...
The TLS Parameters common to both Clients and Servers are given here:
| Attribute | Default | Description |
|---|---|---|
| | JVM default Key Managers | Key Managers to hold X509 certificates. |
| | JVM default Trust Managers | TrustManagers to validate peer X509 certificates. |
| | JVM default provider associated with protocol | JSSE provider name. |
| | JVM default cipher suites | CipherSuites that will be supported. |
| | | Filters applied to the supported CipherSuites; a suite is used if it passes the filter and is available. |
| | | Certificate Constraints specification. |
| | JVM default Secure Random | SecureRandom specification. |
| secureSocketProtocol | "TLS" | Protocol Name. For example: "TLS", "TLSv1.2", "TLSv1.3". |
| | | Cert alias to use. Useful when the keystore has multiple certs. |
| enableRevocation (since CXF 3.1.11) | "false" | Specifies whether to enable revocation checking of the client/server certificate. To enable "ocsp" this should be set to "true" (along with the Java Security property "ocsp.enable"). |
Note that from CXF 3.0.3 and 2.7.14, the SSLv3 protocol is disabled on the client side, and on the service side (if Jetty is used), unless "SSLv3" is explicitly specified for the "secureSocketProtocol" parameter.
...
If no exclusion filter is specified, the default ciphersuites that are excluded are as follows. Note that if the user explicitly allows any of these in the inclusion filter, then they are not excluded by default. For example, if you want to allow "NULL" ciphersuites by adding an inclusion filter of ".*NULL.*", then this pattern is removed from the default exclusion filters.

| Default excluded CipherSuite filter | Since CXF version |
|---|---|
| `.*NULL.*` | CXF 3.2.7 |
| `.*anon.*` | CXF 3.2.7 |
| `.*DES.*` | CXF 3.2.7 |
| `.*EXPORT.*` | CXF 3.2.7 |
| `.*3DES.*` | CXF 3.3.0 |
| `.*MD5` | CXF 3.3.0 |
| `.*CBC.*` | CXF 3.3.0 |
| `.*RC4.*` | CXF 3.3.0 |
Example:

```xml
<httpj:tlsServerParameters>
  ...
  <sec:cipherSuitesFilter>
    <sec:include>.*_WITH_AES_.*</sec:include>
    <sec:exclude>.*_DH_anon_.*</sec:exclude>
  </sec:cipherSuitesFilter>
  ...
</httpj:tlsServerParameters>
```
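The include/exclude semantics described above, as an added example that is not CXF's own code: a small model of the filter run over a constructed list of suite names, so that the effect of a filter can be checked before it is deployed. It assumes that with no include filter every supported suite is a candidate (`.*`), and that a default exclusion pattern is lifted only when the identical pattern string appears in the include list; the suite names are constructed samples, not an enumeration from a real JVM.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example, not CXF's own code: a model of the include/exclude
 * cipher-suite filter semantics. Assumptions: with no include filter every
 * supported suite is a candidate (".*"), and a default exclusion pattern is
 * dropped only when the identical pattern string appears in the include list.
 */
public class CipherSuiteFilterDemo {

    // Default exclusion patterns from the table above (CXF 3.3.0 set).
    static final List<String> DEFAULT_EXCLUDES = List.of(
            ".*NULL.*", ".*anon.*", ".*DES.*", ".*EXPORT.*",
            ".*3DES.*", ".*MD5", ".*CBC.*", ".*RC4.*");

    // Constructed sample of suite names, not an enumeration from a real JVM.
    static final List<String> SAMPLE_SUPPORTED = List.of(
            "TLS_AES_256_GCM_SHA384",                 // TLS 1.3 suite: no "_WITH_" in the name
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
            "TLS_RSA_WITH_NULL_SHA256",
            "TLS_RSA_WITH_RC4_128_MD5",
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA");

    static List<Pattern> compile(List<String> regexes) {
        List<Pattern> patterns = new ArrayList<>();
        for (String regex : regexes) {
            patterns.add(Pattern.compile(regex));
        }
        return patterns;
    }

    static boolean matchesAny(String suite, List<Pattern> patterns) {
        for (Pattern p : patterns) {
            if (p.matcher(suite).matches()) {
                return true;
            }
        }
        return false;
    }

    /** Suites that pass the filter, in the order the JVM reported them. */
    static List<String> filter(List<String> supported, List<String> includes, List<String> excludes) {
        List<String> effectiveIncludes = includes.isEmpty() ? List.of(".*") : includes;
        List<String> effectiveExcludes = new ArrayList<>(excludes);
        for (String def : DEFAULT_EXCLUDES) {
            if (!includes.contains(def)) {   // an explicit include lifts the default exclusion
                effectiveExcludes.add(def);
            }
        }
        List<Pattern> inc = compile(effectiveIncludes);
        List<Pattern> exc = compile(effectiveExcludes);
        List<String> kept = new ArrayList<>();
        for (String suite : supported) {
            if (matchesAny(suite, inc) && !matchesAny(suite, exc)) {
                kept.add(suite);
            }
        }
        return kept;
    }

    public static void main(String[] args) {
        // 1. No filter configured: only the default exclusions apply.
        System.out.println(filter(SAMPLE_SUPPORTED, List.of(), List.of()));

        // 2. The filter from the XML example above. The TLS 1.3 suite is dropped
        //    as well, because its name contains no "_WITH_AES_".
        System.out.println(filter(SAMPLE_SUPPORTED,
                List.of(".*_WITH_AES_.*"), List.of(".*_DH_anon_.*")));

        // 3. Including ".*NULL.*" removes it from the default exclusions, so an
        //    unencrypted suite is now offered: worth checking before deploying a filter.
        System.out.println(filter(SAMPLE_SUPPORTED, List.of(".*NULL.*"), List.of()));
    }
}
```

The second run shows a caveat of include patterns written for TLS 1.2 suite names: TLS 1.3 suites (`TLS_AES_*`, `TLS_CHACHA20_*`) have no `_WITH_` in their names, so an include of `.*_WITH_AES_.*` silently drops them. The third run shows why an include pattern that names one of the default exclusions deserves a second look.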
...
In addition to the TLS Parameters common to both Clients and Servers, there are some parameters that are specific to Clients:
| Attribute | Default | Description |
|---|---|---|
| disableCNCheck | | Indicates whether the hostname given in the HTTPS URL will be checked against the service's Common Name (CN) given in its certificate during requests, failing if there is a mismatch. If set to |
| | | An SSLSocketFactory to use. All other bean properties are ignored if this is set. |
| | 86400 seconds (24 hours) | SSL Cache Timeout in seconds. |
| | | Specifies whether HttpsURLConnection.getDefaultSSLSocketFactory() should be used to create https connections. If ' |
| | | Specifies whether HttpsURLConnection.getDefaultHostnameVerifier() should be used to create https connections. If ' |
| hostnameVerifier | | A custom HostnameVerifier instance to use. |
Disable CN Check
disableCNCheck is a parameterized boolean: you can use a fixed value (true|false), a Spring externalized property variable (e.g. ${disable-https-hostname-verification}) or a Spring expression (e.g. #{systemProperties['dev-mode']}).
...
In addition to the TLS Parameters common to both Clients and Servers, there are some parameters that are specific to Servers:
| Attribute | Default | Description |
|---|---|---|
| | Not "wanted" or "required" | Allows you to configure whether client authentication is "wanted" and/or "required". |
| excludeProtocols | SSLv3 is disabled by default for Jetty from CXF 3.0.3 and 2.7.14 | The TLS protocols to exclude. |
| includeProtocols (since CXF 3.1.1/3.0.6) | | Allows you to add more protocols. For example, you could add "SSLv2Hello" here to support older clients. |
Client Authentication
This allows you to define whether client authentication is wanted and/or required.
...