You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Freeman Fang (JIRA)" <ji...@apache.org> on 2019/04/08 07:54:00 UTC

[jira] [Comment Edited] (CXF-8013) Can't tell CXF to use a custom certstore for SSL certificate check

    [ https://issues.apache.org/jira/browse/CXF-8013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16812198#comment-16812198 ] 

Freeman Fang edited comment on CXF-8013 at 4/8/19 7:53 AM:
-----------------------------------------------------------

Hi,

In your scenario you use https to retrieve the wsdl, so you [need read this|http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html] , more specifically, this part
{code}
If your service endpoint uses an SSL WSDL location (i.e., "https://xxx?wsdl"), you can configure the http conduit to pick up the SSL configuration by using a hardcoded http conduit name of "{http://cxf.apache.org/}TransportURIResolver.http-conduit"
{code}

so the <http:conduit name="...."> should be like

{code}
 <http:conduit name="{http://cxf.apache.org/}TransportURIResolver.http-conduit">
{code}

Cheers
Freeman


was (Author: ffang):
Hi,

In your scenario you use https to retrieve the wsdl, so you [need read this|http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html] , more specifically, this part
{code}
If your service endpoint uses an SSL WSDL location (i.e., "https://xxx?wsdl"), you can configure the http conduit to pick up the SSL configuration by using a hardcoded http conduit name of "{http://cxf.apache.org/}TransportURIResolver.http-conduit"
{code}

Freeman

> Can't tell CXF to use a custom certstore for SSL certificate check
> ------------------------------------------------------------------
>
>                 Key: CXF-8013
>                 URL: https://issues.apache.org/jira/browse/CXF-8013
>             Project: CXF
>          Issue Type: Bug
>    Affects Versions: 3.1.6
>            Reporter: Michel SAUMON
>            Priority: Major
>
> In my cxf.xml, I declared a custom certstore because my server's certificate is not considered valid by the JDK:
> {code:java}
> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://cxf.apache.org/configuration/security"
>    xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:jaxws="http://java.sun.com/xml/ns/jaxws"
>    xsi:schemaLocation="
>       http://cxf.apache.org/configuration/security
>       http://cxf.apache.org/schemas/configuration/security.xsd
>       http://cxf.apache.org/transports/http/configuration
>       http://cxf.apache.org/schemas/configuration/http-conf.xsd
>       http://www.springframework.org/schema/beans
>       http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
>    
>    <http:conduit name="{http://myservice.xx/comweb/}ComWebSoap.http-conduit">
>       <http:tlsClientParameters disableCNCheck="true">
>          <sec:keyManagers>
>             <sec:keyStore resource="myservice.jks" type="JKS" />
>          </sec:keyManagers>
>          <sec:trustManagers>
>             <sec:certStore resource="myservice.jks" type="JKS" />
>             <sec:keyStore resource="myservice.jks" type="JKS" />
>          </sec:trustManagers>
>       </http:tlsClientParameters>
>    </http:conduit>
> </beans>{code}
> But CXF does not take this config.
> I have still the error telling the cert is not valid :
> {code:java}
> javax.xml.ws.WebServiceException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
>     at org.apache.cxf.jaxws.ServiceImpl.initialize(ServiceImpl.java:163)
>     at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:129)
>     at org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:82)
>     at javax.xml.ws.Service.<init>(Service.java:77)
>     at xx.mysoapclient.ComWeb.<init>(ComWeb.java:40)
>     at xx.mysoapclient.ComWebTest.getComWebSoap(ComWebTest.java:101)
>     at xx.mysoapclient.ComWebTest.testGetReporting(ComWebTest.java:136)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at junit.framework.TestCase.runTest(TestCase.java:176)
>     at junit.framework.TestCase.runBare(TestCase.java:141)
>     at junit.framework.TestResult$1.protect(TestResult.java:122)
>     at junit.framework.TestResult.runProtected(TestResult.java:142)
>     at junit.framework.TestResult.run(TestResult.java:125)
>     at junit.framework.TestCase.run(TestCase.java:129)
>     at junit.framework.TestSuite.runTest(TestSuite.java:252)
>     at junit.framework.TestSuite.run(TestSuite.java:247)
>     at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:86)
>     at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:89)
>     at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:41)
>     at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:541)
>     at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:763)
>     at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:463)
>     at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:209)
> Caused by: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
>     at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:87)
>     at org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:218)
>     at org.apache.cxf.jaxws.ServiceImpl.initialize(ServiceImpl.java:161)
>     ... 25 more
> Caused by: javax.wsdl.WSDLException: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://ctrl-talend-s95/COM_WEB/ComWeb.asmx?wsdl'.: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(WSDLReaderImpl.java:2198)
>     at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(WSDLReaderImpl.java:2390)
>     at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(WSDLReaderImpl.java:2422)
>     at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:238)
>     at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:163)
>     at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:85)
>     ... 27 more
> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1546)
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
>     at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(XMLEntityManager.java:647)
>     at com.sun.org.apache.xerces.internal.impl.XMLVersionDetector.determineDocVersion(XMLVersionDetector.java:148)
>     at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:805)
>     at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:770)
>     at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
>     at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(DOMParser.java:243)
>     at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:339)
>     at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(WSDLReaderImpl.java:2188)
>     ... 32 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>     at sun.security.validator.Validator.validate(Validator.java:260)
>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
>     ... 52 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
>     ... 58 more{code}
> I suspect error is thrown at the very beggining of the process (when WSDL is parsed), and cxf.xml is not loaded yet.
> Note :
>  - It works FINE if I set trustore via system property like
> {code:java}
>  System.setProperty("javax.net.ssl.trustStoreType", "JKS");
>  System.setProperty("javax.net.ssl.trustStore", "/path/to/myservice.jks");
> {code}
>  - {{<http:conduit name="https://localhost:.*">}} does not work too.
> My Jdk is 1.8.121
>  CXF version is 3.1.6



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)