[ https://issues.apache.org/jira/browse/CXF-6944?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15339668#comment-15339668 ]

Colm O hEigeartaigh commented on CXF-6944:
------------------------------------------

Ok thanks. I've looked into it and the SSL logs are a bit misleading. CXF 
obtains a HTTPUrlConnection object via url.openConnection(). This is 
subsequently "decorated" with the TLS settings. However, by the time 
openConnection() is called, the SSL context is not set up. That is why you see 
the default CA certs being listed - this occurs on openConnection(). However, 
openConnection() does not actually set up the network connection - by the time the 
connect is done, the correct truststore settings have been plugged in. 

Colm.

> cacerts is loaded while different truststore is specified
> ---------------------------------------------------------
>
>                 Key: CXF-6944
>                 URL: https://issues.apache.org/jira/browse/CXF-6944
>             Project: CXF
>          Issue Type: Improvement
>          Components: Transports
>    Affects Versions: 2.7.18
>            Reporter: David Tarr
>            Priority: Minor
>
> It seems cxf still loads the cacerts even though a different truststore is 
> specified (programmatically - not via cxf.xml). Could this potentially lead 
> to a security risk?
> When I move the trusted key from the different truststore to cacerts, the 
> server is not trusted and the handshake fails. But I have not investigated 
> any further.
> {noformat}
> 2016-06-17 13:45:21,213 INFO  [main] spring.BusApplicationContext  - Loaded 
> configuration file cxf.xml.
> 2016-06-17 13:45:21,213 INFO  [main] 
> spring.ControlledValidationXmlBeanDefinitionReader  - Loading XML bean 
> definitions from class path resource [META-INF/cxf/cxf.xml]
> 2016-06-17 13:45:21,322 INFO  [main] 
> spring.ControlledValidationXmlBeanDefinitionReader  - Loading XML bean 
> definitions from class path resource [cxf.xml]
> 2016-06-17 13:45:21,793 INFO  [main] factory.ReflectionServiceFactoryBean  - 
> Creating Service {http://www........com/.........}.... from class 
> .............
> keyStore is : 
> keyStore type is : jks
> keyStore provider is : 
> init keystore
> init keymanager of type SunX509
> trustStore is: C:\Java\jdk1.7.0_79\jre\lib\security\cacerts
> trustStore type is : jks
> trustStore provider is : 
> init truststore
> ...
> {noformat}
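An added example (not CXF's code and not from this thread) illustrating the point above: url.openConnection() only builds the HttpsURLConnection object, the custom SSLSocketFactory is applied afterwards, and the handshake at connect() consults only the trust manager built from the explicitly loaded truststore. The truststore path, password and URL are placeholders; the wrapping trust manager prints which store is actually consulted, which is a more reliable check than the "trustStore is:" line from javax.net.debug, which reflects the JVM's default context.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class TruststoreCheck {
    // Wraps the real trust manager so we can observe, at handshake time, which store is consulted.
    static final class LoggingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        LoggingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            System.out.println("checkServerTrusted: " + chain[0].getSubjectX500Principal());
            delegate.checkServerTrusted(chain, authType); // throws unless OUR store trusts the chain
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    // Builds an SSLSocketFactory from an explicitly loaded JKS truststore (not cacerts).
    static SSLSocketFactory socketFactoryFor(String truststorePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(truststorePath)) { ts.load(in, password); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        X509TrustManager real = (X509TrustManager) tmf.getTrustManagers()[0];
        System.out.println("custom store trusts " + real.getAcceptedIssuers().length + " issuer(s)");
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new LoggingTrustManager(real) }, null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: pass real values as arguments.
        String truststore = args.length > 0 ? args[0] : "client-truststore.jks";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String url = args.length > 2 ? args[2] : "https://localhost:8443/";
        SSLSocketFactory sf = socketFactoryFor(truststore, password);

        // openConnection() creates the object only: no socket, no handshake yet.
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(sf); // "decorate" with the custom trust settings before connecting
        conn.setConnectTimeout(5000);
        try {
            conn.connect(); // handshake happens here, against the custom store only
            System.out.println("HTTP " + conn.getResponseCode());
        } finally { conn.disconnect(); }
    }
}
```

Run it once against a server whose CA is only in the custom store and once after removing that CA from the store: the first succeeds, the second fails in checkServerTrusted regardless of what cacerts contains.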



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
