Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2020/04/01 07:34:00 UTC
[jira] [Resolved] (CXF-8253) Provide a way to disable TLS trust verification for the OSGi HttpConduitConfigApplier
[ https://issues.apache.org/jira/browse/CXF-8253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh resolved CXF-8253.
--------------------------------------
Resolution: Fixed
> Provide a way to disable TLS trust verification for the OSGi HttpConduitConfigApplier
> -------------------------------------------------------------------------------------
>
> Key: CXF-8253
> URL: https://issues.apache.org/jira/browse/CXF-8253
> Project: CXF
> Issue Type: Improvement
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Fix For: 3.4.0, 3.3.7
>
>
> When configuring TLS using properties in an OSGi container via HttpConduitConfigApplier, there is no easy way to disable TLS trust verification (for testing). For Spring + Blueprint it's easy enough to configure an insecure Trust Manager implementation, for example:
>
> {code:java}
> <bean id="trustManagers" class="org.apache.cxf.transport.https.InsecureTrustManager" factory-method="getNoOpX509TrustManagers"/>
> <http:conduit name="https://localhost:.*">
>     <http:tlsClientParameters disableCNCheck="true">
>         <sec:trustManagers ref="trustManagers" />
>     </http:tlsClientParameters>
> </http:conduit>
> {code}
> This task is to add a new configuration property called "trustManagers.disableTrustVerification", which if set to "true" will call InsecureTrustManager.getNoOpX509TrustManagers under the hood, to disable TLS trust verification.
> Obviously this is insecure and should only be used for testing! InsecureTrustManager prints a LOG along these lines at warning level.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
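
Added example, not part of the Jira issue or of CXF: a check that flags conduit property files in which the test-only switch described above, or disableCNCheck, is set to true, so that such a setting is caught before it reaches a non-test deployment. The function name, the suffix matching and the key prefixes in the sample are assumptions; the issue only names "trustManagers.disableTrustVerification".

```python
import re

# Key suffixes that weaken TLS on a CXF HTTP conduit. Matching on the suffix is
# an assumption: the issue names "trustManagers.disableTrustVerification" and the
# Spring example uses disableCNCheck, but the full property prefix is not shown.
RISKY_SUFFIXES = ("trustManagers.disableTrustVerification", "disableCNCheck")

# Java-properties style "key = value" or "key: value"; comments start with # or !
_LINE = re.compile(r"^\s*([^#!\s][^=:\s]*)\s*[=:]\s*(.*?)\s*$")


def audit_conduit_config(text, source="<config>"):
    """Return a list of (source, line_no, key) for TLS checks switched off."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        match = _LINE.match(raw)
        if not match:
            continue  # blank line, comment, or not a key/value pair
        key, value = match.groups()
        enabled = value.strip("\"'").lower() == "true"
        if enabled and key.endswith(RISKY_SUFFIXES):
            findings.append((source, line_no, key))
    return findings


# Constructed sample input, not taken from a real deployment.
# The "tlsClientParameters." prefix and the "url" key are assumed for illustration.
SAMPLE = """\
# test conduit
url = https://localhost:.*
tlsClientParameters.disableCNCheck = true
tlsClientParameters.trustManagers.disableTrustVerification=TRUE
#tlsClientParameters.trustManagers.disableTrustVerification=true
"""

if __name__ == "__main__":
    for src, line_no, key in audit_conduit_config(SAMPLE, "sample.cfg"):
        print(f"{src}:{line_no}: {key} is true (TLS verification weakened)")
```

A build or deployment pipeline can run this over the configuration directory and fail when the returned list is non-empty for any environment other than test.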