TLS Parameters common to both Clients and Servers
The TLS Parameters common to both Clients and Servers are given here:

Attribute | Default | Description
---|---|---
keyManagers | JVM default Key Managers | Key Managers holding the X.509 certificate and private key presented to the peer.
trustManagers | JVM default Trust Managers | Trust Managers used to validate peer X.509 certificates.
jsseProvider | JVM default provider associated with the protocol | JSSE provider name.
cipherSuites | JVM default cipher suites | Cipher suites that will be supported.
cipherSuitesFilter | (none) | Include/exclude regular-expression filters applied to the supported cipher suites; the suites that pass the filter are used if available.
certConstraints | (none) | Certificate constraints specification (regular expressions over the peer certificate's Subject DN and Issuer DN).
secureRandomParameters | JVM default SecureRandom | SecureRandom specification.
secureSocketProtocol | "TLS" | Protocol name. Common examples are "SSL", "TLS" or "TLSv1". Prefer "TLS", which lets the JSSE provider negotiate its enabled versions, over the legacy "SSL" or "TLSv1" names.
certAlias | (none) | Certificate alias to use. Useful when the keystore holds multiple certificates.
Key Managers
The Key Managers configuration item selects the keystore holding the private key and certificate that this side presents to its peer. It is required for a Server, but is only required for a Client when the Server requires Client Authentication. The keystore password (password) and the private-key password (keyPassword) are separate values:

    <httpj:tlsServerParameters>
      ...
      <sec:keyManagers keyPassword="stskpass">
        <sec:keyStore type="jks" password="stsspass" resource="stsstore.jks" />
      </sec:keyManagers>
      ...
    </httpj:tlsServerParameters>
Trust Managers
The Trust Managers configuration item is used to validate trust in peer X.509 certificates. It is required for both Servers and Clients. The referenced store should contain only the CA (or peer) certificates you actually intend to trust, since every certificate chaining to one of them will be accepted:

    <httpj:tlsServerParameters>
      ...
      <sec:trustManagers>
        <sec:keyStore type="jks" password="stsspass" resource="stsstore.jks" />
      </sec:trustManagers>
      ...
    </httpj:tlsServerParameters>
CipherSuites Filter
The CipherSuites Filter is used to include or exclude particular cipher suites, by regular expression, from the set the JSSE provider supports: a suite is enabled only if it matches an include pattern and matches no exclude pattern. The patterns below illustrate the syntax only; as written they admit export-grade, single-DES and NULL (unencrypted) suites and are not a production configuration.

    <httpj:tlsServerParameters>
      ...
      <sec:cipherSuitesFilter>
        <sec:include>.*_EXPORT_.*</sec:include>
        <sec:include>.*_EXPORT1024_.*</sec:include>
        <sec:include>.*_WITH_DES_.*</sec:include>
        <sec:include>.*_WITH_AES_.*</sec:include>
        <sec:include>.*_WITH_NULL_.*</sec:include>
        <sec:exclude>.*_DH_anon_.*</sec:exclude>
      </sec:cipherSuitesFilter>
      ...
    </httpj:tlsServerParameters>
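A hardened filter for the same element, as an added example that is not from the original page or the CXF project: it allows only forward-secret AES-GCM suites plus the TLS 1.3 suites, and then excludes the weak families regardless of what the includes matched. The suite-name patterns are assumptions about the names your JSSE provider reports; check them against your JDK. Note that TLS 1.3 suite names such as TLS_AES_128_GCM_SHA256 contain no "_WITH_", so the `.*_WITH_AES_.*` pattern in the example above never enables them.

```xml
<!-- Added example, not from the original page: a restrictive cipherSuitesFilter.
     Pattern names are assumptions about the JSSE suite names on the target JDK. -->
<httpj:tlsServerParameters>
  ...
  <sec:cipherSuitesFilter>
    <!-- Includes: ECDHE/DHE key exchange (forward secrecy) with AES-GCM, plus TLS 1.3 suites -->
    <sec:include>TLS_ECDHE_.*_WITH_AES_.*_GCM_SHA(256|384)</sec:include>
    <sec:include>TLS_DHE_RSA_WITH_AES_.*_GCM_SHA(256|384)</sec:include>
    <sec:include>TLS_AES_(128|256)_GCM_SHA(256|384)</sec:include>
    <sec:include>TLS_CHACHA20_POLY1305_SHA256</sec:include>
    <!-- Excludes win over includes: drop anonymous, export, NULL and legacy suites
         even if a future provider names one so that an include pattern matches it -->
    <sec:exclude>.*_anon_.*</sec:exclude>
    <sec:exclude>.*_EXPORT.*</sec:exclude>
    <sec:exclude>.*_NULL_.*</sec:exclude>
    <sec:exclude>.*_DES_.*</sec:exclude>
    <sec:exclude>.*_RC4_.*</sec:exclude>
    <sec:exclude>.*_MD5</sec:exclude>
  </sec:cipherSuitesFilter>
  ...
</httpj:tlsServerParameters>
```

The same element, with the same patterns, is valid inside http-conf:tlsClientParameters on the client side. The filter is defence in depth on top of the JDK's own jdk.tls.disabledAlgorithms list, not a replacement for keeping the JDK current.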
Cert Constraints
Cert constraints can be used by either the client or the server to impose constraints on the peer certificate, in addition to (not instead of) the trust-manager validation described above. This is done by specifying a set of regular expressions over the Subject DN (Distinguished Name) and/or the Issuer DN of the certificate. A "combinator" attribute can be set on either the SubjectDNConstraints or the IssuerDNConstraints element. It can be "ANY" or "ALL" and states whether any one or all of the listed regular expressions must match. The default value is "ALL". Note that with "ALL" every pattern must match the same DN: the issuer constraints below therefore only accept an issuer whose DN contains both organisations, whereas alternative issuers would need combinator="ANY".

    <httpj:tlsServerParameters>
      ...
      <sec:certConstraints>
        <sec:SubjectDNConstraints>
          <sec:RegularExpression>.*OU=Morpit.*</sec:RegularExpression>
        </sec:SubjectDNConstraints>
        <sec:IssuerDNConstraints combinator="ALL">
          <sec:RegularExpression>.*O=ApacheTest.*</sec:RegularExpression>
          <sec:RegularExpression>.*O=OtherApacheTest.*</sec:RegularExpression>
        </sec:IssuerDNConstraints>
      </sec:certConstraints>
      ...
    </httpj:tlsServerParameters>
Client TLS Parameters
In addition to the TLS Parameters common to both Clients and Servers, there are some parameters that are specific to Clients:

Attribute | Default | Description
---|---|---
disableCNCheck | false | Indicates whether the hostname given in the HTTPS URL is checked against the service's Common Name (CN) given in its certificate during requests, failing the request on a mismatch. If set to true the check is skipped; this is convenient for development (e.g. a localhost URL) but must not be used in production, because any certificate trusted by the trust managers is then accepted for any host.
sslSocketFactory | (none) | An SSLSocketFactory to use (set programmatically). All other bean properties are ignored if this is set.
sslCacheTimeout | 86400 seconds (24 hours) | SSL session cache timeout in seconds.
useHttpsURLConnectionDefaultSslSocketFactory | false | Specifies whether HttpsURLConnection.getDefaultSSLSocketFactory() should be used to create HTTPS connections. If true, the JVM default socket factory is used instead of one built from the key managers, trust managers and cipher suite settings configured here.
useHttpsURLConnectionDefaultHostnameVerifier | false | Specifies whether HttpsURLConnection.getDefaultHostnameVerifier() should be used for HTTPS connections. If true, the JVM default hostname verifier is used instead of CXF's own.
Disable CN Check
disableCNCheck is a parameterized boolean: you can use a fixed value (true or false), a Spring externalized property placeholder (e.g. ${disable-https-hostname-verification}) or a Spring expression (e.g. #{systemProperties['dev-mode']}). Externalizing it lets a development build talk to localhost while the production deployment keeps the check enabled from the same configuration file.

    <!-- deactivate HTTPS URL hostname verification (localhost, etc.) -->
    <!-- WARNING! disableCNCheck="true" should NOT be used in production -->
    <http-conf:tlsClientParameters disableCNCheck="true" />
    ...
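A complete client-side conduit configuration, as an added example that is not from the original page: the hostname check stays enabled unless the disable.cn.check system property is set to true, and the key and trust stores are referenced through placeholders so that no password is embedded in the file. The conduit name "*.http-conduit" applies the parameters to every HTTPS conduit in the bus; the property names, the store file names and the PropertySourcesPlaceholderConfigurer bean are assumptions of this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original page. Property names and store files are assumptions. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:http-conf="http://cxf.apache.org/transports/http/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd">

  <!-- Resolves ${...} placeholders from system properties and the environment,
       so passwords and the dev-mode switch never live in this file. -->
  <bean class="org.springframework.context.support.PropertySourcesPlaceholderConfigurer"/>

  <!-- "*.http-conduit" matches every HTTPS conduit; a per-port name would be
       "{serviceNamespace}PortName.http-conduit". -->
  <http-conf:conduit name="*.http-conduit">
    <!-- ${disable.cn.check:false}: when the property is unset the check stays ON.
         Only a deliberate -Ddisable.cn.check=true (development) turns it off. -->
    <http-conf:tlsClientParameters secureSocketProtocol="TLS"
                                   disableCNCheck="${disable.cn.check:false}">

      <!-- Client key pair: only presented when the server wants/requires client authentication -->
      <sec:keyManagers keyPassword="${client.key.password}">
        <sec:keyStore type="jks" password="${client.keystore.password}" file="client-keystore.jks"/>
      </sec:keyManagers>

      <!-- Trust store holding only the CA certificate(s) that issue the server certificates we accept -->
      <sec:trustManagers>
        <sec:keyStore type="jks" password="${client.truststore.password}" file="client-truststore.jks"/>
      </sec:trustManagers>
    </http-conf:tlsClientParameters>
  </http-conf:conduit>
</beans>
```

The "file" attribute is a filesystem path; the examples elsewhere on this page use "resource" to load the store from the classpath instead. Either works, but keep production keystores out of the deployed archive when the file form is available.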
Server TLS Parameters
In addition to the TLS Parameters common to both Clients and Servers, there are some parameters that are specific to Servers:

Attribute | Default | Description
---|---|---
clientAuthentication | Not "wanted" or "required" | Allows you to configure whether client authentication is "wanted" and/or "required".

Client Authentication
This allows you to define whether client authentication is wanted and/or required. With want="true" the server requests a client certificate but completes the handshake even if none is presented; with required="true" the handshake fails unless the client presents a certificate that the server's trust managers accept. Only required="true" guarantees that every request arriving at the service carries an authenticated client identity.

    <httpj:tlsServerParameters>
      ...
      <sec:clientAuthentication want="true" required="true" />
      ...
    </httpj:tlsServerParameters>
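Putting the server-side pieces together, as an added example that is not from the original page or the CXF project: a Jetty engine that requires a client certificate and then applies cert constraints so that only certificates issued by one client CA to one organisational unit are authorized. The port, the store files, the property names and the DN values are assumptions of this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original page. Port, store files, property names and DNs are assumptions. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd
         http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd">

  <!-- Passwords come from system properties / environment, not from this file -->
  <bean class="org.springframework.context.support.PropertySourcesPlaceholderConfigurer"/>

  <httpj:engine-factory bus="cxf">
    <httpj:engine port="9043">
      <httpj:tlsServerParameters secureSocketProtocol="TLS">

        <!-- Server identity: private key + certificate presented to clients -->
        <sec:keyManagers keyPassword="${server.key.password}">
          <sec:keyStore type="jks" password="${server.keystore.password}" file="server-keystore.jks"/>
        </sec:keyManagers>

        <!-- Trust: only the CA that issues client certificates; this decides whether
             a presented client certificate is *valid* -->
        <sec:trustManagers>
          <sec:keyStore type="jks" password="${server.truststore.password}" file="server-truststore.jks"/>
        </sec:trustManagers>

        <!-- required="true": the handshake fails if the client presents no certificate.
             want="true" alone would request one but still admit anonymous clients. -->
        <sec:clientAuthentication want="true" required="true"/>

        <!-- Authorization on top of trust: a validly chained client certificate is still
             rejected unless its Subject DN has BOTH the OU and the O below (combinator ALL)
             and it was issued by the named client CA. -->
        <sec:certConstraints>
          <sec:SubjectDNConstraints combinator="ALL">
            <sec:RegularExpression>.*OU=Partners.*</sec:RegularExpression>
            <sec:RegularExpression>.*O=ExampleCorp.*</sec:RegularExpression>
          </sec:SubjectDNConstraints>
          <sec:IssuerDNConstraints>
            <sec:RegularExpression>.*CN=ExampleCorp Client CA.*</sec:RegularExpression>
          </sec:IssuerDNConstraints>
        </sec:certConstraints>

      </httpj:tlsServerParameters>
    </httpj:engine>
  </httpj:engine-factory>
</beans>
```

The trust managers answer "is this certificate genuine?", the cert constraints answer "is this particular identity allowed here?"; keeping the two separate means a compromised or over-broad client CA does not automatically grant access to every endpoint.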