Posted to c-dev@axis.apache.org by Vivian Wang <vi...@yahoo.com> on 2008/10/29 05:05:30 UTC

a HTTPS/SSL question

Hi, there,

I have a web service client using axis2/c to access a Salesforce.com web site that is protected with SSL (the url starts with https://). I didn't give a certificate chain file path in the configuration file axis2.xml, so the web service client failed. However, if I use soapUI (a free downloaded web service testing tool) to access the same service without giving any SSL related setting (just like accessing a service starting with http://), it all goes fine. What is the difference here? Is there any setting I can do in axis2/c to make it work as soapUI?

I noticed another similar thing. When a wsdl parser (from axis-j 1.4) is trying to retrieve a SSL-protected wsdl (I set it up in TOMCAT) using a URL that starts with https:, I have to provide a client keystore (using jsse system.setProperty(....)) otherwise I will get an error saying something like trustedstore not found, but soapUI was just fine loading the same wsdl. What's really going on?

Any help is much appreciated!

Vivian

   


      

---------------------------------------------------------------------
To unsubscribe, e-mail: axis-c-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-c-dev-help@ws.apache.org


Re: a HTTPS/SSL question

Posted by Uthaiyashankar <sh...@wso2.com>.
Dmitry Goncharov wrote:
> Hi,
>
>
> Dumindu Pallewela wrote:
>> Anyway, if it is only for testing, what you can do is to follow the 
>> Axis2/C manual and retrieve the server cert from the server. [1] 
>> (refer to sec. 13.1.2 Configuration). Well you can do this even if it 
>> was not for testing, but it is not recommended to do so.
>>
>> Thanks,
>> Dumindu.
> Why is this not recommended?

What the manual says is, get the certificate from the end point and set 
it as CA certificate. In this case, you are excluding the trust 
verification, or you are doing it manually, which is not recommended, 
since any intruders can impersonate the service (e.g. by DNS Spoofing) 
and issue the certificate and thereby get your secret details.

Regards,
Shankar.
>
> Thanks, Dmitry
>


-- 
S.Uthaiyashankar
Software Architect
WSO2 Inc. 
http://wso2.com/ - "The Open Source SOA Company" 




Re: a HTTPS/SSL question

Posted by Dmitry Goncharov <dg...@unison.com>.
Hi,


Dumindu Pallewela wrote:
> Anyway, if it is only for testing, what you can do is to follow the 
> Axis2/C manual and retrieve the server cert from the server. [1] 
> (refer to sec. 13.1.2 Configuration). Well you can do this even if it 
> was not for testing, but it is not recommended to do so.
>
> Thanks,
> Dumindu.
Why is this not recommended?

Thanks, Dmitry


Re: a HTTPS/SSL question

Posted by Dumindu Pallewela <pa...@gmail.com>.
Hi Vivian,
Please find my comment inline:

On Wed, Oct 29, 2008 at 11:44 PM, Vivian Wang <vi...@yahoo.com> wrote:

> So is there an option in axis2/c that I can turn off the certificate
> validation?


No we don't support that at the moment.


> I think this is important because from a client point of view, lots of
> times when I want to access a web service under SSL using https://.. I
> know that is the site I want to go.


Yes, web browsers do support that, but in reality you don't know if
that truly is the site that you want to access, if you don't have the
server's certificate beforehand (someone can spoof DNS and present
themselves as https://foo.com). Yes, I have neglected well-known
Certificate Authorities for simplicity. If you trust the CA that issued the
server cert, all you need is the CA's certificate.


> And just like you said, browsers will ask you if you want to trust the site
> and I can say yes or no. It would also be very inconvenient for a client to
> have to get the certificate from a service provider (they may not give you).


Anyway, if it is only for testing, what you can do is to follow the Axis2/C
manual and retrieve the server cert from the server. [1] (refer to
sec. 13.1.2 Configuration). Well you can do this even if it was not for
testing, but it is not recommended to do so.

Thanks,
Dumindu.

[1] http://ws.apache.org/axis2/c/docs/axis2c_manual.html#ssl_client
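
The two ways of filling in the client trust setting discussed in this thread, shown as an added example that is not part of any poster's message or of the Axis2/C distribution. It uses the `SERVER_CERT` parameter from the manual's SSL client section [1]; all file paths are placeholders.

```xml
<!-- Added example: client-side SSL settings in axis2.xml. All paths are placeholders. -->
<transportSender name="https" class="axis2_http_sender">
    <parameter name="PROTOCOL" locked="false">HTTP/1.1</parameter>
</transportSender>

<!-- Recommended: SERVER_CERT points at the certificate of the CA that issued
     the server's certificate. The chain the server presents is verified
     against this CA, so a certificate from an unknown issuer is rejected. -->
<parameter name="SERVER_CERT">/path/to/ca/certificate.pem</parameter>

<!-- Testing shortcut from the manual: SERVER_CERT points at a copy of the
     endpoint's own certificate, saved from the server. The client then trusts
     whatever was served at the moment the file was saved, so the copy has to
     be checked out of band (for example by comparing its fingerprint with one
     the service owner publishes) before it is used.
<parameter name="SERVER_CERT">/path/to/saved/endpoint/certificate.pem</parameter>
-->
```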

Re: a HTTPS/SSL question

Posted by Vivian Wang <vi...@yahoo.com>.
Hi Shankar,

So is there an option in axis2/c that I can turn off the certificate validation? I think this is important because from a client point of view, lots of times when I want to access a web service under SSL using https://.. I know that is the site I want to go. And just like you said, browsers will ask you if you want to trust the site and I can say yes or no. It would also be very inconvenient for a client to have to get the certificate from a service provider (they may not give you). 

Thanks!
Vivian


--- On Wed, 10/29/08, Uthaiyashankar <sh...@wso2.com> wrote:

> From: Uthaiyashankar <sh...@wso2.com>
> Subject: Re: a HTTPS/SSL question
> To: "Apache AXIS C Developers List" <ax...@ws.apache.org>
> Date: Wednesday, October 29, 2008, 2:32 AM
> Hi,
> 
> When you access an https endpoint, the certificate of that
> endpoint should be validated whether it can be trusted. This
> validation is based on whether we trust any of the CAs
> of the certificate. This is the same as what happens in a
> browser. If you access any https and if the browser
> can't validate the trust path, it will not allow (or
> give you a warning) to access the end point. AFAIK, in
> Axis2/C, we give the certificate chain file to verify this.
> I think soapUI allows you to access the endpoint without
> validating the certificate.
> 
> Regards,
> Shankar
> 
> 
> Vivian Wang wrote:
> > Hi, there,
> > 
> > I have a web service client using axis2/c to access a
> Salesforce.com web site that is protected with SSL (the url
> starts with https://). I didn't give a certificate chain
> file path in the configuration file axis2.xml, so the web
> service client failed. However, if I use soapUI (a free
> downloaded web service testing tool) to access the same
> service without giving any SSL related setting (just like
> accessing a service starting with http://), it all goes
> fine. What is the difference here? Is there any setting I
> can do in axis2/c to make it work as soapUI?
> > 
> > I noticed another similar thing. When a wsdl parser
> (from axis-j 1.4) is trying to retrieve a SSL-protected wsdl (I
> set it up in TOMCAT) using a URL that starts with https:, I
> have to provide a client keystore (using jsse
> system.setProperty(....)) otherwise I will get an error
> saying something like trustedstore not found, but soapUI was
> just fine loading the same wsdl. What's really going on?
> > 
> > Any help is much appreciated!
> > 
> > Vivian
>
> -- S.Uthaiyashankar
> Software Architect
> WSO2 Inc. http://wso2.com/ - "The Open Source SOA
> Company" 


Re: a HTTPS/SSL question

Posted by Uthaiyashankar <sh...@wso2.com>.
Hi,

When you access an https endpoint, the certificate of that endpoint 
should be validated whether it can be trusted. This validation is based 
on whether we trust any of the CAs of the certificate. This is the same as 
what happens in a browser. If you access any https and if the browser 
can't validate the trust path, it will not allow (or give you a warning) 
to access the end point. AFAIK, in Axis2/C, we give the certificate 
chain file to verify this. I think soapUI allows you to access the 
endpoint without validating the certificate.

Regards,
Shankar


Vivian Wang wrote:
> Hi, there,
>
> I have a web service client using axis2/c to access a Salesforce.com web site that is protected with SSL (the url starts with https://). I didn't give a certificate chain file path in the configuration file axis2.xml, so the web service client failed. However, if I use soapUI (a free downloaded web service testing tool) to access the same service without giving any SSL related setting (just like accessing a service starting with http://), it all goes fine. What is the difference here? Is there any setting I can do in axis2/c to make it work as soapUI?
>
> I noticed another similar thing. When a wsdl parser (from axis-j 1.4) is trying to retrieve a SSL-protected wsdl (I set it up in TOMCAT) using a URL that starts with https:, I have to provide a client keystore (using jsse system.setProperty(....)) otherwise I will get an error saying something like trustedstore not found, but soapUI was just fine loading the same wsdl. What's really going on?
>
> Any help is much appreciated!
>
> Vivian


-- 
S.Uthaiyashankar
Software Architect
WSO2 Inc. 
http://wso2.com/ - "The Open Source SOA Company" 

