Posted to users@cxf.apache.org by Tóth Csaba <ig...@domen.hu> on 2021/09/21 13:49:05 UTC

cxf ws client server certificate alternative name

Hello!

For a web service client (over https), the certificate sent by the server has the 
wrong "name", but it has a good "alternative name".

I got javax.net.ssl.SSLHandshakeException: SSLHandshakeException.

I have very basic conduit settings:

     <http:conduit name="url*">
         <http:tlsClientParameters>
             <sec:keyManagers keyPassword="">
                 <sec:keyStore password="" resource="" type="JKS"/>
             </sec:keyManagers>
             <sec:trustManagers>
                 <sec:keyStore password="" resource="" type="JKS"/>
             </sec:trustManagers>
             <sec:cipherSuitesFilter>
                 <!-- these filters ensure that a ciphersuite with
                      export-suitable or null encryption is used, but exclude anonymous
                      Diffie-Hellman key exchange as this is vulnerable to man-in-the-middle
                      attacks -->
                 <sec:include>.*_EXPORT_.*</sec:include>
                 <sec:include>.*_EXPORT1024_.*</sec:include>
                 <sec:include>.*_WITH_DES_.*</sec:include>
                 <sec:include>.*_WITH_AES_.*</sec:include>
                 <sec:include>.*_WITH_NULL_.*</sec:include>
                 <sec:exclude>.*_DH_anon_.*</sec:exclude>
             </sec:cipherSuitesFilter>
         </http:tlsClientParameters>
     </http:conduit>

(with other https endpoints it's working)

How can I set it up to check the "alternative name" too, and not only the 
"name"?


Thanx

Csaba



Re: cxf ws client server certificate alternative name

Posted by Tóth Csaba <ig...@domen.hu>.
Thanx.
This is working.

Csaba

On 2021-09-21 16:08, Freeman Fang wrote:
> Hi,
>
> You can specify certAlias name in
>
> <http:tlsClientParameters>
>
> Something like
>
> <sec:certAlias>what_ever_suitable</sec:certAlias>
>
>
> Hopefully this is what you are looking for.
>
> Cheers
>
> Freeman
>
>
> On Tue, Sep 21, 2021 at 9:50 AM Tóth Csaba <ig...@domen.hu> wrote:
>
>> Hello!
>>
>> For a web service client (over https), the certificate sent by the server has the
>> wrong "name", but it has a good "alternative name".
>>
>> I got javax.net.ssl.SSLHandshakeException: SSLHandshakeException.
>>
>> I have very basic conduit settings:
>>
>>      <http:conduit name="url*">
>>          <http:tlsClientParameters>
>>              <sec:keyManagers keyPassword="">
>>                  <sec:keyStore password="" resource="" type="JKS"/>
>>              </sec:keyManagers>
>>              <sec:trustManagers>
>>                  <sec:keyStore password="" resource="" type="JKS"/>
>>              </sec:trustManagers>
>>              <sec:cipherSuitesFilter>
>>                  <!-- these filters ensure that a ciphersuite with
>>                       export-suitable or null encryption is used, but exclude anonymous
>>                       Diffie-Hellman key exchange as this is vulnerable to man-in-the-middle
>>                       attacks -->
>>                  <sec:include>.*_EXPORT_.*</sec:include>
>>                  <sec:include>.*_EXPORT1024_.*</sec:include>
>>                  <sec:include>.*_WITH_DES_.*</sec:include>
>>                  <sec:include>.*_WITH_AES_.*</sec:include>
>>                  <sec:include>.*_WITH_NULL_.*</sec:include>
>>                  <sec:exclude>.*_DH_anon_.*</sec:exclude>
>>              </sec:cipherSuitesFilter>
>>          </http:tlsClientParameters>
>>      </http:conduit>
>>
>> (with other https endpoints it's working)
>>
>> How can I set it up to check the "alternative name" too, and not only the
>> "name"?
>>
>>
>> Thanx
>>
>> Csaba
>>
>>
>>


Re: cxf ws client server certificate alternative name

Posted by Freeman Fang <fr...@gmail.com>.
Hi,

You can specify certAlias name in

<http:tlsClientParameters>

Something like

<sec:certAlias>what_ever_suitable</sec:certAlias>


Hopefully this is what you are looking for.

Cheers

Freeman


On Tue, Sep 21, 2021 at 9:50 AM Tóth Csaba <ig...@domen.hu> wrote:

> Hello!
>
> For a web service client (over https), the certificate sent by the server has the
> wrong "name", but it has a good "alternative name".
>
> I got javax.net.ssl.SSLHandshakeException: SSLHandshakeException.
>
> I have very basic conduit settings:
>
>      <http:conduit name="url*">
>          <http:tlsClientParameters>
>              <sec:keyManagers keyPassword="">
>                  <sec:keyStore password="" resource="" type="JKS"/>
>              </sec:keyManagers>
>              <sec:trustManagers>
>                  <sec:keyStore password="" resource="" type="JKS"/>
>              </sec:trustManagers>
>              <sec:cipherSuitesFilter>
>                  <!-- these filters ensure that a ciphersuite with
>                       export-suitable or null encryption is used, but exclude anonymous
>                       Diffie-Hellman key exchange as this is vulnerable to man-in-the-middle
>                       attacks -->
>                  <sec:include>.*_EXPORT_.*</sec:include>
>                  <sec:include>.*_EXPORT1024_.*</sec:include>
>                  <sec:include>.*_WITH_DES_.*</sec:include>
>                  <sec:include>.*_WITH_AES_.*</sec:include>
>                  <sec:include>.*_WITH_NULL_.*</sec:include>
>                  <sec:exclude>.*_DH_anon_.*</sec:exclude>
>              </sec:cipherSuitesFilter>
>          </http:tlsClientParameters>
>      </http:conduit>
>
> (with other https endpoints it's working)
>
> How can I set it up to check the "alternative name" too, and not only the
> "name"?
>
>
> Thanx
>
> Csaba
>
>
>

Re: cxf ws client server certificate alternative name

Posted by Mark Presling <ma...@argonaut.nz>.
It should automatically check/use the SAN (Subject Alternate Name). I'm not
aware of any special config for that.

If you can, provide us with the following information:

   1. endpoint address
   2. output of "openssl s_client -connect cxf.apache.org:443 | openssl
   x509 -text -noout | grep -e Subject -e DNS"

where you replace cxf.apache.org with the hostname of the endpoint address.

But first of all, you should probably try removing the <sec:keyManagers/>
and <sec:trustManagers/> if they are in fact empty. It may just be that you
are telling it to not use a trust store altogether. Without that it will
fall back to using the JRE global cacerts truststore to validate/verify the
server certificate chain.


On Wed, 22 Sept 2021 at 01:50, Tóth Csaba <ig...@domen.hu> wrote:

> Hello!
>
> For a web service client (over https), the certificate sent by the server has the
> wrong "name", but it has a good "alternative name".
>
> I got javax.net.ssl.SSLHandshakeException: SSLHandshakeException.
>
> I have very basic conduit settings:
>
>      <http:conduit name="url*">
>          <http:tlsClientParameters>
>              <sec:keyManagers keyPassword="">
>                  <sec:keyStore password="" resource="" type="JKS"/>
>              </sec:keyManagers>
>              <sec:trustManagers>
>                  <sec:keyStore password="" resource="" type="JKS"/>
>              </sec:trustManagers>
>              <sec:cipherSuitesFilter>
>                  <!-- these filters ensure that a ciphersuite with
>                       export-suitable or null encryption is used, but exclude anonymous
>                       Diffie-Hellman key exchange as this is vulnerable to man-in-the-middle
>                       attacks -->
>                  <sec:include>.*_EXPORT_.*</sec:include>
>                  <sec:include>.*_EXPORT1024_.*</sec:include>
>                  <sec:include>.*_WITH_DES_.*</sec:include>
>                  <sec:include>.*_WITH_AES_.*</sec:include>
>                  <sec:include>.*_WITH_NULL_.*</sec:include>
>                  <sec:exclude>.*_DH_anon_.*</sec:exclude>
>              </sec:cipherSuitesFilter>
>          </http:tlsClientParameters>
>      </http:conduit>
>
> (with other https endpoints it's working)
>
> How can I set it up to check the "alternative name" too, and not only the
> "name"?
>
>
> Thanx
>
> Csaba
>
>
>
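The two points in Mark's reply, worked through as an added example (this is not code from the thread or from Apache CXF). The first function applies the hostname rule that Java's default HTTPS endpoint identification, like RFC 6125, uses: dNSName entries of the subjectAltName extension are authoritative, and the subject CN is consulted only when the certificate carries no dNSName SAN at all, so a "wrong" CN next to a correct SAN is accepted and the handshake failure is unlikely to be a hostname problem. The second function lints a CXF http:conduit fragment, reconstructed here from the thread with the CXF namespaces declared, for the empty key/trust store that disables the cacerts fallback and for cipher-suite include patterns that admit EXPORT, DES or NULL suites. The certificate dictionaries are constructed, shaped like Python's ssl getpeercert() output, and the keyStore attribute names checked (resource, file, url) are taken from the CXF security schema as the author understands it.

```python
"""Added example for this thread; not code from Apache CXF or the posters.

host_matches_cert(): SAN-first hostname rule (dNSName SANs win; CN is a
fallback only when no dNSName SAN exists).
lint_conduit(): flags empty key/trust stores and weak cipher includes in
a CXF http:conduit fragment.
"""
import xml.etree.ElementTree as ET

# Constructed certificates, shaped like ssl.SSLSocket.getpeercert() output.
CERT_WRONG_CN_GOOD_SAN = {
    "subject": ((("commonName", "old-host.example.net"),),),
    "subjectAltName": (("DNS", "api.example.net"), ("DNS", "*.svc.example.net")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "legacy.example.net"),),)}


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS name; '*' is allowed only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject partial-label wildcards, '*.tld' and wildcards spanning several labels.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def host_matches_cert(hostname: str, cert: dict) -> bool:
    """True if hostname is acceptable for cert under the SAN-first rule."""
    dns_names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if dns_names:
        # dNSName SANs present: the CN is ignored even if it would have matched.
        return any(_name_matches(n, hostname) for n in dns_names)
    # Legacy fallback: the CN is consulted only when there is no dNSName SAN.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_matches(cn, hostname) for cn in cns)


# CXF namespaces, and the conduit from the thread reconstructed with them declared.
HTTP_NS = "http://cxf.apache.org/transports/http/configuration"
SEC_NS = "http://cxf.apache.org/configuration/security"
WEAK_SUITE_MARKERS = ("_EXPORT", "_WITH_DES_", "_WITH_NULL_", "_DH_anon_")

CONDUIT_FROM_THREAD = f"""
<http:conduit name="url*" xmlns:http="{HTTP_NS}" xmlns:sec="{SEC_NS}">
  <http:tlsClientParameters>
    <sec:keyManagers keyPassword="">
      <sec:keyStore password="" resource="" type="JKS"/>
    </sec:keyManagers>
    <sec:trustManagers>
      <sec:keyStore password="" resource="" type="JKS"/>
    </sec:trustManagers>
    <sec:cipherSuitesFilter>
      <sec:include>.*_EXPORT_.*</sec:include>
      <sec:include>.*_EXPORT1024_.*</sec:include>
      <sec:include>.*_WITH_DES_.*</sec:include>
      <sec:include>.*_WITH_AES_.*</sec:include>
      <sec:include>.*_WITH_NULL_.*</sec:include>
      <sec:exclude>.*_DH_anon_.*</sec:exclude>
    </sec:cipherSuitesFilter>
  </http:tlsClientParameters>
</http:conduit>
"""


def lint_conduit(xml_text: str) -> list:
    """Return human-readable findings for a CXF http:conduit fragment."""
    root = ET.fromstring(xml_text)
    findings = []
    for manager in ("keyManagers", "trustManagers"):
        for ks in root.findall(f".//{{{SEC_NS}}}{manager}/{{{SEC_NS}}}keyStore"):
            # Assumed attribute names from the CXF security schema: resource/file/url.
            if not (ks.get("resource") or ks.get("file") or ks.get("url")):
                findings.append(
                    f"{manager}: keyStore has no resource/file/url; drop the element "
                    "so the client falls back to the JRE cacerts truststore"
                )
    for inc in root.iter(f"{{{SEC_NS}}}include"):
        pattern = (inc.text or "").strip()
        if any(marker in pattern for marker in WEAK_SUITE_MARKERS):
            findings.append(f"cipherSuitesFilter include {pattern!r} admits weak suites")
    return findings


if __name__ == "__main__":
    print(host_matches_cert("api.example.net", CERT_WRONG_CN_GOOD_SAN))  # True
    print(host_matches_cert("old-host.example.net", CERT_WRONG_CN_GOOD_SAN))  # False
    for finding in lint_conduit(CONDUIT_FROM_THREAD):
        print("-", finding)
```

Running it against the conduit from the thread yields six findings: both empty stores and the four includes that admit EXPORT, DES or NULL suites (the AES include passes, and the DH_anon pattern is already an exclude). Even after the empty stores are removed, a filter that includes export-grade and NULL suites leaves the client able to negotiate no or weak encryption with any server that offers them; restricting the includes to modern AES suites is the corrected setting.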