TLS Parameters common to both Clients and Servers
...
| Attribute | Default | Description |
|---|---|---|
| | JVM default Key Managers | Key Managers to hold X509 certificates. |
| | JVM default Trust Managers | TrustManagers to validate peer X509 certificates. |
| | JVM default provider associated with protocol | JSSE provider name. |
| | JVM default cipher suites | CipherSuites that will be supported. |
| | | Filters of the supported CipherSuites that will be supported and used if available. |
| | | Certificate Constraints specification. |
| | JVM default Secure Random | SecureRandom specification. |
| | "TLS" | Protocol Name. The most common examples are "SSL", "TLS" or "TLSv1". |
| | | Cert alias to use. Useful when the keystore has multiple certs. |
Note that from CXF 3.0.3 and 2.7.14, the SSLv3 protocol is disabled on the service side (if Jetty is used) unless "SSLv3" is explicitly specified for the "secureSocketProtocol" parameter.
Key Managers
The Key Managers configuration item is used to retrieve key information. It is required for a Server, but is only required for a Client when the Server requires Client Authentication.
```xml
<httpj:tlsServerParameters>
  ...
  <sec:keyManagers keyPassword="stskpass">
    <sec:keyStore type="jks" password="stsspass" resource="stsstore.jks" />
  </sec:keyManagers>
  ...
</httpj:tlsServerParameters>
```
...
```xml
<httpj:tlsServerParameters>
  ...
  <sec:trustManagers>
    <sec:keyStore type="jks" password="stsspass" resource="stsstore.jks" />
  </sec:trustManagers>
  ...
</httpj:tlsServerParameters>
```
...
The CipherSuites Filter is used to either include or exclude particular CipherSuites. If no exclusion filter is specified, the default is to exclude all "NULL" and "anon" CipherSuites. CXF 3.1 also excludes all "DES" CipherSuites by default.

```xml
<httpj:tlsServerParameters>
  ...
  <sec:cipherSuitesFilter>
    <sec:include>.*_EXPORT_.*</sec:include>
    <sec:include>.*_EXPORT1024_.*</sec:include>
    <sec:include>.*_WITH_DES_.*</sec:include>
    <sec:include>.*_WITH_AES_.*</sec:include>
    <sec:include>.*_WITH_NULL_.*</sec:include>
    <sec:exclude>.*_DH_anon_.*</sec:exclude>
  </sec:cipherSuitesFilter>
  ...
</httpj:tlsServerParameters>
```
...
```xml
<httpj:tlsServerParameters>
  ...
  <sec:certConstraints>
    <sec:SubjectDNConstraints>
      <sec:RegularExpression>.*OU=Morpit.*</sec:RegularExpression>
    </sec:SubjectDNConstraints>
    <sec:IssuerDNConstraints combinator="ALL">
      <sec:RegularExpression>.*O=ApacheTest.*</sec:RegularExpression>
      <sec:RegularExpression>.*O=OtherApacheTest.*</sec:RegularExpression>
    </sec:IssuerDNConstraints>
  </sec:certConstraints>
  ...
</httpj:tlsServerParameters>
```
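The following Python is added here and is not part of the CXF project or this page: it models the include/exclude semantics of the cipher suites filter above and the ALL/ANY combinator of certConstraints, run against a constructed list of JSSE suite names. Whole-string regex matching and treating an absent include list as "everything" are assumptions of the model.

```python
import re

# Constructed sample of JSSE suite names, standing in for the JVM's supported list.
SUPPORTED = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_WITH_NULL_SHA",
]

# Default exclusions as the page states them: NULL and anon always, DES from CXF 3.1.
DEFAULT_EXCLUDE = [".*NULL.*", ".*anon.*"]
DEFAULT_EXCLUDE_31 = DEFAULT_EXCLUDE + [".*DES.*"]

def filter_suites(supported, include=None, exclude=None, cxf31=True):
    """Keep a suite when it matches at least one <sec:include> regex and no
    <sec:exclude> regex. Whole-string matching (like Java's Matcher.matches())
    and "no include list means everything" are assumptions of this model."""
    inc = [re.compile(p) for p in (include or [".*"])]
    if exclude is None:  # no exclusion filter given: the page's defaults apply
        exclude = DEFAULT_EXCLUDE_31 if cxf31 else DEFAULT_EXCLUDE
    exc = [re.compile(p) for p in exclude]
    return [s for s in supported
            if any(r.fullmatch(s) for r in inc)
            and not any(r.fullmatch(s) for r in exc)]

def page_filter():
    """The page's <sec:cipherSuitesFilter> example as regex lists: because it
    supplies its own <sec:exclude>, the NULL/anon/DES defaults no longer apply."""
    return filter_suites(SUPPORTED,
                         include=[".*_EXPORT_.*", ".*_EXPORT1024_.*", ".*_WITH_DES_.*",
                                  ".*_WITH_AES_.*", ".*_WITH_NULL_.*"],
                         exclude=[".*_DH_anon_.*"])

def hardened_filter():
    """Same mechanism, limited to AES suites with anonymous key exchange excluded."""
    return filter_suites(SUPPORTED, include=[".*_WITH_AES_.*"], exclude=[".*anon.*"])

def dn_allowed(dn, patterns, combinator="ALL"):
    """<sec:SubjectDNConstraints> / <sec:IssuerDNConstraints>: with combinator
    ALL every regex must match the DN, with ANY a single match is enough."""
    hits = [re.fullmatch(p, dn) is not None for p in patterns]
    return all(hits) if combinator == "ALL" else any(hits)
```

Running the model shows that a supplied exclude list replaces the defaults, so the page's example admits EXPORT, DES and NULL suites, and that an issuer DN naming only one of the two organisations fails the combinator="ALL" constraint but passes ANY.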
...
```xml
<!-- deactivate HTTPS URL hostname verification (localhost, etc.) -->
<!-- WARNING! disableCNCheck="true" should NOT be used in production -->
<http-conf:tlsClientParameters disableCNCheck="true" />
...
```
...
```xml
<httpj:tlsServerParameters>
  ...
  <sec:clientAuthentication want="true" required="true" />
  ...
</httpj:tlsServerParameters>
```