I have implemented support for not validating server cert with libcurl transport. Let me know if you are using libcurl and would like a patch.

-----Original Message-----
From: Vivian Wang [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2008 11:51 PM
To: axis-c-dev@ws.apache.org
Cc: [EMAIL PROTECTED]
Subject: Re: a HTTPS/SSL question

Hi Dumindu,

So is it hard to provide such an option (turn on/off validation)? I think this limitation really restricts axis2/c's usage under SSL.

In my case, I would like to access salesforce web service using a WSDL referred to by the URL:
https://na2.salesforce.com/services/wsdl/metadata

All I know is this URL, and I don't know the CA certificate and server cert, and I am not sure if they have one. I also have no way to know their server host and port, so I won't be able to get their cert using the openSSL commands listed in the axis2/c manual.

Any workarounds?

Thanks!
Vivian

>Hi Vivian,
>Please find my comment inline:
>
>On Wed, Oct 29, 2008 at 11:44 PM, Vivian Wang <[EMAIL PROTECTED]> wrote:
>
>> So is there an option in axis2/c that I can turn off the certificate
>> validation?
>
>No we don't support that at the moment.
>
>> I think this is important because from a client point of view, lots of
>> times when I want to access a web service under SSL using https://.. I
>> know that is the site I want to go.
>
>Yes web browsers do support that, but in reality you don't know if
>that truly is the site that you want to access, if you don't have the
>server's certificate beforehand. (someone can spoof dns and appear
>themselves as https://foo.com). Yes I have neglected about well known
>Certificate Authorities for simplicity. If you trust the CA that issued the
>server cert, all you need is the CA's certificate.
>
>> And just like you said, browsers will ask you if you want to trust the site
>> and I can say yes or no. It would also be very inconvenient for a client to
>> have to get the certificate from a service provider (they may not give you).
>
>Anyway, if it is only for testing, what you can do is to follow the Axis2/C
>manual and retrieve the server cert from the server. [1] (refer to
>sec. 13.1.2 Configuration). Well you can do this even if it was not for
>testing, but it is not recommended to do so.
>
>Thanks,
>Dumindu.
>[1] http://ws.apache.org/axis2/c/docs/axis2c_manual.html#ssl_client
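
Added example, not part of the thread and not the Axis2/C manual's own commands: an https:// URL already carries the host and the port (443 when none is written), which is all the openssl CLI needs to retrieve the certificate a server presents. The function names `https_endpoint` and `fetch_server_cert` are hypothetical, and the fetched certificate is unverified until its fingerprint has been compared with one obtained out of band.

```bash
#!/usr/bin/env bash
# Added example; https_endpoint and fetch_server_cert are hypothetical names.

# Print "host:port" for an https:// URL; the port defaults to 443.
https_endpoint() {
    local url="$1" rest hostport host port
    case $url in
        https://*) rest=${url#https://} ;;
        *) echo "not an https URL: $url" >&2; return 1 ;;
    esac
    hostport=${rest%%[/?#]*}   # drop path, query and fragment
    hostport=${hostport##*@}   # drop any userinfo
    case $hostport in
        \[*) echo "IPv6 literals are not handled here" >&2; return 1 ;;
        *:*) host=${hostport%%:*}; port=${hostport##*:} ;;
        *)   host=$hostport; port=443 ;;
    esac
    [ -n "$host" ] || { echo "no host in URL: $url" >&2; return 1; }
    case $port in
        ''|*[!0-9]*) echo "bad port in URL: $url" >&2; return 1 ;;
    esac
    printf '%s:%s\n' "$host" "$port"
}

# Save the leaf certificate the server presents to file $2 and print its
# subject, issuer and SHA-256 fingerprint. Needs network access and openssl.
# The saved file proves nothing by itself: whoever answered the connection
# supplied it, so compare the fingerprint with a value obtained out of band
# before configuring the file as the client's trusted server certificate.
fetch_server_cert() {
    local endpoint out="$2"
    endpoint=$(https_endpoint "$1") || return 1
    openssl s_client -connect "$endpoint" -servername "${endpoint%:*}" \
            </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$out" || return 1
    openssl x509 -in "$out" -noout -subject -issuer -fingerprint -sha256
}

# Usage: ./fetch_cert.sh <https-url> <output.pem>
if [ "$#" -eq 2 ]; then
    fetch_server_cert "$1" "$2"
fi
```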