Posted to users@cxf.apache.org by Tóth Csaba <ig...@domen.hu> on 2021/09/21 13:49:05 UTC
cxf ws client server certificate alternative name
Hello!
For a web service client (over HTTPS), the certificate sent by the server has
the wrong "name", but it has a good "alternative name".
I got javax.net.ssl.SSLHandshakeException: SSLHandshakeException.
I have very basic conduit settings:
<http:conduit name="url*">
  <http:tlsClientParameters>
    <sec:keyManagers keyPassword="">
      <sec:keyStore password="" resource="" type="JKS"/>
    </sec:keyManagers>
    <sec:trustManagers>
      <sec:keyStore password="" resource="" type="JKS"/>
    </sec:trustManagers>
    <sec:cipherSuitesFilter>
      <!-- these filters ensure that a ciphersuite with
           export-suitable or null encryption is used, but exclude anonymous
           Diffie-Hellman key exchange as this is vulnerable to man-in-the-middle
           attacks -->
      <sec:include>.*_EXPORT_.*</sec:include>
      <sec:include>.*_EXPORT1024_.*</sec:include>
      <sec:include>.*_WITH_DES_.*</sec:include>
      <sec:include>.*_WITH_AES_.*</sec:include>
      <sec:include>.*_WITH_NULL_.*</sec:include>
      <sec:exclude>.*_DH_anon_.*</sec:exclude>
    </sec:cipherSuitesFilter>
  </http:tlsClientParameters>
</http:conduit>
(With other HTTPS endpoints it is working.)
How can I set it up to check the "alternative name" too, and not only the
"name"?
Thanks
Csaba
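A hardened form of the conduit above, added here as an illustration; it is not from this thread or from the CXF project, and the endpoint pattern, the truststore file name and its password are placeholders. It assumes the http: and sec: prefixes are bound, as in the post, to http://cxf.apache.org/transports/http/configuration and http://cxf.apache.org/configuration/security. Three points drive it. First, the cipherSuitesFilter in the post is the sample from the CXF documentation, and its comment is accurate: the includes admit EXPORT, single DES and NULL (unencrypted) suites, which an active attacker can break or simply read; a client should offer only AEAD suites with forward secrecy. Second, hostname verification in the JDK and in CXF's default verifier already matches the SAN dNSName entries of the server certificate and consults the CN only for a certificate that has no SAN, so a name error on a certificate with a correct SAN is unexpected; read the actual exception message and the DNS entries printed by openssl, and do not reach for disableCNCheck="true", which switches hostname verification off altogether. Third, certAlias only chooses which entry of the client keystore is presented for client authentication and has no bearing on how the server certificate is validated, and a trustManagers element with an empty keyStore is not a fallback to the JRE cacerts; only omitting the element is.

```xml
<!-- Added example, not from the thread or the CXF project. Placeholders:
     the conduit name pattern, client-truststore.jks and its password. -->
<http:conduit name="https://api.example.test/.*">
  <http:tlsClientParameters disableCNCheck="false">

    <!-- Trust store holding the CA that issued the server certificate.
         Only an absent trustManagers element falls back to the JRE cacerts;
         an element with an empty keyStore reference does not. -->
    <sec:trustManagers>
      <sec:keyStore type="JKS" password="changeit" resource="client-truststore.jks"/>
    </sec:trustManagers>

    <!-- keyManagers and certAlias select the key and certificate this client
         presents for client authentication; they have no effect on how the
         server certificate or its SAN is checked. Omit them unless the server
         requires a client certificate. -->

    <!-- Original filter from the post, kept here only for contrast. Its comment
         is accurate: the includes admit EXPORT, single DES and NULL (plaintext)
         suites, which an active attacker can break or simply read.
    <sec:cipherSuitesFilter>
      <sec:include>.*_EXPORT_.*</sec:include>
      <sec:include>.*_EXPORT1024_.*</sec:include>
      <sec:include>.*_WITH_DES_.*</sec:include>
      <sec:include>.*_WITH_AES_.*</sec:include>
      <sec:include>.*_WITH_NULL_.*</sec:include>
      <sec:exclude>.*_DH_anon_.*</sec:exclude>
    </sec:cipherSuitesFilter>
    -->

    <!-- Hardened filter. CXF admits a suite only if it matches an include and
         matches no exclude, so the list below yields only AEAD suites with
         forward secrecy: the TLS 1.3 suites and ECDHE with AES GCM or
         ChaCha20 Poly1305 for TLS 1.2. The excludes are belt and braces. -->
    <sec:cipherSuitesFilter>
      <sec:include>TLS_AES_.*_GCM_SHA.*</sec:include>
      <sec:include>TLS_CHACHA20_POLY1305_SHA256</sec:include>
      <sec:include>TLS_ECDHE_.*_WITH_AES_.*_GCM_SHA.*</sec:include>
      <sec:include>TLS_ECDHE_.*_WITH_CHACHA20_POLY1305_SHA256</sec:include>
      <sec:exclude>.*_NULL_.*</sec:exclude>
      <sec:exclude>.*_anon_.*</sec:exclude>
      <sec:exclude>.*_EXPORT.*</sec:exclude>
      <sec:exclude>.*_DES_.*</sec:exclude>
      <sec:exclude>.*_RC4_.*</sec:exclude>
      <sec:exclude>.*_MD5</sec:exclude>
    </sec:cipherSuitesFilter>
  </http:tlsClientParameters>
</http:conduit>
```

Running the client with -Djavax.net.debug=ssl:handshake shows the suites actually offered in the ClientHello and the server certificate chain it received, which is the quickest way to confirm both the filter and the SAN contents without a packet capture.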
Re: cxf ws client server certificate alternative name
Posted by Tóth Csaba <ig...@domen.hu>.
Thanks.
This is working.
Csaba
On 2021-09-21 16:08, Freeman Fang wrote:
> Hi,
>
> You can specify certAlias name in
>
> <http:tlsClientParameters>
>
> Something like
>
> <sec:certAlias>what_ever_suitable</sec:certAlias>
>
>
> Hopefully this is what you are looking for.
>
> Cheers
>
> Freeman
Re: cxf ws client server certificate alternative name
Posted by Freeman Fang <fr...@gmail.com>.
Hi,
You can specify certAlias name in
<http:tlsClientParameters>
Something like
<sec:certAlias>what_ever_suitable</sec:certAlias>
Hopefully this is what you are looking for.
Cheers
Freeman
Re: cxf ws client server certificate alternative name
Posted by Mark Presling <ma...@argonaut.nz>.
It should automatically check/use the SAN (Subject Alternative Name). I'm not
aware of any special config for that.
If you can, provide us with the following information:
1. endpoint address
2. output of "openssl s_client -connect cxf.apache.org:443 -servername cxf.apache.org </dev/null | openssl x509 -text -noout | grep -e Subject -e DNS"
where you replace cxf.apache.org (both occurrences) with the hostname of the endpoint address.
But first of all, you should probably try removing the <sec:keyManagers/>
and <sec:trustManagers/> if they are in fact empty. It may just be that you
are telling it to not use a trust store altogether. Without that it will
fall back to using the JRE global cacerts truststore to validate/verify the
server certificate chain.