 +117,11 @@ Apache CXF -- TLS Configuration
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1524513393191 {padding: 0px;}
-div.rbtoc1524513393191 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1524513393191 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1538560651783 {padding: 0px;}
+div.rbtoc1538560651783 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1538560651783 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1524513393191">
+/*]]>*/</style></p><div class="toc-macro rbtoc1538560651783">
 <ul class="toc-indentation"><li><a shape="rect" href="#TLSConfiguration-TLSParameterscommontobothClientsandServers">TLS Parameters common to both Clients and Servers</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#TLSConfiguration-KeyManagers">Key Managers</a></li><li><a shape="rect" href="#TLSConfiguration-TrustManagers">Trust Managers</a></li><li><a shape="rect" href="#TLSConfiguration-CipherSuitesFilter">CipherSuites Filter</a></li><li><a shape="rect" href="#TLSConfiguration-CertConstraints">Cert Constraints</a></li></ul>
 </li><li><a shape="rect" href="#TLSConfiguration-ClientTLSParameters">Client TLS Parameters</a>
@@ -129,8 +129,8 @@ div.rbtoc1524513393191 li {margin-left:
 </li><li><a shape="rect" href="#TLSConfiguration-ServerTLSParameters">Server TLS Parameters</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#TLSConfiguration-ClientAuthentication">Client Authentication</a></li></ul>
 </li></ul>
-</div><h1 id="TLSConfiguration-TLSParameterscommontobothClientsandServers">TLS Parameters common to both Clients and Servers</h1><p>The TLS Parameters common to both Clients and Servers are given <a shape="rect" class="external-link" href="https://svn.apache.org/repos/asf/cxf/trunk/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterBase.java">here</a>:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Attribute</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Default</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>keyManagers</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>JVM default Key Managers</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Key Managers to hold X509 certificates.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>tru
 stManagers</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>JVM default Trust Managers</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>TrustManagers to validate peer X509 certificates.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>jsseProvider</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>JVM default provider associated with protocol</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>JSSE provider name.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>cipherSuites</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>JVM default cipher suites</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>CipherSuites that will be supported.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>cipherSuitesFilter</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td><td colspan="1" rowspan="1" class="confluenceTd
 "><p>filters of the supported CipherSuites that will be supported and used if available.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>certConstraints</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Certificate Constraints specification.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>secureRandomParameters</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>JVM default Secure Random</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>SecureRandom specification.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>secureSocketProtocol</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>"TLS"</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Protocol Name. Most common example are "SSL", "TLS" or "TLSv1".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><co
 de>certAlias</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Cert alias to use. Useful when keystore has multiple certs.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><code>enableRevocation</code> <strong>CXF 3.1.11</strong></td><td colspan="1" rowspan="1" class="confluenceTd">"false"</td><td colspan="1" rowspan="1" class="confluenceTd"><p>This attribute specifies whether to enable revocation when checking the client/server certificate.</p><p>To enable "ocsp" this should be set to "true" (along with the Java Security property "ocsp.enable").</p></td></tr></tbody></table></div><p>&#160;</p><p>Note that from CXF 3.0.3 and 2.7.14, the SSLv3 protocol is disabled on the client side, and on the service side (if Jetty is used), unless "SSLv3" is explicitly specified for the "secureSocketProtocol" parameter.</p><h2 id="TLSConfiguration-KeyManagers">Key Managers</h2><p>The Key Managers c
 onfiguration item is used to retrieve key information. It is required for a Server, but is only required for a Client when the Server requires Client Authentication.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Key Manager sample</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">    &lt;httpj:tlsServerParameters&gt;
+</div><h1 id="TLSConfiguration-TLSParameterscommontobothClientsandServers">TLS Parameters common to both Clients and Servers</h1><p>The TLS Parameters common to both Clients and Servers are given <a shape="rect" class="external-link" href="https://svn.apache.org/repos/asf/cxf/trunk/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterBase.java">here</a>:</p><div class="table-wrap"><table class="confluenceTable"><colgroup span="1"><col span="1"><col span="1"><col span="1"></colgroup><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Attribute</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Default</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>keyManagers</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>JVM default Key Managers</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Key Managers to hold X509 certificates.</p></t
 d></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>trustManagers</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>JVM default Trust Managers</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>TrustManagers to validate peer X509 certificates.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>jsseProvider</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>JVM default provider associated with protocol</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>JSSE provider name.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>cipherSuites</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>JVM default cipher suites</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>CipherSuites that will be supported.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>cipherSuitesFilter</code></p></td><td colspan="1" rowspan="1" class="conflue
 nceTd"><p>&#160;</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>filters of the supported CipherSuites that will be supported and used if available.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>certConstraints</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Certificate Constraints specification.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>secureRandomParameters</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>JVM default Secure Random</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>SecureRandom specification.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>secureSocketProtocol</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>"TLS"</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Protocol Name. For example: "TLS", "TLSv1.2", "TLSv1.3".</p></td
 ></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>certAlias</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Cert alias to use. Useful when keystore has multiple certs.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><code>enableRevocation</code> <strong>CXF 3.1.11</strong></td><td colspan="1" rowspan="1" class="confluenceTd">"false"</td><td colspan="1" rowspan="1" class="confluenceTd"><p>This attribute specifies whether to enable revocation when checking the client/server certificate.</p><p>To enable "ocsp" this should be set to "true" (along with the Java Security property "ocsp.enable").</p></td></tr></tbody></table></div><p>&#160;</p><p>Note that from CXF 3.0.3 and 2.7.14, the SSLv3 protocol is disabled on the client side, and on the service side (if Jetty is used), unless "SSLv3" is explicitly specified for the "secureSocketProtocol" parameter.</p><h2 id="TLS
 Configuration-KeyManagers">Key Managers</h2><p>The Key Managers configuration item is used to retrieve key information. It is required for a Server, but is only required for a Client when the Server requires Client Authentication.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Key Manager sample</b></div><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default">    &lt;httpj:tlsServerParameters&gt;
         ...
         &lt;sec:keyManagers keyPassword="stskpass"&gt;
             &lt;sec:keyStore type="jks" password="stsspass" resource="stsstore.jks" /&gt;
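Review bot: the new secureSocketProtocol description ("TLS", "TLSv1.2", "TLSv1.3") rightly drops "SSL" and "TLSv1" as suggested values, but the cell still reads as if the name pins a protocol version. The name is handed to SSLContext.getInstance, and on the SunJSSE provider the enabled-protocol list of a "TLSv1.2" context still contains TLS 1.0 and 1.1 unless the JVM disables them, so that setting alone does not refuse an older version from a peer; "TLSv1.3" is only usable on a JVM whose provider ships TLS 1.3 (JDK 11 or later, or a JDK 8 update carrying the backport). Suggest one more sentence in that cell pointing readers at the server-side excludeProtocols/includeProtocols attributes documented further down this page as the place to actually restrict versions, plus the JVM requirement for TLSv1.3. Smaller point in the same hunk: the Key Manager sample embeds literal passwords (keyPassword="stskpass", password="stsspass"); a placeholder or Spring property reference would stop readers copying sample secrets into real config.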
@@ -139,7 +139,7 @@ div.rbtoc1524513393191 li {margin-left:
     &lt;/httpj:tlsServerParameters&gt;
 </pre>
 </div></div><h2 id="TLSConfiguration-TrustManagers">Trust Managers</h2><p>The Trust Managers configuration item is used to validate trust in peer X.509 certificates. It is required for both Servers and Clients.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Trust Manager sample</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">    &lt;httpj:tlsServerParameters&gt;
+<pre class="brush: xml; gutter: false; theme: Default">    &lt;httpj:tlsServerParameters&gt;
         ...
         &lt;sec:trustManagers&gt;
             &lt;sec:keyStore type="jks" password="stsspass" resource="stsstore.jks" /&gt;
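Review bot: only the inline font-size style is dropped here, but the Trust Manager sample left in context points sec:trustManagers at the same stsstore.jks (same password) that the Key Manager sample above uses for the private key. A reader who copies both blocks ends up with a single file serving as both trust store and private-key store, so every certificate in it becomes a trust anchor and the trust anchors inherit the private key's access controls. Suggest the sample reference a separate truststore resource and password so the two roles stay distinct.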
@@ -148,7 +148,7 @@ div.rbtoc1524513393191 li {margin-left:
     &lt;/httpj:tlsServerParameters&gt;
 </pre>
 </div></div><h2 id="TLSConfiguration-CipherSuitesFilter">CipherSuites Filter</h2><p>The CipherSuites Filter is used to either include or exclude particular CipherSuites. If no exclusion filter is specified, the default is to exclude all "NULL" and "anon" filters. CXF 3.0.3 onwards excludes all "DES" filters as well, and 3.0.4 onwards additionally excludes all "EXPORT" filters.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CipherSuites Filter sample</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">    &lt;httpj:tlsServerParameters&gt;
+<pre class="brush: xml; gutter: false; theme: Default">    &lt;httpj:tlsServerParameters&gt;
         ...
         &lt;sec:cipherSuitesFilter&gt;
             &lt;sec:include&gt;.*_EXPORT_.*&lt;/sec:include&gt;
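Review bot: the CipherSuites Filter sample opens with &lt;sec:include&gt;.*_EXPORT_.*&lt;/sec:include&gt;, which re-enables the EXPORT suites that the paragraph directly above says CXF 3.0.4 onward excludes by default; as the page's only filter example it teaches readers how to weaken the defaults rather than tighten them. Suggest a sample that includes a modern pattern (for instance .*_AES_.*) and keeps the EXPORT, NULL, anon and DES exclusions, with a one-line note that a suite named in sec:include must also be supported by the JSSE provider to take effect. Also in this hunk, "exclude all "NULL" and "anon" filters" should read "cipher suites": filters are what is configured, suites are what gets excluded.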
@@ -161,7 +161,7 @@ div.rbtoc1524513393191 li {margin-left:
     &lt;/httpj:tlsServerParameters&gt;
 </pre>
 </div></div><h2 id="TLSConfiguration-CertConstraints">Cert Constraints</h2><p>Cert constraints can be used by either the client or server to impose constraints on the peer certificates. This can be done by specifying a set of regular expressions on either the Subject DN (Distinguished Name) or the Issuer DN (or both) of the certificate. A "combinator" attribute can also be specified for either the SubjectDNConstraints or IssuerDNConstraints Elements. This attribute can be either "ANY" or "ALL", and refers to whether any or all of the defined regular expressions should apply. The default value is "ALL".</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CipherSuites Filter sample</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">    &lt;httpj:tlsServerParameters&gt;
+<pre class="brush: xml; gutter: false; theme: Default">    &lt;httpj:tlsServerParameters&gt;
         ...
         &lt;sec:certConstraints&gt;
             &lt;sec:SubjectDNConstraints&gt;
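Review bot: the code header for the Cert Constraints block is still labelled "CipherSuites Filter sample" (carried over from the previous section) while the block itself opens sec:certConstraints / sec:SubjectDNConstraints; rename it to "Cert Constraints sample". The prose above it says the regular expressions apply to the Subject DN or Issuer DN but not whether a pattern must match the whole DN string or any substring of it; that detail decides whether a loosely written CN pattern can be satisfied by an unrelated certificate whose DN merely contains the same text, so it is worth stating next to the "combinator" explanation.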
@@ -176,13 +176,13 @@ div.rbtoc1524513393191 li {margin-left:
     &lt;/httpj:tlsServerParameters&gt;
 </pre>
 </div></div><h1 id="TLSConfiguration-ClientTLSParameters">Client TLS Parameters</h1><p>In addition to the TLS Parameters common to both Clients and Servers, there are some parameters that are <a shape="rect" class="external-link" href="https://svn.apache.org/repos/asf/cxf/trunk/core/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java">specific</a> to Clients:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Attribute</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Default</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>disableCNCheck</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><code>false</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Indicates whether that the hostname given in the HTTPS URL will be checked against the service's Common Nam
 e (CN) given in its certificate during requests, and failing if there is a mismatch. If set to <code>true</code> (<strong>not recommended for production use</strong>), such checks will be bypassed. That will allow you, for example, to use a URL such as <code>localhost</code> during development.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>sslSocketFactory</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A SSLSocketFactory to use. All other bean properties are ignored if this is set.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>sslCacheTimeout</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>86400 seconds (24 hours)</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>SSL Cache Timeout in seconds.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>useHttpsURLConnectionDefaultSslSocketFactory</
 code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><code>false</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>This attribute specifies if <a shape="rect" class="external-link" href="http://java.sun.com/javase/6/docs/api/javax/net/ssl/HttpsURLConnection.html#getDefaultSSLSocketFactory()" rel="nofollow">HttpsURLConnection.getDefaultSSLSocketFactory()</a> should be used to create https connections. If '<code>true</code>', '<code>jsseProvider</code>', '<code>secureSocketProtocol</code>', '<code>trustManagers</code>', '<code>keyManagers</code>', '<code>secureRandom</code>', '<code>cipherSuites</code>' and '<code>cipherSuitesFilter</code>' configuration parameters are ignored.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>useHttpsURLConnectionDefaultHostnameVerifier</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><code>false</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>This attribute s
 pecifies if <a shape="rect" class="external-link" href="http://java.sun.com/javase/6/docs/api/javax/net/ssl/HttpsURLConnection.html#getDefaultHostnameVerifier()" rel="nofollow">HttpsURLConnection.getDefaultHostnameVerifier()</a> should be used to create https connections. If '<code>true</code>', '<code>disableCNCheck</code>' configuration parameter is ignored.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">hostnameVerifier</td><td colspan="1" rowspan="1" class="confluenceTd">&#160;</td><td colspan="1" rowspan="1" class="confluenceTd">A custom HostnameVerifier instance to use</td></tr></tbody></table></div><h2 id="TLSConfiguration-DisableCNCheck">Disable CN Check</h2><p><code>disableCNCheck</code> is a parameterized boolean, you can use a fixed variable <code>true</code>|<code>false</code> as well as a <a shape="rect" class="external-link" href="http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/beans.html#beans-factory-placeholderconf
 igurer" rel="nofollow">Spring externalized property</a> variable (e.g. <code>${disable-https-hostname-verification</code>}) or a <a shape="rect" class="external-link" href="http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/expressions.html#expressions-beandef" rel="nofollow">Spring expression</a> (e.g. <code>#{systemProperties['dev-mode']</code>}).</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>HTTP conduit configuration disabling HTTP URL hostname verification (usage of localhost, etc)</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">   &lt;!-- deactivate HTTPS url hostname verification (localhost, etc)    --&gt;
+<pre class="brush: xml; gutter: false; theme: Default">   &lt;!-- deactivate HTTPS url hostname verification (localhost, etc)    --&gt;
    &lt;!-- WARNING ! disableCNcheck=true should NOT be used in production --&gt;
    &lt;http-conf:tlsClientParameters disableCNCheck="true" /&gt;
    ...
 </pre>
 </div></div><h1 id="TLSConfiguration-ServerTLSParameters">Server TLS Parameters</h1><p>In addition to the TLS Parameters common to both Clients and Servers, there are some parameters that are <a shape="rect" class="external-link" href="https://svn.apache.org/repos/asf/cxf/trunk/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java">specific</a> to Servers:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Attribute</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Default</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code>clientAuthentication</code></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Not "wanted" or "required"</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Allows you to configure whether client authentication is "wanted" and/or "required.</p></td><
 /tr><tr><td colspan="1" rowspan="1" class="confluenceTd">excludeProtocols</td><td colspan="1" rowspan="1" class="confluenceTd">SSLv3 is disabled by default for Jetty from CXF 3.0.3 + 2.7.14</td><td colspan="1" rowspan="1" class="confluenceTd">The TLS protocols to exclude.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">includeProtocols <strong>CXF 3.1.1/3.0.6</strong></td><td colspan="1" rowspan="1" class="confluenceTd">&#160;</td><td colspan="1" rowspan="1" class="confluenceTd">Allows you to add more protocols. For example, if you have a TLS protocol you could add support for "SSLv2Hello" here, for older clients.</td></tr></tbody></table></div><h2 id="TLSConfiguration-ClientAuthentication">Client Authentication</h2><p>This allows you to define whether client authentication is wanted and/or required.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Client Authentication sample</b></di
 v><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">    &lt;httpj:tlsServerParameters&gt;
+<pre class="brush: xml; gutter: false; theme: Default">    &lt;httpj:tlsServerParameters&gt;
         ...
         &lt;sec:clientAuthentication want="true" required="true" /&gt;
         ...
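Review bot: the includeProtocols description ("if you have a TLS protocol you could add support for "SSLv2Hello" here, for older clients") presents accepting the SSLv2-format hello as a routine option with no caution, which sits oddly beside the excludeProtocols cell stating that SSLv3 is disabled by default since 3.0.3/2.7.14; mark it as a compatibility fallback for legacy clients only, not something to add to a new deployment. Wording fixes in the same hunk: the clientAuthentication cell "wanted" and/or "required. is missing its closing quote; the disableCNCheck description "Indicates whether that the hostname given in the HTTPS URL will be checked ... and failing if there is a mismatch" should drop "that" and end "and whether the request fails on a mismatch"; and the useHttpsURLConnectionDefaultSslSocketFactory cell lists 'secureRandom' where the common-parameters table names the attribute secureRandomParameters. The two javadoc links still point at the Java 6 API on java.sun.com; linking the current javax.net.ssl.HttpsURLConnection docs would be more durable.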