You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@cxf.apache.org by Glen Mazza <gl...@gmail.com> on 2010/08/17 15:59:54 UTC

How service-side HTTPS cipher suite filters are defined

Hello, I'd like to confirm something:

The CXF documentation shows where cipher suite filters can be defined on the
client-side:
http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html

However, for service-side, you apparently need to configure the underlying
servlet container and not the web service itself, for example here with
Jetty:
https://cwiki.apache.org/confluence/display/CXF20DOC/Standalone+HTTP+Transport
http://fusesource.com/docs/framework/2.2/security/i343422.html

And Tomcat has a "ciphers" element that will apparently do the same thing:
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html.

So there is no web-service level configuration of cipher suite filters, but
just that of the servlet container (or Endpoint implementation) hosting the
web service, correct?

Thanks,
Glen
-- 
View this message in context: http://cxf.547215.n5.nabble.com/How-service-side-HTTPS-cipher-suite-filters-are-defined-tp2638182p2638182.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: How service-side HTTPS cipher suite filters are defined

Posted by Daniel Kulp <dk...@apache.org>.

On Tuesday 17 August 2010 9:59:54 am Glen Mazza wrote:
> Hello, I'd like to confirm something:
> 
> The CXF documentation shows where cipher suite filters can be defined on
> the client-side:
> http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html
> 
> However, for service-side, you apparently need to configure the underlying
> servlet container and not the web service itself, for example here with
> Jetty:
> https://cwiki.apache.org/confluence/display/CXF20DOC/Standalone+HTTP+Transp
> ort http://fusesource.com/docs/framework/2.2/security/i343422.html
> 
> And Tomcat has a "ciphers" element that will apparently do the same thing:
> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html.
> 
> So there is no web-service level configuration of cipher suite filters, but
> just that of the servlet container (or Endpoint implementation) hosting the
> web service, correct?

That's correct.   For the most part, the ciphers and such are part of the 
socket level negotiation of SSL/TLS.   Thus, it occurs long before CXF really 
has any say in anything.   That's why it needs to be configured on the 
container or jetty directly.


-- 
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog