Posted to users@cxf.apache.org by Alex Shneyderman <a....@gmail.com> on 2007/12/16 20:10:10 UTC
service over https
I am new to web service or CXF, so forgive me if this is somehow
obvious for everyone.
I have been trying to figure out how to utilize paypal's WS. Here is
their WSDL http://www.paypal.com/wsdl/PayPalSvc.wsdl (if anyone is
interested). At the end of the file there is a ports section that looks like so:
<wsdl:port name="PayPalAPIAA" binding="ns:PayPalAPIAASoapBinding">
<wsdlsoap:address location="https://api-aa.sandbox.paypal.com/2.0/"/>
</wsdl:port>
port named PayPalAPIAA talks over https. I have written some code to process
direct payments and if I provide cxf.xml on my classpath of the
following content:
<http:conduit name="{urn:ebay:api:PayPalAPI}PayPalAPIAA.http-conduit">
<http:tlsClientParameters>
</http:tlsClientParameters>
<http:client AutoRedirect="true" Connection="Keep-Alive"/>
</http:conduit>
There is an error I get back:
Dec 16, 2007 7:18:30 PM org.apache.cxf.transport.https.SSLUtils getCiphersuites
INFO: The cipher suites have not been configured, falling back to
cipher suite filters.
Dec 16, 2007 7:18:30 PM org.apache.cxf.transport.https.SSLUtils getCiphersuites
INFO: The cipher suite filters have not been configured, falling back
to default filters.
Dec 16, 2007 7:18:30 PM org.apache.cxf.transport.https.SSLUtils getCiphersFromList
INFO: The cipher suites have been set to SSL_RSA_WITH_DES_CBC_SHA,
SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_WITH_NULL_MD5,
SSL_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_DES_CBC_SHA,
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_DES_CBC_SHA,
TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA,
TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5.
Dec 16, 2007 7:18:30 PM org.apache.cxf.transport.http.HTTPConduit prepare
INFO: AutoRedirect is turned on.
Dec 16, 2007 7:18:31 PM org.apache.cxf.phase.PhaseInterceptorChain doIntercept
INFO: Interceptor has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Received fatal alert: handshake_failure
at org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:75)
at org.apache.cxf.interceptor.BareOutInterceptor.handleMessage(BareOutInterceptor.java:68)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:207)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:254)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:205)
...
If I do not provide cxf.xml I get an error stating:
Dec 16, 2007 8:01:42 PM org.apache.cxf.phase.PhaseInterceptorChain doIntercept
......
Caused by: java.io.IOException: Illegal Protocol https for HTTP URLConnection Factory.
at org.apache.cxf.transport.http.HttpURLConnectionFactoryImpl.createConnection(HttpURLConnectionFactoryImpl.java:44)
at org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:474)
at org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
... 12 more
Any ideas? BTW if I simply connect to the URL I can connect and get
content fine, so default java https connectivity works (I run java 6).
Somehow CXF screws stuff up for me.
Any ideas of what I am to fix here?
--
Thanks,
Alex.
Re: service over https
Posted by Alex Shneyderman <a....@gmail.com>.
Thanks, Fred!
Your openssl trick worked a treat. I imported the certificate into the key
store and can process transactions now. I guess, now I need not forget to
do the same for production :-)
Thanks,
Alex.
On Dec 16, 2007 10:08 PM, Fred Dushin <fr...@dushin.net> wrote:
>
> You don't necessarily need to use keytool. You can now use a plain
> PEM file, containing the CA's X.509 certificate:
>
> {{{
> <http:conduit name="...">
> <http:tlsClientParameters>
> <csec:trustManagers>
> <csec:certStore resource="path-to-pem-relative-to-classpath"/>
> </csec:trustManagers>
> <csec:cipherSuitesFilter>
> <csec:include>.*</csec:include>
> <csec:exclude>.*_DH_anon_.*</csec:exclude>
> </csec:cipherSuitesFilter>
> </http:tlsClientParameters>
> </http:conduit>
> }}}
>
> You'll need to get a hold of this certificate, if you don't already
> have it. Here is the information about the peer you can get through
> openssl:
>
> 15:57:32 spock:~> openssl s_client -host api-aa.sandbox.paypal.com -port 443
> CONNECTED(00000004)
> depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
> 0 s:/C=US/ST=California/L=San Jose/O=Paypal, Inc./OU=Information Systems/OU=Terms of use at www.verisign.com/rpa (c)00/CN=api-aa.sandbox.paypal.com
> i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
> 1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
> i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
> 2 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
> i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> ...
> -----END CERTIFICATE-----
> subject=/C=US/ST=California/L=San Jose/O=Paypal, Inc./OU=Information Systems/OU=Terms of use at www.verisign.com/rpa (c)00/CN=api-aa.sandbox.paypal.com
> issuer=/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
> ---
> Acceptable client certificate CA names
> /C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=sandbox_certs/CN=sandbox_camerchapi/emailAddress=re@paypal.com
> ---
> SSL handshake has read 3379 bytes and written 334 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> Cipher : DHE-RSA-AES256-SHA
> Session-ID: 85E1D239A982C834730D359EBD5D009F1D64705CD2F44192E6081CF7A55CA88F
> Session-ID-ctx:
> Master-Key: C7C10F6A3503C174C2B276FBE109F6C249B4C2B252BA45AFAFA157EB920B10DEB80BD9B12971A54CA42805A4940785D0
> Key-Arg : None
> Start Time: 1197838663
> Timeout : 300 (sec)
> Verify return code: 19 (self signed certificate in certificate chain)
> ---
>
> So it looks like you'll need one of those 2 verisign certs.
>
> -Fred
>
>
> On Dec 16, 2007, at 3:53 PM, Alex Shneyderman wrote:
>
> > Hi, Fred!
> >
> > On Dec 16, 2007 8:49 PM, Fred Dushin <fr...@dushin.net> wrote:
> >>
> >> You need to specify a trust store containing the appropriate
> >> certificate authority to be used when performing the handshake with
> >> the paypal service.
> >
> > Could you explain this step in a bit more details. I guess I have
> > to use
> > something like keytool but I am not sure what "appropriate certificate
> > authority" means ? Where do I get it, how do I deal with it ? I
> > have tried
> > to search PayPal's docs nothing of relevance turned up.
Re: service over https
Posted by Fred Dushin <fr...@dushin.net>.
You don't necessarily need to use keytool. You can now use a plain
PEM file, containing the CA's X.509 certificate:
{{{
<http:conduit name="...">
<http:tlsClientParameters>
<csec:trustManagers>
<csec:certStore resource="path-to-pem-relative-to-classpath"/>
</csec:trustManagers>
<csec:cipherSuitesFilter>
<csec:include>.*</csec:include>
<csec:exclude>.*_DH_anon_.*</csec:exclude>
</csec:cipherSuitesFilter>
</http:tlsClientParameters>
</http:conduit>
}}}
You'll need to get a hold of this certificate, if you don't already
have it. Here is the information about the peer you can get through
openssl:
15:57:32 spock:~> openssl s_client -host api-aa.sandbox.paypal.com -port 443
CONNECTED(00000004)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=San Jose/O=Paypal, Inc./OU=Information Systems/OU=Terms of use at www.verisign.com/rpa (c)00/CN=api-aa.sandbox.paypal.com
i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
2 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Jose/O=Paypal, Inc./OU=Information Systems/OU=Terms of use at www.verisign.com/rpa (c)00/CN=api-aa.sandbox.paypal.com
issuer=/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
---
Acceptable client certificate CA names
/C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=sandbox_certs/CN=sandbox_camerchapi/emailAddress=re@paypal.com
---
SSL handshake has read 3379 bytes and written 334 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 85E1D239A982C834730D359EBD5D009F1D64705CD2F44192E6081CF7A55CA88F
Session-ID-ctx:
Master-Key: C7C10F6A3503C174C2B276FBE109F6C249B4C2B252BA45AFAFA157EB920B10DEB80BD9B12971A54CA42805A4940785D0
Key-Arg : None
Start Time: 1197838663
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
So it looks like you'll need one of those 2 verisign certs.
-Fred
On Dec 16, 2007, at 3:53 PM, Alex Shneyderman wrote:
> Hi, Fred!
>
> On Dec 16, 2007 8:49 PM, Fred Dushin <fr...@dushin.net> wrote:
>>
>> You need to specify a trust store containing the appropriate
>> certificate authority to be used when performing the handshake with
>> the paypal service.
>
> Could you explain this step in a bit more details. I guess I have
> to use
> something like keytool but I am not sure what "appropriate certificate
> authority" means ? Where do I get it, how do I deal with it ? I
> have tried
> to search PayPal's docs nothing of relevance turned up.
>
> Thanks,
> Alex.
>
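Added example (not part of the thread, and not CXF code): a small Java check of which suite names the cipherSuitesFilter posted in the message above would leave enabled, next to a tighter exclude list. It assumes a suite is enabled when it fully matches at least one include pattern and no exclude pattern; the class name, the sample suite list and the tighter patterns are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public class CipherFilterCheck {

    // Assumed semantics: a suite is enabled when it fully matches at least
    // one include pattern and no exclude pattern.
    static List<String> apply(List<String> suites, List<String> include, List<String> exclude) {
        List<String> enabled = new ArrayList<>();
        for (String suite : suites) {
            boolean included = include.stream().anyMatch(p -> Pattern.matches(p, suite));
            boolean excluded = exclude.stream().anyMatch(p -> Pattern.matches(p, suite));
            if (included && !excluded) {
                enabled.add(suite);
            }
        }
        return enabled;
    }

    public static void main(String[] args) {
        // Constructed sample: names taken from the log in the first post, plus
        // the JSSE name of the suite openssl negotiated (DHE-RSA-AES256-SHA).
        List<String> suites = Arrays.asList(
            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
            "SSL_RSA_WITH_DES_CBC_SHA",
            "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
            "SSL_RSA_WITH_NULL_SHA",
            "SSL_DH_anon_WITH_DES_CBC_SHA",
            "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA");

        // Filter as posted in the thread: include everything, drop anonymous DH.
        List<String> include = Arrays.asList(".*");
        List<String> postedExclude = Arrays.asList(".*_DH_anon_.*");

        // Hypothetical tighter exclude list: also drop NULL, EXPORT and
        // single-DES suites, which provide no or weak encryption.
        List<String> tightExclude = Arrays.asList(
            ".*_DH_anon_.*", ".*_WITH_NULL_.*", ".*_EXPORT_.*", ".*_WITH_DES_.*");

        System.out.println("posted filter : " + apply(suites, include, postedExclude));
        System.out.println("tighter filter: " + apply(suites, include, tightExclude));
    }
}
```

To check a real JVM instead of the sample list, feed in the names returned by SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites().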
Re: service over https
Posted by Alex Shneyderman <a....@gmail.com>.
Hi, Fred!
On Dec 16, 2007 8:49 PM, Fred Dushin <fr...@dushin.net> wrote:
>
> You need to specify a trust store containing the appropriate
> certificate authority to be used when performing the handshake with
> the paypal service.
Could you explain this step in a bit more details. I guess I have to use
something like keytool but I am not sure what "appropriate certificate
authority" means ? Where do I get it, how do I deal with it ? I have tried
to search PayPal's docs nothing of relevance turned up.
Thanks,
Alex.
Re: service over https
Posted by Fred Dushin <fr...@dushin.net>.
You need to specify a trust store containing the appropriate
certificate authority to be used when performing the handshake with
the paypal service.
In the case where you are specifying a cxf.xml file, be sure to
include the right trustManagers stanza, as in
https://svn.apache.org/repos/asf/incubator/cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/WibbleClient.cxf
In the case where you are not using a cxf.xml file, the conduit is
failing to initialize because it has not been configured to use SSL.
-Fred
On Dec 16, 2007, at 2:10 PM, Alex Shneyderman wrote:
> I am new to web service or CXF, so forgive me if this is somehow
> obvious for everyone.
>
> I have been trying to figure out how to utilize paypal's WS. Here is
> their WSDL http://www.paypal.com/wsdl/PayPalSvc.wsdl (if anyone is
> interested). At the end of the
> file there is ports section that looks like so:
>
> <wsdl:port name="PayPalAPIAA" binding="ns:PayPalAPIAASoapBinding">
> <wsdlsoap:address location="https://api-aa.sandbox.paypal.com/2.0/"/>
> </wsdl:port>
>
> port named PayPalAPIAA talks over https. I have written some code
> to process
> direct payments and if I provide cxf.xml on my classpath of the
> following content:
>
> <http:conduit name="{urn:ebay:api:PayPalAPI}PayPalAPIAA.http-conduit">
>
> <http:tlsClientParameters>
> </http:tlsClientParameters>
> <http:client AutoRedirect="true" Connection="Keep-Alive"/>
>
> </http:conduit>
>
> There is an error I get back:
>
> Dec 16, 2007 7:18:30 PM org.apache.cxf.transport.https.SSLUtils getCiphersuites
> INFO: The cipher suites have not been configured, falling back to
> cipher suite filters.
> Dec 16, 2007 7:18:30 PM org.apache.cxf.transport.https.SSLUtils getCiphersuites
> INFO: The cipher suite filters have not been configured, falling back
> to default filters.
> Dec 16, 2007 7:18:30 PM org.apache.cxf.transport.https.SSLUtils getCiphersFromList
> INFO: The cipher suites have been set to SSL_RSA_WITH_DES_CBC_SHA,
> SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
> SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
> SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
> SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_WITH_NULL_MD5,
> SSL_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_DES_CBC_SHA,
> SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,
> SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_DES_CBC_SHA,
> TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA,
> TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,
> TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5.
> Dec 16, 2007 7:18:30 PM org.apache.cxf.transport.http.HTTPConduit prepare
> INFO: AutoRedirect is turned on.
> Dec 16, 2007 7:18:31 PM org.apache.cxf.phase.PhaseInterceptorChain doIntercept
> INFO: Interceptor has thrown exception, unwinding now
> org.apache.cxf.interceptor.Fault: Received fatal alert: handshake_failure
> at org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:75)
> at org.apache.cxf.interceptor.BareOutInterceptor.handleMessage(BareOutInterceptor.java:68)
> at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:207)
> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:254)
> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:205)
> ...
>
> If I do not provide cxf.xml I get an error stating:
>
> Dec 16, 2007 8:01:42 PM org.apache.cxf.phase.PhaseInterceptorChain doIntercept
>
> ......
>
> Caused by: java.io.IOException: Illegal Protocol https for HTTP URLConnection Factory.
> at org.apache.cxf.transport.http.HttpURLConnectionFactoryImpl.createConnection(HttpURLConnectionFactoryImpl.java:44)
> at org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:474)
> at org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
> ... 12 more
>
> Any ideas. BTW if I simply connect to the URL I can connect and get
> content fine, so default java https connectivity works (I run java 6).
> Somehow CXF screws stuff up for me.
>
> Any ideas of what I am to fix here?
>
> --
> Thanks,
> Alex.
>