Posted to users@cxf.apache.org by "Bc. Jiří Mikulášek" <ji...@aura.cz> on 2007/12/03 13:28:10 UTC

Re: CRL support

Thanks a lot, I will check it out.

On Thursday 29 of November 2007 15:24:57 Fred Dushin wrote:
> See the http-conf:trustDecider in
>
> https://svn.apache.org/repos/asf/incubator/cxf/trunk/rt/transports/http/src/main/resources/schemas/configuration/http-conf.xsd
>
> You'll need to implement your own
> org.apache.cxf.transport.http.MessageTrustDecider, but this will get
> called when a connection is established.  Unfortunately, because of
> the design of the Sun JSSE, this is not a hook into the handshake,
> but your trust decider should be called before any application data
> is sent down the pipe.  That's the idea, at any rate.
>
> -Fred
>
> On Nov 28, 2007, at 4:26 PM, Bc. Jiří Mikulášek wrote:
> > Thanks. Because I really need CRL support, is there any way to
> > handle it on my own, maybe using some interceptor which will handle
> > it before each connection? If there is such a possibility, could
> > somebody please give me a few basic hints on where to start, what to
> > take care of, and so on?
> >
> > On Wednesday, 28 November 2007 21:32, Fred Dushin wrote:
> >> CXF does not have support for CRLs.
> >>
> >> On Nov 28, 2007, at 6:18 AM, Bc. Jiří Mikulášek wrote:
> >>> Hi all,
> >>> can somebody give me a hint on how to configure or program CRL
> >>> (certificate revocation list) checking before each SSL handshake?
> >>>
> >>> In detail:
> >>> I have this configuration on client:
> >>> <http-conf:conduit
> >>>     name="{http://..../}portName.http-conduit">
> >>>
> >>>   <http-conf:client AllowChunking="false" />
> >>>   <http-conf:tlsClientParameters secureSocketProtocol="SSL">
> >>>     <sec:trustManagers>
> >>>       <sec:keyStore type="JKS" password="password"
> >>>                     url="someurl"/>
> >>>     </sec:trustManagers>
> >>>     <sec:keyManagers keyPassword="password">
> >>>       <sec:keyStore type="JKS" password="password"
> >>>                     url="someurl"/>
> >>>     </sec:keyManagers>
> >>>   </http-conf:tlsClientParameters>
> >>> </http-conf:conduit>
> >>>
> >>> which causes SSL communication, but before each connection I would
> >>> like to check all certificates in the keystores for revocation
> >>> according to some CRL on the filesystem.
> >>>
> >>>
> >>> Thanks for any advice
> >>> --
> >>> Jiri Mikulasek
> >>> ---------------------------------
> >>> Developer
> >>>
> >>> AURA, s.r.o.
> >>> Uvoz 499/56; 602 00 Brno
> >>> ISO 9001 certified company
> >>> AQAP 2110 (ČOS 051622)
> >>> tel./fax: +420 544 508 115
> >>> e-mail:  mikulasek@aura.cz
> >>> http://www.aura.cz
> >>> ---------------------------------



-- 
Jiri Mikulasek
---------------------------------
Developer

AURA, s.r.o.
Uvoz 499/56; 602 00 Brno
ISO 9001 certified company
AQAP 2110 (ČOS 051622)
tel./fax: +420 544 508 115
e-mail:  mikulasek@aura.cz
http://www.aura.cz
---------------------------------
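
The CRL check a custom MessageTrustDecider could delegate to, as an added example that is not part of the original thread and not CXF code. It uses only JDK classes; FileCrlChecker, the CRL file path and the issuer certificate are hypothetical names and inputs, and passing the peer's certificate chain in from the trust decider is left to the caller.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Date;

/** Hypothetical helper (not a CXF class): checks a peer chain against a CRL file. */
public final class FileCrlChecker {
    private final Path crlFile;            // assumed: DER or PEM CRL on the local filesystem
    private final X509Certificate issuer;  // assumed: CA certificate that signs the CRL

    public FileCrlChecker(Path crlFile, X509Certificate issuer) {
        this.crlFile = crlFile;
        this.issuer = issuer;
    }

    /** Throws CertificateException if the CRL is unusable or a certificate is revoked. */
    public void check(X509Certificate[] chain) throws CertificateException {
        X509CRL crl = load(); // re-read on every call so an updated file takes effect
        for (X509Certificate cert : chain) {
            // A CRL only speaks for certificates issued by its own issuer;
            // others (e.g. the self-signed root) are not covered and are skipped.
            if (!cert.getIssuerX500Principal().equals(crl.getIssuerX500Principal())) {
                continue;
            }
            if (crl.isRevoked(cert)) {
                throw new CertificateException(
                    "Revoked certificate, serial " + cert.getSerialNumber().toString(16));
            }
        }
    }

    private X509CRL load() throws CertificateException {
        try (InputStream in = Files.newInputStream(crlFile)) {
            X509CRL crl = (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
            crl.verify(issuer.getPublicKey()); // reject a CRL not signed by the expected CA
            Date next = crl.getNextUpdate();
            if (next != null && next.before(new Date())) {
                throw new CertificateException("CRL is past its nextUpdate: " + next); // fail closed
            }
            return crl;
        } catch (CertificateException e) {
            throw e;
        } catch (Exception e) { // IOException, CRLException, signature failures
            throw new CertificateException("Cannot use CRL " + crlFile, e);
        }
    }
}
```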