[
https://issues.apache.org/jira/browse/CXF-2688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12840719#action_12840719
]
Glen Mazza commented on CXF-2688:
---------------------------------
I disagree heavily with this change--it is a dangerous setting that if not
forgotten to be disabled, can create severe security problems with clients and
services using CXF, causing the CXF product to look very bad. Neither Metro
nor Axis2 provide this either.
Hence, I'm VETOing it (-1) until at least a couple of other CXF team members
speak in support of it. Then, I'll happily yield. Sorry--I just need more
than one committer to speak on behalf of this change.
The argument given for this, namely that "it can be painful to invoke services
with self-signed certificates on non-production environments" is a complete
joke. Using self-signed certs is a piece of cake as I've shown for HTTPS[1]
and also WS-Security w/X509 token profile[2].
Further, if you cannot use HTTPS for any reason, just downgrade to HTTP until
you can. "But I want to use HTTP although have the HTTPS protocol visible!!!"
is not a use case that CXF should be supporting.
All this change is saying is "Because of political issues with my present
project (and/or laziness on my end in needing to learn how to use self-signed
certs), it would be helpful for me if CXF had the ability to falsely
misrepresent that it is using HTTPS when it is actually using HTTP". For the
protection of the CXF product, that is not something we should be supporting.
[1] http://www.jroller.com/gmazza/entry/setting_up_ssl_and_basic
[2] http://www.jroller.com/gmazza/entry/cxf_x509_profile
> Allow deactivation of SSL X509 Certificates validation
> ------------------------------------------------------
>
> Key: CXF-2688
> URL: https://issues.apache.org/jira/browse/CXF-2688
> Project: CXF
> Issue Type: New Feature
> Components: Transports
> Affects Versions: 2.2.6
> Reporter: Cyrille Le Clerc
> Assignee: Cyrille Le Clerc
> Fix For: 2.2.7
>
> Attachments: CXF-2688.diff
>
>
> CXF client (JAXWS & JAXRS) for HTTPS calls currently only allows to disable
> hostname verification ({{<http-conf:tlsClientParameters disableCNCheck="true"
> />}}) but does not allow to disable X509 certificates checking.
> Due to this, it can be painful to invoke services with self-signed
> certificates on non-production environments (see sample stacktrace below).
> Here is a proposal to disable all X509 certificates in CXF (JAXWS & JAXRS)
> clients :
> * Add boolean attribute {{trustAllCertificates}} to
> {{<http-conf:tlsClientParameters ... />}},
> * In the {{HTTPConduit}}, if {{trustAllCertificates="true"}}, the
> {{HttpsURLConnectionFactory}} will use an 'accept all certificates'
> {{javax.net.ssl.X509TrustManager}} and an 'accept all'
> {{javax.net.ssl.HostnameVerifier}}.
> *Note* : this proposal adds an attribute {{trustAllCertificates}} to the
> {{TLSClientParametersType}} complex type and thus *this proposal requires to
> publish a new 'backward compatible'
> [http://cxf.apache.org/schemas/configuration/security.xsd]*.
> Configuration sample enabling 'trustAllCertificates' to invoke an HTTPS
> service:
> {code:xml}
> <jaxws:client id="helloWorldServiceClient"
> serviceClass="com.example.HelloWorldService"
> address="https://example.com/services/helloWorldService";>
> </jaxws:client>
> <http-conf:conduit
> name="{http://example.com/}HelloWorldServicePort.http-conduit";>
> <!-- trust all certificates (self signed certificates, etc) -->
> <http-conf:tlsClientParameters trustAllCertificates="true" />
>
> <http-conf:authorization>
> <security:UserName>my-user-name</security:UserName>
> <security:Password>my-password</security:Password>
> </http-conf:authorization>
> </http-conf:conduit>
> {code}
> CXF client exception's stacktrace with a self-signe certificate:
> {noformat}
> 2010/03/01 22:05:23,682 WARN [http-8080-1]
> org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for
> {http://example.com/}HelloWorldServiceService#{http://example.com/}sayHi has
> thrown exception, unwinding now
> org.apache.cxf.interceptor.Fault: Could not send Message.
> at
> org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
> ...
> at
> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
> at $Proxy69.sayHi(Unknown Source)
> ...
> Caused by: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> ...
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> ...
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find valid certification path to requested target
> ...
> {noformat}
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
