CXF-8037

Apache CXF (AsyncHTTPConduit) ignores system keyStore property


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.2.5, 3.3.1
    • Fix Version/s: 3.2.9, 3.3.2
    • Component/s: WS-* Components
    • Labels:
      None
    • Estimated Complexity:
      Unknown

      Description

      I'm using the play-soap library to connect to a webservice, which under the hood uses the Apache CXF library (3.2.5).

      I need to use mutual TLS and it's difficult to configure play-soap, so I thought the underlying CXF would respect system properties.
      However, it seems like it completely ignores the javax.net.ssl.keyStore-related ones.

      So I tried to set the following:

      System.setProperty("javax.net.ssl.trustStore", "truststore.jks")
      System.setProperty("javax.net.ssl.trustStorePassword", "changeit")
      System.setProperty("javax.net.ssl.keyStore", "keystore.p12")
      System.setProperty("javax.net.ssl.keyStoreType", "PKCS12")
      System.setProperty("javax.net.ssl.keyStorePassword", "changeit")
      System.setProperty("javax.net.debug", "ssl,handshake")

      However, I'm getting an SSL Handshake exception and according to the logs, the SSL client is not able to find the proper client certificate requested by the server (even though the certificate exists in the p12 file).

      I think this is caused by org.apache.cxf.transport.http.asyncclient.AsyncHTTPConduit.getSSLContext, which ignores the key managers completely:

      KeyManager[] keyManagers = tlsClientParameters.getKeyManagers();
      org.apache.cxf.transport.https.SSLUtils.configureKeyManagersWithCertAlias(
              tlsClientParameters, keyManagers);

      TrustManager[] trustManagers = tlsClientParameters.getTrustManagers();
      if (trustManagers == null) {
          trustManagers = org.apache.cxf.configuration.jsse.SSLUtils.getDefaultTrustStoreManagers(LOG);
      }

      I think that simply adding

      if (keyManagers == null) {
          keyManagers = org.apache.cxf.configuration.jsse.SSLUtils.getDefaultKeyStoreManagers(LOG);
      }

      should solve the issue.
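The following is an added example for readers on an affected version (before 3.2.9 / 3.3.2); it is not CXF's own code and not part of the report. It does by hand what the missing fallback does: it loads the key store and trust store named by the javax.net.ssl.* system properties, checks that the key store actually holds a private-key entry (a certificate without its key produces exactly the "no client certificate presented" handshake failure described above), and pins the resulting managers on the client's HTTPConduit through TLSClientParameters so the choice of conduit no longer matters. Assumptions: the helper names (SystemPropertyMutualTls, configureClient, and the two ...FromSystemProperties methods) are hypothetical; the key store and trust store exist on disk at the configured paths; the JAX-WS proxy passed to configureClient was created by CXF's frontend (cxf-rt-frontend-jaxws and cxf-rt-transports-http on the classpath).

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

/**
 * Illustrative helper (hypothetical name, not CXF code): builds key and trust managers
 * from the javax.net.ssl.* system properties and pins them on a CXF client conduit,
 * so mutual TLS works even where the conduit does not fall back to them itself.
 */
public final class SystemPropertyMutualTls {

    private static char[] password(String property) {
        return System.getProperty(property, "").toCharArray();
    }

    private static KeyStore load(String path, String type, char[] pwd)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pwd);
        }
        return ks;
    }

    /** Key managers from javax.net.ssl.keyStore*, or null when no key store is configured. */
    static KeyManager[] keyManagersFromSystemProperties()
            throws GeneralSecurityException, IOException {
        String path = System.getProperty("javax.net.ssl.keyStore");
        if (path == null) {
            return null; // no client certificate will be offered to the server
        }
        char[] pwd = password("javax.net.ssl.keyStorePassword");
        KeyStore ks = load(path,
                System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType()), pwd);
        // A certificate alone is not enough for client authentication: the store must hold
        // a private-key entry, otherwise the handshake fails with no certificate presented.
        boolean hasPrivateKey = false;
        for (String alias : Collections.list(ks.aliases())) {
            hasPrivateKey |= ks.isKeyEntry(alias);
        }
        if (!hasPrivateKey) {
            throw new GeneralSecurityException(path + " holds no private-key entry");
        }
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pwd);
        return kmf.getKeyManagers();
    }

    /** Trust managers from javax.net.ssl.trustStore*, falling back to the JDK default store. */
    static TrustManager[] trustManagersFromSystemProperties()
            throws GeneralSecurityException, IOException {
        String path = System.getProperty("javax.net.ssl.trustStore");
        KeyStore ts = null; // null makes the factory use the JDK's own default trust store
        if (path != null) {
            ts = load(path,
                    System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType()),
                    password("javax.net.ssl.trustStorePassword"));
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        return tmf.getTrustManagers();
    }

    /** Apply both manager sets to a CXF JAX-WS proxy, regardless of which conduit it uses. */
    static void configureClient(Object jaxwsProxy) throws GeneralSecurityException, IOException {
        Client client = ClientProxy.getClient(jaxwsProxy);
        HTTPConduit conduit = (HTTPConduit) client.getConduit(); // AsyncHTTPConduit extends it
        TLSClientParameters tls = conduit.getTlsClientParameters();
        if (tls == null) {
            tls = new TLSClientParameters();
        }
        tls.setKeyManagers(keyManagersFromSystemProperties());
        tls.setTrustManagers(trustManagersFromSystemProperties());
        conduit.setTlsClientParameters(tls);
    }

    /** Stand-alone check: can an SSLContext be built from the configured stores? */
    public static void main(String[] args) throws Exception {
        KeyManager[] km = keyManagersFromSystemProperties();
        TrustManager[] tm = trustManagersFromSystemProperties();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(km, tm, null);
        System.out.println("SSLContext ready; client certificate configured: " + (km != null));
    }
}
```

Run the stand-alone check with the same properties the report sets, e.g. java -Djavax.net.ssl.keyStore=keystore.p12 -Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStore=truststore.jks -Djavax.net.ssl.trustStorePassword=changeit SystemPropertyMutualTls; if it throws "holds no private-key entry", the p12 was exported without the key and no conduit fix will help. Once the CXF fix is in place, calling configureClient is unnecessary, since the conduit then applies the key store fallback itself.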

            People

             • Assignee: coheigea Colm O hEigeartaigh
             • Reporter: slnowak Slawomir Nowak
             • Votes: 0
             • Watchers: 1

              Dates

              • Created:
                Updated:
                Resolved: