CXF-2688

Allow deactivation of SSL X509 Certificates validation


Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.6
    • Fix Version/s: 2.2.10
    • Component/s: Transports
    • Labels: None

    Description

      CXF client (JAXWS & JAXRS) for HTTPS calls currently only allows disabling hostname verification (<http-conf:tlsClientParameters disableCNCheck="true" />) but does not allow disabling X509 certificate checking.

      Due to this, it can be painful to invoke services with self-signed certificates on non-production environments (see sample stacktrace below).

      Here is a proposal to disable all X509 certificates in CXF (JAXWS & JAXRS) clients:

      • Add boolean attribute trustAllCertificates to <http-conf:tlsClientParameters ... />,
      • In the HTTPConduit, if trustAllCertificates="true", the HttpsURLConnectionFactory will use an 'accept all certificates' javax.net.ssl.X509TrustManager and an 'accept all' javax.net.ssl.HostnameVerifier.

      Note: this proposal adds an attribute trustAllCertificates to the TLSClientParametersType complex type and thus requires publishing a new 'backward compatible' http://cxf.apache.org/schemas/configuration/security.xsd.

      Configuration sample enabling 'trustAllCertificates' to invoke an HTTPS service:

      <jaxws:client id="helloWorldServiceClient"
         serviceClass="com.example.HelloWorldService"
         address="https://example.com/services/helloWorldService">
      </jaxws:client>
      
      <http-conf:conduit name="{http://example.com/}HelloWorldServicePort.http-conduit">
         <!-- trust all certificates (self signed certificates, etc) -->
         <http-conf:tlsClientParameters trustAllCertificates="true" />
         
         <http-conf:authorization>
            <security:UserName>my-user-name</security:UserName>
            <security:Password>my-password</security:Password>
         </http-conf:authorization>
      </http-conf:conduit>
      

      CXF client exception stacktrace with a self-signed certificate:

      2010/03/01 22:05:23,682  WARN [http-8080-1] org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for 
      {http://example.com/}HelloWorldServiceService#{http://example.com/}sayHi has thrown exception, unwinding now
      org.apache.cxf.interceptor.Fault: Could not send Message.
      	at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
      	...
      	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
      	at $Proxy69.sayHi(Unknown Source)
      	...
      Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: 
      sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      	...
      Caused by: sun.security.validator.ValidatorException: PKIX path building failed: 
      sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      	...
      Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      	...
      
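The self-signed-certificate case from the description can also be handled with conduit configuration CXF already supports, without a trust-all trust manager: a dedicated truststore that holds only that server's certificate, referenced through trustManagers. The following is an added example, not part of this issue or of CXF's own samples. It reuses the conduit name and the security: prefix from the sample above (assumed bound to http://cxf.apache.org/configuration/security); the truststore path and password are placeholders.

```xml
<!-- Added example: trust one known self-signed certificate instead of all certificates.
     Conduit name matches the sample above; assumes
     xmlns:security="http://cxf.apache.org/configuration/security" is declared. -->
<http-conf:conduit name="{http://example.com/}HelloWorldServicePort.http-conduit">
   <!-- disableCNCheck is left at its default (false), so hostname verification stays on -->
   <http-conf:tlsClientParameters>
      <security:trustManagers>
         <!-- placeholder JKS truststore containing only the server's self-signed certificate
              (e.g. imported with keytool -importcert); path and password are placeholders -->
         <security:keyStore type="JKS"
                            password="TRUSTSTORE_PASSWORD_PLACEHOLDER"
                            file="config/helloworld-truststore.jks" />
      </security:trustManagers>
   </http-conf:tlsClientParameters>

   <http-conf:authorization>
      <security:UserName>my-user-name</security:UserName>
      <security:Password>my-password</security:Password>
   </http-conf:authorization>
</http-conf:conduit>
```

With this configuration the PKIX path building in the stacktrace above succeeds because the self-signed certificate itself is the trust anchor, while any other certificate, including one presented by a host impersonating example.com, is still rejected.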

      Attachments

        1. CXF-2688-enhanced-warnings.patch
          12 kB
          Cyrille Le Clerc
        2. CXF-2688.diff
          7 kB
          Cyrille Le Clerc

          People

            cleclerc Cyrille Le Clerc
            cleclerc Cyrille Le Clerc