[ https://issues.apache.org/jira/browse/CXF-6944?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15339117#comment-15339117 ]
David Tarr edited comment on CXF-6944 at 6/20/16 7:47 AM: ---------------------------------------------------------- Sure: {code:java|title=some-init-method} SSLSocketFactory sslSocketFactory = getSslSocketFactory(); TLSClientParameters tlsClientParameters = new TLSClientParameters(); tlsClientParameters.setCertAlias("the-alias"); tlsClientParameters.setSSLSocketFactory(factory); ... Client client = ClientProxy.getClient(service); HTTPConduit conduit = (HTTPConduit) client.getConduit(); conduit.setTlsClientParameters(tlsClientParameters); .... // invoke service {code} {code:java|title=getSocketFactory()} TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); trustManagerFactory.init(getTrustStore()); TrustManager[] trustManagers = trustManagerFactory.getTrustManagers(); KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); keyManagerFactory.init(keyStore, password); KeyManager[] keyManagers = keyManagerFactory.getKeyManagers(); SSLContext sslContext = SSLContext.getInstance("TLSv1"); sslContext.init(keyManagers, trustManagers, new SecureRandom()); return sslContext.getSocketFactory(); {code} {code:java|title=getTrustStore()} KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType()); InputStream streamToStore = ... keystore.load(streamToStore, keystorePassword); streamToStore.close(); return keystore; {code} When I debugged it, as far as I could tell, the trustmanager doesn't return any reference to cacerts. was (Author: david tarr): Sure: {code:java|title=some-init-method} SSLSocketFactory sslSocketFactory = getSslSocketFactory(); TLSClientParameters tlsClientParameters = new TLSClientParameters(); tlsClientParameters.setCertAlias("the-alias"); tlsClientParameters.setSSLSocketFactory(factory); ... Client client = ClientProxy.getClient(service); HTTPConduit conduit = (HTTPConduit) client.getConduit(); conduit.setTlsClientParameters(tlsClientParameters); .... // invoke service {code} {code:java|title=getSocketFactory()} TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); trustManagerFactory.init(getTrustStore()); TrustManager[] trustManagers = trustManagerFactory.getTrustManagers(); KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); keyManagerFactory.init(keyStore, password); KeyManager[] keyManagers = keyManagerFactory.getKeyManagers(); SSLContext sslContext = SSLContext.getInstance("TLSv1"); sslContext.init(keyManagers, trustManagers, new SecureRandom()); return sslContext.getSocketFactory(); {code} {code|title=getTrustStore()} KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType()); InputStream streamToStore = ... keystore.load(streamToStore, keystorePassword); streamToStore.close(); return keystore; {code} When I debugged it, as far as I could tell, the trustmanager doesn't return any reference to cacerts. > cacerts is loaded while different truststore is specified > --------------------------------------------------------- > > Key: CXF-6944 > URL: https://issues.apache.org/jira/browse/CXF-6944 > Project: CXF > Issue Type: Improvement > Components: Transports > Affects Versions: 2.7.18 > Reporter: David Tarr > Priority: Minor > > It seems cxf still loads the cacerts eventhough a different truststore is > specified (programmatically - not via cxf.xml). Could this potentially load > to a security-risk? > When I movethe trusted key from the different truststore to cacerts, the > server is not trusted and the handshake fails. But I have not investigated > any further. > {noformat} > 2016-06-17 13:45:21,213 INFO [main] spring.BusApplicationContext - Loaded > configuration file cxf.xml. > 2016-06-17 13:45:21,213 INFO [main] > spring.ControlledValidationXmlBeanDefinitionReader - Loading XML bean > definitions from class path resource [META-INF/cxf/cxf.xml] > 2016-06-17 13:45:21,322 INFO [main] > spring.ControlledValidationXmlBeanDefinitionReader - Loading XML bean > definitions from class path resource [cxf.xml] > 2016-06-17 13:45:21,793 INFO [main] factory.ReflectionServiceFactoryBean - > Creating Service {http://www........com/.........}.... from class > ............. > keyStore is : > keyStore type is : jks > keyStore provider is : > init keystore > init keymanager of type SunX509 > trustStore is: C:\Java\jdk1.7.0_79\jre\lib\security\cacerts > trustStore type is : jks > trustStore provider is : > init truststore > ... > {noformat} -- This message was sent by Atlassian JIRA (v6.3.4#6332)