Posted to users@cxf.apache.org by buzzterrier <te...@gmail.com> on 2009/07/01 18:49:01 UTC

Re: cipher suite filters have not been configured

I am also having this issue. I cannot provide a test case because the service I
am connecting to is a SAS. Anything I can provide or logging I can turn on
to help with this?



dkulp wrote:
> 
> On Tue May 12 2009 5:10:02 am Marc Logemann wrote:
>> Daniel.
>>
>>
>> not that easy to isolate a test case in terms of JAR creation and
>> classpath. What IDE are u using? It would be easier to share a small
>> test project.....
> 
> I'm using Eclipse.
> 
> Dan
> 
> 
>>
>> ---
>> regards
>> Marc Logemann
>> http://www.logemann.org
>> http://www.logentis.de
>>
>> Am 11.05.2009 um 18:39 schrieb Daniel Kulp:
>> > Any chance you could package together a small test case. (maybe a modified
>> > version of one of the samples?)   I've seen a couple people report that the
>> > "*.http-conduit" method of config isn't working, but I haven't been able to
>> > reproduce it.   If I could get a testcase that shows that it's not working, I
>> > could debug it a bit to see what is going on.
>> >
>> > Thanks!
>> > Dan
>> >
>> > On Sun May 10 2009 12:49:42 pm Marc Logemann wrote:
>> >> Hi,
>> >>
>> >> on testing my client with HTTPS I am getting this in the console
>> >> many times:
>> >>
>> >> 10.05.2009 18:42:20 org.apache.cxf.transport.https.SSLUtils
>> >> getCiphersuites
>> >> INFO: The cipher suites have not been configured, falling back to
>> >> cipher suite filters.
>> >> 10.05.2009 18:42:20 org.apache.cxf.transport.https.SSLUtils
>> >> getCiphersuites
>> >> INFO: The cipher suite filters have not been configured, falling back
>> >> to default filters.
>> >> 10.05.2009 18:42:20 org.apache.cxf.transport.https.SSLUtils
>> >> getCiphersFromList
>> >> INFO: The cipher suites have been set to SSL_RSA_WITH_RC4_128_MD5,
>> >> SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
>> >> TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
>> >> TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
>> >> TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
>> >> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
>> >> SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
>> >> SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
>> >> SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
>> >> SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
>> >> SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA,
>> >> TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA,
>> >> TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA,
>> >> TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA,
>> >> TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,
>> >> TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5.
>> >>
>> >> This problem is also described in this "old" thread:
>> >> http://markmail.org/thread/kkcp6lbx26al2fo6
>> >>
>> >> Of course i also tried the
>> >>
>> >>     <http:conduit name="*.http-conduit">
>> >>         <http:tlsClientParameters secureSocketProtocol="SSL">
>> >>             <sec:cipherSuitesFilter>  <!-- these filters ensure that
>> >> a ciphersuite with export-suitable or null encryption is used, but
>> >> exclude anonymous Diffie-Hellman key change as this is vulnerable to
>> >> man-in-the-middle attacks -->
>> >>                 <sec:include>.*_EXPORT_.*</sec:include>
>> >>                 <sec:include>.*_EXPORT1024_.*</sec:include>
>> >>                 <sec:include>.*_WITH_DES_.*</sec:include>
>> >>                 <sec:include>.*_WITH_NULL_.*</sec:include>
>> >>                 <sec:exclude>.*_DH_anon_.*</sec:exclude>
>> >>             </sec:cipherSuitesFilter>
>> >>         </http:tlsClientParameters>
>> >>     </http:conduit>
>> >>
>> >> config without luck. But my cxf.xml gets read in my Test client (the
>> >> generated client of WSDL2Java).
>> >>
>> >> In general the client call works with the JAX-WS-style supplied
>> >> username and password but I really don't like the logging and I wonder
>> >> if it's too slow then as mentioned in the thread above.
>> >>
>> >> Thx for info on this.
>> >>
>> >> ---
>> >> regards
>> >> Marc Logemann
>> >> http://www.logemann.org
>> >> http://www.logentis.de
>> >
>> > --
>> > Daniel Kulp
>> > dkulp@apache.org
>> > http://www.dankulp.com/blog
> 
> -- 
> Daniel Kulp
> dkulp@apache.org
> http://www.dankulp.com/blog
> 
> 


-----
Buzzterrier

http://buzzterrier.blogspot.com/ View my blog: Ordinary Average Developer... 
-- 
View this message in context: http://www.nabble.com/cipher-suite-filters-have-not-been-configured-tp23471838p24293269.html
Sent from the cxf-user mailing list archive at Nabble.com.


Re: cipher suite filters have not been configured

Posted by Daniel Kulp <dk...@apache.org>.
I really don't know what to say.   I've asked for some test cases, but haven't 
received anything.   All attempts I've made at modifying the wsdl_first_https 
sample to meet the non-specific descriptions on the threads haven't resulted in 
it failing.  

If someone could just take the wsdl_first_https and modify it or whatever to 
reproduce the failure, I'd be happy to look at it.  But until I can reproduce 
it, there isn't really anything I can do.

Dan



-- 
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
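
An added example, not written by anyone in this thread and not CXF code: it applies the include/exclude patterns from the quoted `cipherSuitesFilter` to suite names taken from the quoted log line and reports which suites that filter would leave enabled, next to a constructed stricter filter. The matching semantics (full regex match, any include and no exclude), the `STRICT` patterns, the weak-name table and the one anonymous-DH suite name are assumptions made for illustration.

```python
import re

# Subset of the suite names in the log line quoted in the thread, plus one
# constructed anonymous-DH name (not in the log) to exercise the exclude rule.
ENABLED = [
    "SSL_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "TLS_KRB5_WITH_DES_CBC_SHA",
    "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
    "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",  # constructed
]

# Patterns copied from the cxf.xml fragment quoted in the thread.
QUOTED = {"include": [r".*_EXPORT_.*", r".*_EXPORT1024_.*",
                      r".*_WITH_DES_.*", r".*_WITH_NULL_.*"],
          "exclude": [r".*_DH_anon_.*"]}

# Constructed comparison filter (an assumption, not from the thread).
STRICT = {"include": [r".*_WITH_AES_.*"],
          "exclude": [r".*_anon_.*", r".*_EXPORT.*", r".*_NULL_.*",
                      r".*_DES_.*", r".*_RC4_.*", r".*_MD5"]}

# Name fragments treated as weak for this audit, with the reason.
WEAK = [(r"_EXPORT", "export-grade"), (r"_WITH_DES_|_DES40_", "single DES"),
        (r"_WITH_NULL_", "no encryption"), (r"_RC4_", "RC4"),
        (r"_anon_", "unauthenticated"), (r"_MD5$", "MD5 MAC")]

def apply_filter(suites, flt):
    """Keep a suite that fully matches any include and no exclude
    (assumed semantics of the include/exclude elements)."""
    inc = [re.compile(p) for p in flt["include"]]
    exc = [re.compile(p) for p in flt["exclude"]]
    return [s for s in suites
            if any(p.fullmatch(s) for p in inc)
            and not any(p.fullmatch(s) for p in exc)]

def weak_reasons(suite):
    """Reasons a suite name is flagged by the WEAK table (empty if none)."""
    return [why for pat, why in WEAK if re.search(pat, suite)]

def audit(flt):
    """Map each suite the filter leaves enabled to its weak-name reasons."""
    return {s: weak_reasons(s) for s in apply_filter(ENABLED, flt)}

if __name__ == "__main__":
    for name, flt in (("quoted", QUOTED), ("strict", STRICT)):
        print(name)
        for suite, why in audit(flt).items():
            print(f"  {suite}: {', '.join(why) or 'no weak marker'}")
```

Every suite the quoted filter keeps from this list carries an export-grade or single-DES marker, while the AES suites present in the logged defaults are filtered out.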