| |
| <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> |
| <!-- |
| |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| <html> |
| <head> |
| |
| <link type="text/css" rel="stylesheet" href="/resources/site.css"> |
| <script src='/resources/space.js'></script> |
| |
| <meta http-equiv="Content-type" content="text/html;charset=UTF-8"> |
| <meta name="keywords" content="business integration, EAI, SOA, Service Oriented Architecture, web services, SOAP, JBI, JMS, WSDL, XML, EDI, Electronic Data Interchange, standards support, integration standards, application integration, middleware, software, solutions, services, CXF, open source"> |
| <meta name="description" content="Apache CXF, Services Framework - TLS Configuration"> |
| |
| |
| <link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shCoreCXF.css"> |
| <link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shThemeCXF.css"> |
| |
| <script src='/resources/highlighter/scripts/shCore.js'></script> |
| <script src='/resources/highlighter/scripts/shBrushXml.js'></script> |
| <script> |
| SyntaxHighlighter.defaults['toolbar'] = false; |
| SyntaxHighlighter.all(); |
| </script> |
| |
| |
| <title> |
| Apache CXF -- TLS Configuration |
| </title> |
| </head> |
| <body onload="init()"> |
| |
| |
| <table width="100%" cellpadding="0" cellspacing="0"> |
| <tr> |
| <td id="cell-0-0" colspan="2"> </td> |
| <td id="cell-0-1"> </td> |
| <td id="cell-0-2" colspan="2"> </td> |
| </tr> |
| <tr> |
| <td id="cell-1-0"> </td> |
| <td id="cell-1-1"> </td> |
| <td id="cell-1-2"> |
| <!-- Banner --> |
| <div class="banner" id="banner"><div><table border="0" cellpadding="0" cellspacing="0" width="100%"><tr><td align="left" colspan="1" nowrap> |
| <a shape="rect" href="http://cxf.apache.org/" title="Apache CXF"><span style="font-weight: bold; font-size: 170%; color: white">Apache CXF</span></a> |
| </td><td align="right" colspan="1" nowrap> |
| <a shape="rect" href="http://www.apache.org/" title="The Apache Sofware Foundation"><img border="0" alt="ASF Logo" src="http://cxf.apache.org/images/asf-logo.png"></a> |
| </td></tr></table></div></div> |
| <!-- Banner --> |
| <div id="top-menu"> |
| <table border="0" cellpadding="1" cellspacing="0" width="100%"> |
| <tr> |
| <td> |
| <div align="left"> |
| <!-- Breadcrumbs --> |
| <a href="index.html">Index</a> > <a href="transports.html">Transports</a> > <a href="http-transport.html">HTTP Transport</a> > <a href="asynchronous-client-http-transport.html">Asynchronous Client HTTP Transport</a> > <a href="tls-configuration.html">TLS Configuration</a> |
| <!-- Breadcrumbs --> |
| </div> |
| </td> |
| <td> |
| <div align="right"> |
| <!-- Quicklinks --> |
| <div id="quicklinks"><p><a shape="rect" href="http://cxf.apache.org/download.html">Download</a> | <a shape="rect" href="http://cxf.apache.org/docs/index.html">Documentation</a></p></div> |
| <!-- Quicklinks --> |
| </div> |
| </td> |
| </tr> |
| </table> |
| </div> |
| </td> |
| <td id="cell-1-3"> </td> |
| <td id="cell-1-4"> </td> |
| </tr> |
| <tr> |
| <td id="cell-2-0" colspan="2"> </td> |
| <td id="cell-2-1"> |
| <table> |
| <tr valign="top"> |
| <td height="100%"> |
| <div id="wrapper-menu-page-right"> |
| <div id="wrapper-menu-page-top"> |
| <div id="wrapper-menu-page-bottom"> |
| <div id="menu-page"> |
| <!-- NavigationBar --> |
| <div id="navigation"><ul class="alternate"><li><a shape="rect" href="overview.html">Overview</a></li><li><a shape="rect" href="how-tos.html">How-Tos</a></li><li><a shape="rect" href="frontends.html">Frontends</a></li><li><a shape="rect" href="databindings.html">DataBindings</a></li><li><a shape="rect" href="transports.html">Transports</a></li><li><a shape="rect" href="configuration.html">Configuration</a></li><li><a shape="rect" href="debugging-and-logging.html">Debugging and Logging</a></li><li><a shape="rect" href="tools.html">Tools</a></li><li><a shape="rect" href="restful-services.html">RESTful Services</a></li><li><a shape="rect" href="wsdl-bindings.html">WSDL Bindings</a></li><li><a shape="rect" href="service-routing.html">Service Routing</a></li><li><a shape="rect" href="dynamic-languages.html">Dynamic Languages</a></li><li><a shape="rect" href="ws-support.html">WS-* Support</a></li><li><a shape="rect" href="advanced-integration.html">Advanced Integration</a></li><li><a shape="rect" href="deployment.html">Deployment</a></li><li><a shape="rect" href="schemas-and-namespaces.html">Use of Schemas and Namespaces</a></li></ul><hr><ul class="alternate"><li><p>Search</p></li></ul><form enctype="application/x-www-form-urlencoded" method="get" id="cse-search-box" action="http://www.google.com/cse"> |
| <div> |
| <input type="hidden" name="cx" value="002890367768291051730:o99qiwa09y4"> |
| <input type="hidden" name="ie" value="UTF-8"> |
| <input type="text" name="q" size="21"> |
| <input type="submit" name="sa" value="Search"> |
| </div> |
| </form> |
| <script type="text/javascript" src="http://www.google.com/cse/brand?form=cse-search-box&lang=en"></script><hr><ul class="alternate"><li><a shape="rect" href="http://cxf.apache.org/javadoc/latest/">API 3.2.x (Javadoc)</a></li><li><a shape="rect" href="http://cxf.apache.org/javadoc/latest-3.1.x/">API 3.1.x (Javadoc)</a></li><li><a shape="rect" href="http://cxf.apache.org/">CXF Website</a></li></ul><p> </p><p><a shape="rect" class="external-link" href="http://www.apache.org/events/current-event.html"><span class="confluence-embedded-file-wrapper"><img class="confluence-embedded-image confluence-external-resource" src="http://www.apache.org/events/current-event-125x125.png" data-image-src="http://www.apache.org/events/current-event-125x125.png"></span></a></p></div> |
| <!-- NavigationBar --> |
| </div> |
| </div> |
| </div> |
| </div> |
| </td> |
| <td height="100%"> |
| <!-- Content --> |
| <div class="wiki-content"> |
| <div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/ |
| div.rbtoc1636141678381 {padding: 0px;} |
| div.rbtoc1636141678381 ul {list-style: disc;margin-left: 0px;} |
| div.rbtoc1636141678381 li {margin-left: 0px;padding-left: 0px;} |
| |
| /*]]>*/</style></p><div class="toc-macro rbtoc1636141678381"> |
| <ul class="toc-indentation"><li><a shape="rect" href="#TLSConfiguration-TLSParameterscommontobothClientsandServers">TLS Parameters common to both Clients and Servers</a> |
| <ul class="toc-indentation"><li><a shape="rect" href="#TLSConfiguration-KeyManagers">Key Managers</a></li><li><a shape="rect" href="#TLSConfiguration-TrustManagers">Trust Managers</a></li><li><a shape="rect" href="#TLSConfiguration-TLSCipherSuites">TLS CipherSuites</a> |
| <ul class="toc-indentation"><li><a shape="rect" href="#TLSConfiguration-CipherSuites">CipherSuites</a></li><li><a shape="rect" href="#TLSConfiguration-CipherSuitesFilter">CipherSuites Filter</a></li></ul> |
| </li><li><a shape="rect" href="#TLSConfiguration-CertConstraints">Cert Constraints</a></li></ul> |
| </li><li><a shape="rect" href="#TLSConfiguration-ClientTLSParameters">Client TLS Parameters</a> |
| <ul class="toc-indentation"><li><a shape="rect" href="#TLSConfiguration-DisableCNCheck">Disable CN Check</a></li></ul> |
| </li><li><a shape="rect" href="#TLSConfiguration-ServerTLSParameters">Server TLS Parameters</a> |
| <ul class="toc-indentation"><li><a shape="rect" href="#TLSConfiguration-ClientAuthentication">Client Authentication</a></li></ul> |
| </li></ul> |
| </div><h1 id="TLSConfiguration-TLSParameterscommontobothClientsandServers">TLS Parameters common to both Clients and Servers</h1><p>The TLS Parameters common to both Clients and Servers are given <a shape="rect" class="external-link" href="https://svn.apache.org/repos/asf/cxf/trunk/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterBase.java">here</a>:</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup span="1"><col span="1"><col span="1"><col span="1"></colgroup><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Attribute</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Default</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>keyManagers</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>JVM default Key Managers</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Key Managers to hold X509 certificates.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>trustManagers</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>JVM default Trust Managers</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>TrustManagers to validate peer X509 certificates.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>jsseProvider</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>JVM default provider associated with protocol</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>JSSE provider name.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>cipherSuites</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>JVM default cipher suites</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>CipherSuites that will be supported.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>cipherSuitesFilter</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><br clear="none"></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>filters of the supported CipherSuites that will be supported and used if available.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>certConstraints</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><br clear="none"></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Certificate Constraints specification.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>secureRandomParameters</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>JVM default Secure Random</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>SecureRandom specification.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>secureSocketProtocol</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>"TLS"</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Protocol Name. For example: "TLS", "TLSv1.2", "TLSv1.3".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>certAlias</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><br clear="none"></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Cert alias to use. Useful when keystore has multiple certs.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">enableRevocation CXF 3.1.11</td><td colspan="1" rowspan="1" class="confluenceTd">"false"</td><td colspan="1" rowspan="1" class="confluenceTd"><p>This attribute specifies whether to enable revocation when checking the client/server certificate.</p><p>To enable "ocsp" this should be set to "true" (along with the Java Security property "ocsp.enable").</p></td></tr></tbody></table></div><p><br clear="none"></p><p>Note that from CXF 3.0.3 and 2.7.14, the SSLv3 protocol is disabled on the client side, and on the service side (if Jetty is used), unless "SSLv3" is explicitly specified for the "secureSocketProtocol" parameter.</p><h2 id="TLSConfiguration-KeyManagers">Key Managers</h2><p>The Key Managers configuration item is used to retrieve key information. It is required for a Server, but is only required for a Client when the Server requires Client Authentication.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Key Manager sample</b></div><div class="codeContent panelContent pdl"> |
| <pre class="brush: xml; gutter: false; theme: Default"> <httpj:tlsServerParameters> |
| ... |
| <sec:keyManagers keyPassword="stskpass"> |
| <sec:keyStore type="jks" password="stsspass" resource="stsstore.jks" /> |
| </sec:keyManagers> |
| ... |
| </httpj:tlsServerParameters> |
| </pre> |
| </div></div><h2 id="TLSConfiguration-TrustManagers">Trust Managers</h2><p>The Trust Managers configuration item is used to validate trust in peer X.509 certificates. It is required for both Servers and Clients.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Trust Manager sample</b></div><div class="codeContent panelContent pdl"> |
| <pre class="brush: xml; gutter: false; theme: Default"> <httpj:tlsServerParameters> |
| ... |
| <sec:trustManagers> |
| <sec:keyStore type="jks" password="stsspass" resource="stsstore.jks" /> |
| </sec:trustManagers> |
| ... |
| </httpj:tlsServerParameters> |
| </pre> |
| </div></div><h2 id="TLSConfiguration-TLSCipherSuites">TLS CipherSuites</h2><p>When CXF selects the CipherSuites to use in a TLS Connection, it selects them in the following order:</p><ol><li>If we have defined explicit "cipherSuite" configuration (see below)</li><li>If we have defined ciphersuites via the system property "https.cipherSuites".</li><li>The default JVM CipherSuites, if no filters (see below) have been defined</li><li>Filter the supported cipher suites (*not* the default JVM CipherSuites)</li></ol><h3 id="TLSConfiguration-CipherSuites">CipherSuites</h3><p>We can select explicit CipherSuites to use in configuration, for example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CipherSuites sample</b></div><div class="codeContent panelContent pdl"> |
| <pre class="brush: xml; gutter: false; theme: Default"> <httpj:tlsServerParameters> |
| ... |
| <sec:cipherSuites> |
| <sec:cipherSuite>TLS_AES_128_GCM_SHA256</sec:cipherSuite> |
| </sec:cipherSuites> |
| ... |
| </httpj:tlsServerParameters> |
| </pre> |
| </div></div><h3 id="TLSConfiguration-CipherSuitesFilter">CipherSuites Filter</h3><p>The CipherSuites Filter is used to either include or exclude particular CipherSuites. An inclusion filter must be specified or else no ciphersuites will be included, the exclusion filter is optional. Please note that care must be taken when using ciphersuite filters, are they operate on all of the <strong>supported</strong> ciphersuites (as opposed to the default JVM ciphersuites that are used if no filter is specified). It is recommended instead to either select a specific CipherSuite (see above) or else just rely on the default JVM ciphersuites by not specifying any cipherSuite or cipherSuiteFilter configuration.</p><p>If no exclusion filter is specified, the default ciphersuites that are excluded are as follows. Note that if the user explicitly allows any of these in the inclusion filter, then they are not excluded by default. For example, if you want to allow "NULL" ciphersuites by adding an inclusion filter of ".*NULL.*" then this is removed from the default exclusion filters.</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup span="1"><col span="1"><col span="1"></colgroup><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh">Default excluded CipherSuite Filter</th><th colspan="1" rowspan="1" class="confluenceTh">Since CXF version</th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">.*NULL.*</td><td colspan="1" rowspan="1" class="confluenceTd">CXF 3.2.7</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">.*anon.*</td><td colspan="1" rowspan="1" class="confluenceTd">CXF 3.2.7</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">.*EXPORT.*</td><td colspan="1" rowspan="1" class="confluenceTd">CXF 3.2.7</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">.*DES.* (note: includes 3DES)</td><td colspan="1" rowspan="1" class="confluenceTd">CXF 3.3.0</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">.*MD5</td><td colspan="1" rowspan="1" class="confluenceTd">CXF 3.3.0</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">.*CBC.*</td><td colspan="1" rowspan="1" class="confluenceTd">CXF 3.3.0</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">.*RC4.*</td><td colspan="1" rowspan="1" class="confluenceTd">CXF 3.3.0</td></tr></tbody></table></div><p>Example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CipherSuites Filter sample</b></div><div class="codeContent panelContent pdl"> |
| <pre class="brush: xml; gutter: false; theme: Default"> <httpj:tlsServerParameters> |
| ... |
| <sec:cipherSuitesFilter> |
| <sec:include>.*_WITH_AES_.*</sec:include> |
| <sec:exclude>.*_DH_anon_.*</sec:exclude> |
| </sec:cipherSuitesFilter> |
| ... |
| </httpj:tlsServerParameters> |
| </pre> |
| </div></div><h2 id="TLSConfiguration-CertConstraints">Cert Constraints</h2><p>Cert constraints can be used by either the client or server to impose constraints on the peer certificates. This can be done by specifying a set of regular expressions on either the Subject DN (Distinguished Name) or the Issuer DN (or both) of the certificate. A "combinator" attribute can also be specified for either the SubjectDNConstraints or IssuerDNConstraints Elements. This attribute can be either "ANY" or "ALL", and refers to whether any or all of the defined regular expressions should apply. The default value is "ALL".</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CipherSuites Filter sample</b></div><div class="codeContent panelContent pdl"> |
| <pre class="brush: xml; gutter: false; theme: Default"> <httpj:tlsServerParameters> |
| ... |
| <sec:certConstraints> |
| <sec:SubjectDNConstraints> |
| <sec:RegularExpression>.*OU=Morpit.*</sec:RegularExpression> |
| </sec:SubjectDNConstraints> |
| <sec:IssuerDNConstraints combinator="ALL"> |
| <sec:RegularExpression>.*O=ApacheTest.*</sec:RegularExpression> |
| <sec:RegularExpression>.*O=OtherApacheTest.*</sec:RegularExpression> |
| </sec:IssuerDNConstraints> |
| </sec:certConstraints> |
| ... |
| </httpj:tlsServerParameters> |
| </pre> |
| </div></div><h1 id="TLSConfiguration-ClientTLSParameters">Client TLS Parameters</h1><p>In addition to the TLS Parameters common to both Clients and Servers, there are some parameters that are <a shape="rect" class="external-link" href="https://svn.apache.org/repos/asf/cxf/trunk/core/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParameters.java">specific</a> to Clients:</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup span="1"><col span="1"><col span="1"><col span="1"></colgroup><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Attribute</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Default</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>disableCNCheck</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>false</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Indicates whether that the hostname given in the HTTPS URL will be checked against the service's Common Name (CN) given in its certificate during requests, and failing if there is a mismatch. If set to true (not recommended for production use), such checks will be bypassed. That will allow you, for example, to use a URL such as localhost during development.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>sslSocketFactory</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><br clear="none"></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A SSLSocketFactory to use. All other bean properties are ignored if this is set.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>sslCacheTimeout</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>86400 seconds (24 hours)</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>SSL Cache Timeout in seconds.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>useHttpsURLConnectionDefaultSslSocketFactory</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>false</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>This attribute specifies if <a shape="rect" class="external-link" href="http://java.sun.com/javase/6/docs/api/javax/net/ssl/HttpsURLConnection.html#getDefaultSSLSocketFactory()" rel="nofollow">HttpsURLConnection.getDefaultSSLSocketFactory()</a> should be used to create https connections. If 'true', 'jsseProvider', 'secureSocketProtocol', 'trustManagers', 'keyManagers', 'secureRandom', 'cipherSuites' and 'cipherSuitesFilter' configuration parameters are ignored.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>useHttpsURLConnectionDefaultHostnameVerifier</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>false</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>This attribute specifies if <a shape="rect" class="external-link" href="http://java.sun.com/javase/6/docs/api/javax/net/ssl/HttpsURLConnection.html#getDefaultHostnameVerifier()" rel="nofollow">HttpsURLConnection.getDefaultHostnameVerifier()</a> should be used to create https connections. If 'true', 'disableCNCheck' configuration parameter is ignored.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">hostnameVerifier</td><td colspan="1" rowspan="1" class="confluenceTd"><br clear="none"></td><td colspan="1" rowspan="1" class="confluenceTd">A custom HostnameVerifier instance to use</td></tr></tbody></table></div><h2 id="TLSConfiguration-DisableCNCheck">Disable CN Check</h2><p><code>disableCNCheck</code> is a parameterized boolean, you can use a fixed variable <code>true</code>|<code>false</code> as well as a <a shape="rect" class="external-link" href="http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/beans.html#beans-factory-placeholderconfigurer" rel="nofollow">Spring externalized property</a> variable (e.g. <code>${disable-https-hostname-verification</code>}) or a <a shape="rect" class="external-link" href="http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/expressions.html#expressions-beandef" rel="nofollow">Spring expression</a> (e.g. <code>#{systemProperties['dev-mode']</code>}).</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>HTTP conduit configuration disabling HTTP URL hostname verification (usage of localhost, etc)</b></div><div class="codeContent panelContent pdl"> |
| <pre class="brush: xml; gutter: false; theme: Default"> <!-- deactivate HTTPS url hostname verification (localhost, etc) --> |
| <!-- WARNING ! disableCNcheck=true should NOT be used in production --> |
| <http-conf:tlsClientParameters disableCNCheck="true" /> |
| ... |
| </pre> |
| </div></div><h1 id="TLSConfiguration-ServerTLSParameters">Server TLS Parameters</h1><p>In addition to the TLS Parameters common to both Clients and Servers, there are some parameters that are <a shape="rect" class="external-link" href="https://svn.apache.org/repos/asf/cxf/trunk/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParameters.java">specific</a> to Servers:</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup span="1"><col span="1"><col span="1"><col span="1"></colgroup><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Attribute</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Default</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>clientAuthentication</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Not "wanted" or "required"</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Allows you to configure whether client authentication is "wanted" and/or "required.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">excludeProtocols</td><td colspan="1" rowspan="1" class="confluenceTd">SSLv3 is disabled by default for Jetty from CXF 3.0.3 + 2.7.14</td><td colspan="1" rowspan="1" class="confluenceTd">The TLS protocols to exclude.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">includeProtocols CXF 3.1.1/3.0.6</td><td colspan="1" rowspan="1" class="confluenceTd"><br clear="none"></td><td colspan="1" rowspan="1" class="confluenceTd">Allows you to add more protocols. For example, if you have a TLS protocol you could add support for "SSLv2Hello" here, for older clients.</td></tr></tbody></table></div><h2 id="TLSConfiguration-ClientAuthentication">Client Authentication</h2><p>This allows you to define whether client authentication is wanted and/or required.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Client Authentication sample</b></div><div class="codeContent panelContent pdl"> |
| <pre class="brush: xml; gutter: false; theme: Default"> <httpj:tlsServerParameters> |
| ... |
| <sec:clientAuthentication want="true" required="true" /> |
| ... |
| </httpj:tlsServerParameters> |
| </pre> |
| </div></div></div> |
| </div> |
| <!-- Content --> |
| </td> |
| </tr> |
| </table> |
| </td> |
| <td id="cell-2-2" colspan="2"> </td> |
| </tr> |
| <tr> |
| <td id="cell-3-0"> </td> |
| <td id="cell-3-1"> </td> |
| <td id="cell-3-2"> |
| <div id="footer"> |
| <!-- Footer --> |
| <div id="site-footer"> |
| <a href="http://cxf.apache.org/privacy-policy.html">Privacy Policy</a> - |
| (<a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=34014457">edit page</a>) |
| (<a href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=34014457&showComments=true&showCommentArea=true#addcomment">add comment</a>)<br> |
| Apache CXF, CXF, Apache, the Apache feather logo are trademarks of The Apache Software Foundation.<br> |
| All other marks mentioned may be trademarks or registered trademarks of their respective owners. |
| </div> |
| <!-- Footer --> |
| </div> |
| </td> |
| <td id="cell-3-3"> </td> |
| <td id="cell-3-4"> </td> |
| </tr> |
| <tr> |
| <td id="cell-4-0" colspan="2"> </td> |
| <td id="cell-4-1"> </td> |
| <td id="cell-4-2" colspan="2"> </td> |
| </tr> |
| </table> |
| |
| <script type="text/javascript"> |
| var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www."); |
| document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E")); |
| </script> |
| <script type="text/javascript"> |
| try { |
| var pageTracker = _gat._getTracker("UA-4458903-1"); |
| pageTracker._trackPageview(); |
| } catch(err) {}</script> |
| |
| </body> |
| </html> |
| |
