CXF / CXF-8253

Provide a way to disable TLS trust verification for the OSGi HttpConduitConfigApplier


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.3.7, 3.4.0
    • Component/s: None
    • Labels:
      None
    • Estimated Complexity:
      Unknown

      Description

      When configuring TLS using properties in an OSGi container via HttpConduitConfigApplier, there is no easy way to disable TLS trust verification (for testing). For Spring + Blueprint it's easy enough to configure an insecure Trust Manager implementation, for example:

       

      <bean id="trustManagers" class="org.apache.cxf.transport.https.InsecureTrustManager" factory-method="getNoOpX509TrustManagers"/>
      
      <http:conduit name="https://localhost:.*">
          <http:tlsClientParameters disableCNCheck="true">
              <sec:trustManagers ref="trustManagers" />
          </http:tlsClientParameters>
      </http:conduit>
      

      This task is to add a new configuration property called "trustManagers.disableTrustVerification", which if set to "true" will call InsecureTrustManager.getNoOpX509TrustManagers under the hood, to disable TLS trust verification.

      Obviously this is insecure and should only be used for testing! InsecureTrustManager logs a message along these lines at warning level.
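
Because these settings are meant for testing only, a pre-deployment check can flag any configuration that still carries them. The script below is an added example, not part of the CXF project or of this issue; it matches only the names mentioned above (InsecureTrustManager, disableCNCheck, disableTrustVerification), and the sample inputs and file suffixes are constructed assumptions.

```python
import os
import re
import sys

# Names taken from the issue text; each marks TLS verification being switched off.
CHECKS = [
    ("InsecureTrustManager", re.compile(r"InsecureTrustManager")),
    ("disableCNCheck", re.compile(r"disableCNCheck\s*[=:]\s*[\"']?true", re.I)),
    ("disableTrustVerification",
     re.compile(r"disableTrustVerification\s*[=:]\s*[\"']?true", re.I)),
]
XML_COMMENT = re.compile(r"<!--.*?-->", re.S)

def find_insecure_tls_settings(text, source="<config>"):
    """Return (source, line_no, check_name) for every active test-only TLS setting."""
    # Blank out XML comments but keep their newlines so line numbers stay right.
    text = XML_COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), text)
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", "!")):  # properties/.cfg comment line
            continue
        for name, pattern in CHECKS:
            if pattern.search(line):
                findings.append((source, line_no, name))
    return findings

def scan_tree(root, suffixes=(".xml", ".cfg", ".properties")):
    """Scan every config file under root and return the combined findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            if fname.endswith(suffixes):
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings += find_insecure_tls_settings(fh.read(), path)
    return findings

# Constructed sample inputs (the XML mirrors the snippet in the description).
SAMPLE_XML = '''<bean id="trustManagers" class="org.apache.cxf.transport.https.InsecureTrustManager" factory-method="getNoOpX509TrustManagers"/>
<http:conduit name="https://localhost:.*">
    <http:tlsClientParameters disableCNCheck="true">
        <sec:trustManagers ref="trustManagers" />
    </http:tlsClientParameters>
</http:conduit>
<!-- <http:tlsClientParameters disableCNCheck="true"/> -->'''
SAMPLE_CFG = ("# trustManagers.disableTrustVerification = true\n"
              "trustManagers.disableTrustVerification = true\n")

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else (
        find_insecure_tls_settings(SAMPLE_XML, "sample.xml")
        + find_insecure_tls_settings(SAMPLE_CFG, "sample.cfg"))
    for source, line_no, name in hits:
        print(f"{source}:{line_no}: {name}")
    sys.exit(1 if hits else 0)
```

Run with a directory argument, the script exits non-zero when any active setting is found, so it can gate a release build; commented-out settings are ignored.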


            People

            • Assignee:
              coheigea Colm O hEigeartaigh
              Reporter:
              coheigea Colm O hEigeartaigh
