Posted to users@cxf.apache.org by "Bc. Jiří Mikulášek" <ji...@aura.cz> on 2007/11/28 12:18:09 UTC
CRL support
Hi all,
Can somebody give me a hint on how to configure or program CRL (certificate
revocation list) checking before each SSL handshake?
In detail:
I have this configuration on client:
<http-conf:conduit
    name="{http://..../}portName.http-conduit">
  <http-conf:client AllowChunking="false" />
  <http-conf:tlsClientParameters secureSocketProtocol="SSL">
    <sec:trustManagers>
      <sec:keyStore type="JKS" password="password"
                    url="someurl"/>
    </sec:trustManagers>
    <sec:keyManagers keyPassword="password">
      <sec:keyStore type="JKS" password="password"
                    url="someurl"/>
    </sec:keyManagers>
  </http-conf:tlsClientParameters>
</http-conf:conduit>
which enables SSL communication, but before each connection I would like to
check all certificates in the keystores for revocation against a CRL on the
filesystem.
thanks for any advice
--
Jiri Mikulasek
---------------------------------
Developer
AURA, s.r.o.
Uvoz 499/56; 602 00 Brno
ISO 9001 certified company
AQAP 2110 (ČOS 051622)
tel./fax: +420 544 508 115
e-mail: mikulasek@aura.cz
http://www.aura.cz
---------------------------------
Re: CRL support
Posted by "Bc. Jiří Mikulášek" <ji...@aura.cz>.
Thanks a lot, I will check it out.
On Thursday 29 of November 2007 15:24:57 Fred Dushin wrote:
> See the http-conf:trustDecider in
>
> https://svn.apache.org/repos/asf/incubator/cxf/trunk/rt/transports/http/src/main/resources/schemas/configuration/http-conf.xsd
>
> You'll need to implement your own
> org.apache.cxf.transport.http.MessageTrustDecider, but this will get
> called when a connection is established. Unfortunately, because of
> the design of the Sun JSSE, this is not a hook into the handshake,
> but your trust decider should be called before any application data
> is sent down the pipe. That's the idea, at any rate.
>
> -Fred
Re: CRL support
Posted by Fred Dushin <fr...@dushin.net>.
See the http-conf:trustDecider in
https://svn.apache.org/repos/asf/incubator/cxf/trunk/rt/transports/http/src/main/resources/schemas/configuration/http-conf.xsd
You'll need to implement your own
org.apache.cxf.transport.http.MessageTrustDecider, but this will get
called when a connection is established. Unfortunately, because of
the design of the Sun JSSE, this is not a hook into the handshake,
but your trust decider should be called before any application data
is sent down the pipe. That's the idea, at any rate.
-Fred
On Nov 28, 2007, at 4:26 PM, Bc. Jiří Mikulášek wrote:
> Thanks. Because I really need CRL support, is there any way to handle it on
> my own, maybe using some interceptor which will handle it before each
> connection? If there is such a possibility, could somebody please give me a
> few basic hints on where to start, what to take care of, and so on?
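One way to do the check Fred describes, as an added example that is neither CXF's own code nor from this thread: a MessageTrustDecider that loads a CRL from the filesystem, verifies the CRL's signature, and refuses the connection if the server's chain contains a certificate the CRL lists as revoked. The class name CrlTrustDecider and its constructor arguments are assumed, as is the package layout of URLConnectionInfo/HttpsURLConnectionInfo; the decider is registered on the conduit with HTTPConduit.setTrustDecider or the http-conf:trustDecider element Fred points to.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.apache.cxf.message.Message;
import org.apache.cxf.transport.http.MessageTrustDecider;
import org.apache.cxf.transport.http.URLConnectionInfo;
import org.apache.cxf.transport.http.UntrustedURLConnectionIOException;
import org.apache.cxf.transport.https.HttpsURLConnectionInfo;

// Assumed example: fails the connection if any certificate in the server's chain is on a CRL file.
public class CrlTrustDecider extends MessageTrustDecider {
    private final X509CRL crl; // loaded once here; reload periodically in production

    public CrlTrustDecider(String crlPath, X509Certificate crlIssuer)
            throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (FileInputStream in = new FileInputStream(crlPath)) {
            crl = (X509CRL) cf.generateCRL(in);
        }
        // An unauthenticated CRL could be swapped for an empty one: verify its signature first.
        crl.verify(crlIssuer.getPublicKey());
    }

    @Override
    public void establishTrust(String conduitName, URLConnectionInfo info, Message message)
            throws UntrustedURLConnectionIOException {
        if (!(info instanceof HttpsURLConnectionInfo)) {
            throw new UntrustedURLConnectionIOException("conduit " + conduitName + " is not using TLS");
        }
        // A CRL past its nextUpdate may be missing recent revocations: fail closed rather than open.
        if (crl.getNextUpdate() != null && crl.getNextUpdate().before(new Date())) {
            throw new UntrustedURLConnectionIOException("CRL is past its nextUpdate: " + crl.getNextUpdate());
        }
        Certificate[] chain = ((HttpsURLConnectionInfo) info).getServerCertificates();
        if (chain == null || chain.length == 0) {
            throw new UntrustedURLConnectionIOException("server presented no certificate chain");
        }
        for (Certificate c : chain) {
            X509Certificate cert = (X509Certificate) c;
            // This CRL only speaks for certificates issued by the CA that signed it.
            if (cert.getIssuerX500Principal().equals(crl.getIssuerX500Principal()) && crl.isRevoked(cert)) {
                throw new UntrustedURLConnectionIOException("revoked: " + cert.getSubjectX500Principal());
            }
        }
    }
}
```

As Fred notes, the decider only sees the chain after the handshake has completed; to reject revoked certificates inside the handshake itself, build the trust manager from PKIXBuilderParameters with revocation enabled and the CRL in a CertStore (via CertPathTrustManagerParameters) instead.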
Re: CRL support
Posted by "Bc. Jiří Mikulášek" <ji...@aura.cz>.
Thanks. Because I really need CRL support, is there any way to handle it on
my own, maybe using some interceptor which will handle it before each
connection? If there is such a possibility, could somebody please give me a
few basic hints on where to start, what to take care of, and so on?
On Wednesday 28 November 2007 21:32 Fred Dushin wrote:
> CXF does not have support for CRLs.
Re: CRL support
Posted by Fred Dushin <fr...@dushin.net>.
CXF does not have support for CRLs.
On Nov 28, 2007, at 6:18 AM, Bc. Jiří Mikulášek wrote:
> Hi all,
> Can somebody give me a hint on how to configure or program CRL
> (certificate revocation list) checking before each SSL handshake?
>
> In detail:
> I have this configuration on client:
> <http-conf:conduit
>     name="{http://..../}portName.http-conduit">
>   <http-conf:client AllowChunking="false" />
>   <http-conf:tlsClientParameters secureSocketProtocol="SSL">
>     <sec:trustManagers>
>       <sec:keyStore type="JKS" password="password"
>                     url="someurl"/>
>     </sec:trustManagers>
>     <sec:keyManagers keyPassword="password">
>       <sec:keyStore type="JKS" password="password"
>                     url="someurl"/>
>     </sec:keyManagers>
>   </http-conf:tlsClientParameters>
>
> which enables SSL communication, but before each connection I would
> like to check all certificates in the keystores for revocation against a
> CRL on the filesystem.
>
>
> thanks for any advice