Ok i fixed the source to fetch WSDL from https (it is not perfect yet as it
does not use the truststore yet but this I can fix) - I will share later in a
Jira.
It is however now unable to locate the imported document /Authentication?xsd=2
relative to Authenticaton?wsdl#types1
I will look into this, but if someone has come cross it then please let me know.
> Am 16.01.2020 um 10:22 schrieb Jörn Franke <jornfra...@gmail.com>:
>
>
> Coming back to the original topic. I believe SSL was never fully solved from
> what i read in the corresponding issue. Apparently, the fetching of the WSDL
> itself through https was not possible. Do you remember still some insights
> beyond what is written in the issue ?
>
>>> Am 16.01.2020 um 00:37 schrieb Karl Wright <daddy...@gmail.com>:
>>>
>>
>> Let me think about that option.
>>
>> Karl
>>
>>
>>> On Wed, Jan 15, 2020 at 5:38 PM Jörn Franke <jornfra...@gmail.com> wrote:
>>> We could make it configurable, e.g. in properties.xml. Here people could
>>> set it to SSL, TLS, TLSv1.2 (to restrict it to TLS1.2 => some companies may
>>> want that!). Is this a viable option? That would be also future proof. We
>>> can leave it by default to SSL, but we should put in the example config
>>> files TLS by default (so new starters do not get even the idea to use an
>>> outdated protocol) AND put a comment with recommendation to use/enforce
>>> always newest protocols for security reasons. Of course, the choice is then
>>> with the people using the software.
>>> Could that be something sensible from your point of view?
>>>
>>>> On Wed, Jan 15, 2020 at 11:14 PM Karl Wright <daddy...@gmail.com> wrote:
>>>> It's rather immaterial what browsers do here. What's important is what
>>>> *existing servers* support, since that is what we're connecting with.
>>>>
>>>> I tend to agree that *most* people have probably upgraded to web servers
>>>> that support TLS. But we can't guarantee it, nor can we assume that
>>>> people have upgraded to the most modern version of TLS exclusively. In
>>>> fact I think we can assume they have *not*. When the SSL issues were
>>>> discovered a couple of years back, the standard recommendation was simply
>>>> to *disable* SSLv1 and SSLv2, not to upgrade to Java 11 or some such. We
>>>> still support (and have people using!!) early forms of NTLM (v1 to be
>>>> specific), for instance. We're not going to be able to wag the dog here.
>>>> Breaking changes of this kind usually mean we go to a whole new major
>>>> version of MCF.
>>>>
>>>> However, if you can show that SSLContext.getSSLFactory("TLS") produces a
>>>> SSLSocketFactory that works with all versions of TLS and SSL that do not
>>>> have known security holes, I would support changing over to that. If it
>>>> turns out we need much more specificity about the kind of SSLSocketFactory
>>>> we produce, then we need a better solution anyhow for handling multiple
>>>> protocols in one socket factory.
>>>>
>>>> Karl
>>>>
>>>>
>>>>> On Wed, Jan 15, 2020 at 5:17 AM Jörn Franke <jornfra...@gmail.com> wrote:
>>>>> Hi Karl,
>>>>>
>>>>> No it does not. I can look into that further, but Current browsers stop
>>>>> supporting anything below TLSv1.2 in March 2020.
>>>>> Then TLS exists since more than ten years. I expect any server running
>>>>> nowadays will always have tls support.
>>>>> SSL itself is not supported since some time now. From a security
>>>>> perspective it should even break servers that run only SSL as they are
>>>>> inherently insecure and also clients that only support SSL are adding to
>>>>> this.
>>>>> However if you have an idea how this should be made configurable then I
>>>>> can look into this.
>>>>>
>>>>> Best regards
>>>>>
>>>>>>> Am 15.01.2020 um 10:52 schrieb Karl Wright <daddy...@gmail.com>:
>>>>>>>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Mcf currently requires jdk8. Jdk11 is non trivial to support because of
>>>>>> the removal of many jdk classes connectors need. It will be ported at
>>>>>> some point but not lightly.
>>>>>>
>>>>>> Similarly, disabling SSL would certainly break many installations upon
>>>>>> upgrade and we do not do that lightly.
>>>>>>
>>>>>> The core methods that mcf supplies its connectors should therefore be
>>>>>> updated to support but not mandate tls. The protocol specification one
>>>>>> gives to sslcontext is not a detailed one but rather a major version.
>>>>>> What I don't know is whether"tlsv1" also allows for older protocols etc.
>>>>>>
>>>>>> Karl
>>>>>>
>>>>>>> On Wed, Jan 15, 2020, 1:19 AM Jörn Franke <jornfra...@gmail.com> wrote:
>>>>>>> Yes I am doing that but I will need to rebuild.
>>>>>>> I don’t recommend TLSv1 - this is already outphased and will lock out
>>>>>>> TLSv1.2. I try TLS only as it includes all TLS protocols (depends on
>>>>>>> JDK).
>>>>>>>
>>>>>>> SSL will not be supported by this (however as I said there are other
>>>>>>> parts of the code where there is a getInstance(TLS). And some caveats:
>>>>>>> On JDK6+7 TLS only means TLSv1 (and newer TLS Protocols are
>>>>>>> deactivated) on JDK8 it means also that newer TLS protocols are enabled.
>>>>>>> To be honest in my opinion - a SSL only one is a significant security
>>>>>>> hole and given how old TLS support is JDK i would be surprised if there
>>>>>>> is someone using such a server (most Organisations should switch to
>>>>>>> TLSv1.2 in any case as all protocols below have been broken).
>>>>>>> While it works for all JDKs - probably JDK8 should be recommended as it
>>>>>>> seems to have all TLS protocols activated when using „TLS“. Older JDKs
>>>>>>> seem to deactivate TLSv1.1 and TLSv1.2 when using TLS. I will write
>>>>>>> more about this in the JIRA, once I verified that this solves the
>>>>>>> problem.
>>>>>>> Then TLSv1.3 is JDK11 only - I will investigate what that implies.
>>>>>>> Does ManifoldCf supports JDK11?
>>>>>>>
>>>>>>>>> Am 15.01.2020 um 00:08 schrieb Karl Wright <daddy...@gmail.com>:
>>>>>>>>>
>>>>>>>>
>>>>>>>> I think you can just change the code to read as follows when it
>>>>>>>> creates the SSLContext:
>>>>>>>>
>>>>>>>> SSLContext ctx = SSLContext.getInstance("TLSv1");
>>>>>>>>
>>>>>>>> I don't know if TLS will downgrade to SSL if that's all that's
>>>>>>>> available.
>>>>>>>>
>>>>>>>> Karl
>>>>>>>>
>>>>>>>>
>>>>>>>>> On Tue, Jan 14, 2020 at 6:02 PM Jörn Franke <jornfra...@gmail.com>
>>>>>>>>> wrote:
>>>>>>>>> Yes it you do not change this setting as what I suspect happens here.
>>>>>>>>> See my previous mail for details.
>>>>>>>>>
>>>>>>>>>>> Am 14.01.2020 um 23:51 schrieb Karl Wright <daddy...@gmail.com>:
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> It looks looks TLS is actually enabled in the SSLSocketFactory
>>>>>>>>>> framework based on how you create the SSLSocketContext. See:
>>>>>>>>>>
>>>>>>>>>> https://docs.oracle.com/cd/E19698-01/816-7609/security-83/index.html
>>>>>>>>>>
>>>>>>>>>> Karl
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> On Tue, Jan 14, 2020 at 5:48 PM Karl Wright <daddy...@gmail.com>
>>>>>>>>>>> wrote:
>>>>>>>>>>> The design of ManifoldCF deliberately manages keystores on a
>>>>>>>>>>> connection by connection basis, not globally. If you think the
>>>>>>>>>>> only way to implement TLS is via global keystore I very much doubt
>>>>>>>>>>> it.
>>>>>>>>>>>
>>>>>>>>>>> I am on the road until late tomorrow but somewhere along the line I
>>>>>>>>>>> can do some research into why TLS won't work as we are currently
>>>>>>>>>>> doing it.
>>>>>>>>>>>
>>>>>>>>>>> Karl
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Jan 14, 2020 at 12:56 PM Jörn Franke
>>>>>>>>>>>> <jornfra...@gmail.com> wrote:
>>>>>>>>>>>> These are TLS only. So maybe you have other servers where tls and
>>>>>>>>>>>> ssl are possible and it downgrades to ssl.however, this is
>>>>>>>>>>>> speculation and I need to verify it. I have to rebuilt manifold
>>>>>>>>>>>> for that. Probably I have to reinstall everything as the
>>>>>>>>>>>> keystorefactory is a dependency in the connector.
>>>>>>>>>>>>
>>>>>>>>>>>>>> Am 14.01.2020 um 18:34 schrieb Karl Wright <daddy...@gmail.com>:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> If you can recommend changes to support TLS, that would be great.
>>>>>>>>>>>>> The basic infrastructure should still work; it is just a custom
>>>>>>>>>>>>> keystone and associated SSLSocketFactory, which I think also is
>>>>>>>>>>>>> used for TLS connections, unless I am missing something.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tue, Jan 14, 2020, 9:38 AM Jörn Franke <jornfra...@gmail.com>
>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>> Yes this works fine. I believe the error comes from the fact
>>>>>>>>>>>>>> that TLS connections are not supported.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Am 14.01.2020 um 15:31 schrieb Michael Cizmar
>>>>>>>>>>>>>>>> <michael.ciz...@mcplusa.com>:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> If you want to test the url and the ssl, I would recommend
>>>>>>>>>>>>>>> attempting using SSLPoke to confirm that they keystore is setup
>>>>>>>>>>>>>>> properly:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> https://github.com/MichalHecko/SSLPoke
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Michael
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> From: Karl Wright <daddy...@gmail.com>
>>>>>>>>>>>>>>> Reply-To: "user@manifoldcf.apache.org"
>>>>>>>>>>>>>>> <user@manifoldcf.apache.org>
>>>>>>>>>>>>>>> Date: Tuesday, January 14, 2020 at 7:21 AM
>>>>>>>>>>>>>>> To: "user@manifoldcf.apache.org" <user@manifoldcf.apache.org>
>>>>>>>>>>>>>>> Subject: Re: CSWS Connector : ServiceConstructionException:
>>>>>>>>>>>>>>> Failed to create service
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hmm, others have succeeded setting up SSL connections with the
>>>>>>>>>>>>>>> current code. Hoping they chime in here.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Karl
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Tue, Jan 14, 2020, 8:19 AM Jörn Franke
>>>>>>>>>>>>>>> <jornfra...@gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> It seems that it has indeed a certificate issue as it cannot
>>>>>>>>>>>>>>> find a valid certification path to the target. The thing is: I
>>>>>>>>>>>>>>> added those certificates in the UI should it should not happen.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Am 10.01.2020 um 20:51 schrieb Jörn Franke
>>>>>>>>>>>>>>> <jornfra...@gmail.com>:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 2.15 ...
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I will try on the weekend to see if I can get some logs out of
>>>>>>>>>>>>>>> it.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Am 10.01.2020 um 19:02 schrieb Karl Wright <daddy...@gmail.com>:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Can I ask what version of MCF you are using? There were issues
>>>>>>>>>>>>>>> with SSL in the first release of the csws connector if I recall
>>>>>>>>>>>>>>> correctly, that were fixed for the second release.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Karl
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Fri, Jan 10, 2020 at 11:42 AM Jörn Franke
>>>>>>>>>>>>>>> <jornfra...@gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I added root, intermediate and server certificate (in base64
>>>>>>>>>>>>>>> cer, it seems to be recognized by manifoldcf), but I still get
>>>>>>>>>>>>>>> the same message. I will try to get somehow the full stacktrace
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Am 10.01.2020 um 17:21 schrieb Karl Wright <daddy...@gmail.com>:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> If you are using SSL you need to have the proper certificate
>>>>>>>>>>>>>>> saved in the connection's keystore.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Karl
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Fri, Jan 10, 2020 at 11:20 AM Jörn Franke
>>>>>>>>>>>>>>> <jornfra...@gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> It is actually a server using configuration of the command -
>>>>>>>>>>>>>>> driven multi-process model (but the agents executed as a
>>>>>>>>>>>>>>> service and the war on a tomcat executed as a service) under
>>>>>>>>>>>>>>> Linux.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I thought as well that it cannot reach the webservices, the
>>>>>>>>>>>>>>> question is why. On the same server I can reach the webservices
>>>>>>>>>>>>>>> and fetch the WSDL without issues.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Maybe sth related to ssl ?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Am 10.01.2020 um 14:59 schrieb Karl Wright <daddy...@gmail.com>:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> How are you running manifoldcf? Single process example, or a
>>>>>>>>>>>>>>> custom setup of some kind?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> This exception is a "catch all" exception generated far below
>>>>>>>>>>>>>>> anything in ManifoldCF, but usually means it cannot download
>>>>>>>>>>>>>>> the WSDLs from the service. Getting the full exception dumped
>>>>>>>>>>>>>>> in the log requires a "hack" to the check() method of the
>>>>>>>>>>>>>>> connector, but I'm pretty sure that's what's happening anyway.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Karl
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Fri, Jan 10, 2020 at 8:50 AM Jörn Franke
>>>>>>>>>>>>>>> <jornfra...@gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I tried to use the CSWS connector, but already for the
>>>>>>>>>>>>>>> Authority connection I receive a
>>>>>>>>>>>>>>> org.apache.cxf.service.factory.ServiceConstructionException:
>>>>>>>>>>>>>>> Failed to create service.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Unfortunately I don’t see more details , also not in the log
>>>>>>>>>>>>>>> (debug is activated). I try to get a little bit more output by
>>>>>>>>>>>>>>> modifying the connector, but maybe someone has already an idea
>>>>>>>>>>>>>>> why this can happen?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Are there some special instructions to use it? The pointers to
>>>>>>>>>>>>>>> the webservices are correct, I tested via Curl and SOAPUI.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thank you.
>>>>>>>>>>>>>>> Best regards
