Yes, I am doing that, but I will need to rebuild. I don’t recommend TLSv1 - this is already phased out and will lock out TLSv1.2. I try TLS only as it includes all TLS protocols (depends on JDK).
SSL will not be supported by this (however, as I said, there are other parts of the code where there is a getInstance(TLS)). And some caveats: on JDK6+7 TLS only means TLSv1 (and newer TLS protocols are deactivated); on JDK8 it also means that newer TLS protocols are enabled. To be honest, in my opinion an SSL-only one is a significant security hole, and given how old TLS support is in the JDK I would be surprised if there is someone using such a server (most organisations should switch to TLSv1.2 in any case, as all protocols below have been broken). While it works for all JDKs, JDK8 should probably be recommended, as it seems to have all TLS protocols activated when using "TLS". Older JDKs seem to deactivate TLSv1.1 and TLSv1.2 when using TLS. I will write more about this in the JIRA once I have verified that this solves the problem. Then TLSv1.3 is JDK11 only - I will investigate what that implies. Does ManifoldCF support JDK11?

> On 15.01.2020 at 00:08, Karl Wright <daddy...@gmail.com> wrote:
>
> I think you can just change the code to read as follows when it creates the
> SSLContext:
>
> SSLContext ctx = SSLContext.getInstance("TLSv1");
>
> I don't know if TLS will downgrade to SSL if that's all that's available.
>
> Karl
>
>> On Tue, Jan 14, 2020 at 6:02 PM Jörn Franke <jornfra...@gmail.com> wrote:
>> Yes, if you do not change this setting, as I suspect happens here. See my
>> previous mail for details.
>>
>>>> On 14.01.2020 at 23:51, Karl Wright <daddy...@gmail.com> wrote:
>>>>
>>>
>>> It looks like TLS is actually enabled in the SSLSocketFactory framework
>>> based on how you create the SSLSocketContext. See:
>>>
>>> https://docs.oracle.com/cd/E19698-01/816-7609/security-83/index.html
>>>
>>> Karl
>>>
>>>> On Tue, Jan 14, 2020 at 5:48 PM Karl Wright <daddy...@gmail.com> wrote:
>>>> The design of ManifoldCF deliberately manages keystores on a connection by
>>>> connection basis, not globally. If you think the only way to implement
>>>> TLS is via global keystore I very much doubt it.
>>>>
>>>> I am on the road until late tomorrow but somewhere along the line I can do
>>>> some research into why TLS won't work as we are currently doing it.
>>>>
>>>> Karl
>>>>
>>>>> On Tue, Jan 14, 2020 at 12:56 PM Jörn Franke <jornfra...@gmail.com> wrote:
>>>>> These are TLS only. So maybe you have other servers where TLS and SSL are
>>>>> possible and it downgrades to SSL. However, this is speculation and I need
>>>>> to verify it. I have to rebuild manifold for that. Probably I have to
>>>>> reinstall everything as the keystorefactory is a dependency in the
>>>>> connector.
>>>>>
>>>>>>> On 14.01.2020 at 18:34, Karl Wright <daddy...@gmail.com> wrote:
>>>>>>>
>>>>>>
>>>>>> If you can recommend changes to support TLS, that would be great. The
>>>>>> basic infrastructure should still work; it is just a custom keystore and
>>>>>> associated SSLSocketFactory, which I think also is used for TLS
>>>>>> connections, unless I am missing something.
>>>>>>
>>>>>>> On Tue, Jan 14, 2020, 9:38 AM Jörn Franke <jornfra...@gmail.com> wrote:
>>>>>>> Yes this works fine. I believe the error comes from the fact that TLS
>>>>>>> connections are not supported.
>>>>>>>
>>>>>>>>> On 14.01.2020 at 15:31, Michael Cizmar
>>>>>>>>> <michael.ciz...@mcplusa.com> wrote:
>>>>>>>>>
>>>>>>>>
>>>>>>>> If you want to test the url and the ssl, I would recommend attempting
>>>>>>>> using SSLPoke to confirm that the keystore is set up properly:
>>>>>>>>
>>>>>>>> https://github.com/MichalHecko/SSLPoke
>>>>>>>>
>>>>>>>> Michael
>>>>>>>>
>>>>>>>> From: Karl Wright <daddy...@gmail.com>
>>>>>>>> Reply-To: "user@manifoldcf.apache.org" <user@manifoldcf.apache.org>
>>>>>>>> Date: Tuesday, January 14, 2020 at 7:21 AM
>>>>>>>> To: "user@manifoldcf.apache.org" <user@manifoldcf.apache.org>
>>>>>>>> Subject: Re: CSWS Connector : ServiceConstructionException: Failed to
>>>>>>>> create service
>>>>>>>>
>>>>>>>> Hmm, others have succeeded setting up SSL connections with the current
>>>>>>>> code. Hoping they chime in here.
>>>>>>>>
>>>>>>>> Karl
>>>>>>>>
>>>>>>>> On Tue, Jan 14, 2020, 8:19 AM Jörn Franke <jornfra...@gmail.com> wrote:
>>>>>>>>
>>>>>>>> It seems that it has indeed a certificate issue as it cannot find a
>>>>>>>> valid certification path to the target. The thing is: I added those
>>>>>>>> certificates in the UI so it should not happen.
>>>>>>>>
>>>>>>>> On 10.01.2020 at 20:51, Jörn Franke <jornfra...@gmail.com> wrote:
>>>>>>>>
>>>>>>>> 2.15 ...
>>>>>>>>
>>>>>>>> I will try on the weekend to see if I can get some logs out of it.
>>>>>>>>
>>>>>>>> On 10.01.2020 at 19:02, Karl Wright <daddy...@gmail.com> wrote:
>>>>>>>>
>>>>>>>> Can I ask what version of MCF you are using? There were issues with
>>>>>>>> SSL in the first release of the csws connector if I recall correctly,
>>>>>>>> that were fixed for the second release.
>>>>>>>>
>>>>>>>> Karl
>>>>>>>>
>>>>>>>> On Fri, Jan 10, 2020 at 11:42 AM Jörn Franke <jornfra...@gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> I added root, intermediate and server certificate (in base64 cer, it
>>>>>>>> seems to be recognized by manifoldcf), but I still get the same
>>>>>>>> message. I will try to get somehow the full stacktrace
>>>>>>>>
>>>>>>>> On 10.01.2020 at 17:21, Karl Wright <daddy...@gmail.com> wrote:
>>>>>>>>
>>>>>>>> If you are using SSL you need to have the proper certificate saved in
>>>>>>>> the connection's keystore.
>>>>>>>>
>>>>>>>> Karl
>>>>>>>>
>>>>>>>> On Fri, Jan 10, 2020 at 11:20 AM Jörn Franke <jornfra...@gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> It is actually a server using configuration of the command-driven
>>>>>>>> multi-process model (but the agents executed as a service and the war
>>>>>>>> on a tomcat executed as a service) under Linux.
>>>>>>>>
>>>>>>>> I thought as well that it cannot reach the webservices, the question
>>>>>>>> is why. On the same server I can reach the webservices and fetch the
>>>>>>>> WSDL without issues.
>>>>>>>>
>>>>>>>> Maybe something related to SSL?
>>>>>>>>
>>>>>>>> On 10.01.2020 at 14:59, Karl Wright <daddy...@gmail.com> wrote:
>>>>>>>>
>>>>>>>> How are you running manifoldcf? Single process example, or a custom
>>>>>>>> setup of some kind?
>>>>>>>>
>>>>>>>> This exception is a "catch all" exception generated far below anything
>>>>>>>> in ManifoldCF, but usually means it cannot download the WSDLs from the
>>>>>>>> service. Getting the full exception dumped in the log requires a
>>>>>>>> "hack" to the check() method of the connector, but I'm pretty sure
>>>>>>>> that's what's happening anyway.
>>>>>>>>
>>>>>>>> Karl
>>>>>>>>
>>>>>>>> On Fri, Jan 10, 2020 at 8:50 AM Jörn Franke <jornfra...@gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I tried to use the CSWS connector, but already for the Authority
>>>>>>>> connection I receive a
>>>>>>>> org.apache.cxf.service.factory.ServiceConstructionException: Failed to
>>>>>>>> create service.
>>>>>>>>
>>>>>>>> Unfortunately I don’t see more details, also not in the log (debug is
>>>>>>>> activated). I try to get a little bit more output by modifying the
>>>>>>>> connector, but maybe someone has already an idea why this can happen?
>>>>>>>>
>>>>>>>> Are there some special instructions to use it? The pointers to the
>>>>>>>> webservices are correct, I tested via Curl and SOAPUI.
>>>>>>>>
>>>>>>>> Thank you.
>>>>>>>> Best regards
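
Added example (not part of the thread and not ManifoldCF code): a small Java program that reports which protocol versions the running JDK supports and enables by default for an SSLContext created with "TLS", the question raised in the top message, and then pins the enabled list explicitly instead of relying on the JDK default. The class name `TlsProtocolCheck` and the `WANTED` list are assumptions of this example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class TlsProtocolCheck {
    // Protocol versions this example is willing to negotiate (an assumption of
    // the example, following the TLSv1.2 recommendation made in the thread).
    private static final List<String> WANTED = Arrays.asList("TLSv1.3", "TLSv1.2");

    /** Returns the wanted protocols that this JDK actually supports. */
    static String[] pickProtocols(SSLContext ctx) {
        List<String> supported =
            Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
        List<String> chosen = new ArrayList<String>();
        for (String p : WANTED) {
            if (supported.contains(p)) {
                chosen.add(p);
            }
        }
        if (chosen.isEmpty()) {
            // Fail closed rather than silently falling back to older versions.
            throw new IllegalStateException("JDK supports none of " + WANTED);
        }
        return chosen.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null arguments select the JDK default key and trust managers; code that
        // keeps a keystore per connection would pass its own TrustManagers here.
        ctx.init(null, null, null);

        System.out.println("java.version      : " + System.getProperty("java.version"));
        System.out.println("supported         : "
            + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("enabled by default: "
            + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));

        // Pin the protocol list explicitly so the result does not depend on
        // which versions a particular JDK release enables for "TLS".
        SSLParameters params = ctx.getDefaultSSLParameters();
        params.setProtocols(pickProtocols(ctx));
        SSLEngine engine = ctx.createSSLEngine();
        engine.setSSLParameters(params);
        System.out.println("enabled after pin : "
            + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

Running it under each JDK in question shows the difference between the "supported" and "enabled by default" lines directly.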