Hi Vivian,

See my comments...

Vivian Wang wrote:
Hi Dumindu,

So is it hard to provide such an option (turn on/off validation)?
I think this limitation really restricts axis2/c's usage under SSL.
In my case, I would like to access salesforce web service using a WSDL
referred to by the URL:

    https://na2.salesforce.com/services/wsdl/metadata

All I know is this URL, and I don't know the CA certificate and server cert, 
and I am not sure if they have one.

They DO have one. Otherwise, you can't communicate through https.

I also have no way to know their server host and port,

Use server host as "na2.salesforce.com" and port as "443". If you are on Windows,

openssl s_client -connect na2.salesforce.com:443

will give you the certificate. If you are on Linux, check the corresponding command in Axis2/C manual.

Regards,
Shankar.

so I won't be able to get their cert using the openSSL commands listed in the 
axis2/c manual.

Any workarounds?

Thanks!

Vivian


Hi Vivian,
Please find my comment inline:

On Wed, Oct 29, 2008 at 11:44 PM, Vivian Wang <[EMAIL PROTECTED]> wrote:

So is there an option in axis2/c that I can turn off the certificate
validation?
No we don't support that at the moment.


I think this is important because from a client point of view, lots of
times when I want to access a web service under SSL using https://.. I
know that is the site I want to go.
Yes web browsers do support that, but in reality you don't know if
that truly is the site that you want to access, if you don't have the
server's certificate beforehand. (someone can spoof DNS and appear
themselves as https://foo.com). Yes I have neglected about well known
Certificate Authorities for simplicity. If you trust the CA that issued the
server cert, all you need is the CA's certificate.


And just like you said, browsers will ask you if you want to trust the site
and I can say yes or no. It would also be very inconvenient for a client to
have to get the certificate from a service provider (they may not give you).


Anyway, if it is only for testing, what you can do is to follow the Axis2/C
manual and retrieve the server cert from the server. [1] (refer to
sec. 13.1.2 Configuration). Well you can do this even if it was not for
testing, but it is not recommended to do so.

Thanks,
Dumindu.

[1] http://ws.apache.org/axis2/c/docs/axis2c_manual.html#ssl_client



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





--
S.Uthaiyashankar
Software Architect
WSO2 Inc. http://wso2.com/ - "The Open Source SOA Company"
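
Added example, not part of the original thread: shell helpers around the `openssl s_client` command mentioned in the reply above, which split the presented chain into individual certificates so each can be inspected before it is configured as trusted. The function names, `server.example` and the sample output are constructed for illustration; a certificate fetched this way is only as trustworthy as the connection it came over, so its fingerprint should be compared with one obtained from the service owner.

```shell
# Added example, not from the thread. server.example and the certificate
# bodies in sample_output are constructed placeholders, not real certificates.

# Fetch what the server presents (needs network); -showcerts prints the chain.
fetch_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
        </dev/null 2>/dev/null
}

# Print the Nth PEM block of the "Certificate chain" section on stdin
# (1 = server certificate, 2.. = issuer certificates the server sent).
pem_cert_n() {
    tr -d '\r' | awk -v want="$1" '
        /^Server certificate/           { exit }  # leaf is repeated after this
        /^-----BEGIN CERTIFICATE-----$/ { n++; inside = 1 }
        inside && n == want             { print }
        /^-----END CERTIFICATE-----$/   { inside = 0 }'
}

# Number of certificates in the chain section.
pem_count() {
    tr -d '\r' | awk '
        /^Server certificate/           { exit }
        /^-----BEGIN CERTIFICATE-----$/ { n++ }
        END                             { print n + 0 }'
}

# Subject, issuer and SHA-256 fingerprint of a saved PEM file.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# Constructed stand-in for s_client output, so the parsing runs offline.
sample_output() {
    cat <<'EOF'
Certificate chain
 0 s:CN = server.example
-----BEGIN CERTIFICATE-----
PLACEHOLDERLEAF0
-----END CERTIFICATE-----
 1 s:CN = Example CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERCA000
-----END CERTIFICATE-----
Server certificate
-----BEGIN CERTIFICATE-----
PLACEHOLDERLEAF0
-----END CERTIFICATE-----
EOF
}
```

Typical use against a live host is `fetch_chain na2.salesforce.com 443 > chain.txt`, then `pem_cert_n 1 < chain.txt > server.pem` and `describe_cert server.pem`.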
