Hi Ted, thank you for your response. Unfortunately neither of the suggested approaches works for me whenever I additionally set a custom endpoint URL that differs from the one in the WSDL. Also, setting the "trust-all" manager on HttpsURLConnection would in my opinion totally disable server certificate validation, while I want it only for the given web service port.
According to the observed behavior I assume that setting a custom endpoint URL results in a different HTTPConduit being used, which does not have the custom TLSClientParameters set.

Br,
Stepan

From: Ted <[email protected]>
To: [email protected]
Date: 16.05.2013 02:14
Subject: Re: Overriding TLSClientParameters after overriding endpoint address

oh one thing you might want to check, since you're trying to "trustall" in your certificates, in addition to the above, I had to setup another bit some where else (context startup listener for the webapp)

TrustAllManager[] tam = { new TrustAllManager() };
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, tam, new SecureRandom());
SSLSocketFactory sslSocketFactory = ctx.getSocketFactory();
HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);
HostnameVerifier hostNameVerifier = new HostnameVerifier() {
    @Override
    public boolean verify(String host, SSLSession sslSession) {
        return(true);
    }
};
HttpsURLConnection.setDefaultHostnameVerifier(hostNameVerifier);

On 5/16/13, Ted <[email protected]> wrote:
> I do that in cxf 2.7.4 and oracle jdk1.7, it looks very similar to
> what you're doing although maybe in a different order :
>
> AccountWsService service = new AccountWsService(myServiceUrl);
> AccountWs wsPort = service.getAccountWsPort();
>
> Client cxfClient = ClientProxy.getClient(wsPort);
> HTTPConduit httpConduit = (HTTPConduit) cxfClient.getConduit();
>
> TLSClientParameters tslClientParameters = httpConduit.getTlsClientParameters();
> if (tslClientParameters == null) tslClientParameters = new TLSClientParameters();
> tslClientParameters.setDisableCNCheck(true);
> TrustAllManager[] tam = { new TrustAllManager() };
> tslClientParameters.setTrustManagers(tam);
> tslClientParameters.setSecureSocketProtocol("SSLv3");
> httpConduit.setTlsClientParameters(tslClientParameters);
>
> HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
> httpClientPolicy.setConnection(ConnectionType.KEEP_ALIVE);
> httpClientPolicy.setConnectionTimeout(connectionTimeout);
> httpClientPolicy.setAllowChunking(false);
> httpClientPolicy.setReceiveTimeout(receiveTimeout);
> httpConduit.setClient(httpClientPolicy);
>
>
> On 5/15/13, Stepan Seycek <[email protected]> wrote:
>> Hello,
>>
>> I run into problems when I try to set TLSClientParameters on the HTTP
>> Conduit of a client where I also override the ENDPOINT_ADDRESS. The result
>> is that my TLSClientParameters are not considered at all (certificate
>> validation error). If I do not override the ENDPOINT_ADDRESS, it works as
>> expected. Could anybody point me to a solution that allows me to set both,
>> the endpoint and a custom trust manager?
>>
>> Code (tested with CXF 2.7.4, Java 7):
>>
>> private <PortT> void setupSoapPort(PortT soapPort) {
>>     Client soapClient = ClientProxy.getClient(soapPort);
>>
>>     // set endpoint and timeouts
>>     soapClient.getRequestContext().put(Message.ENDPOINT_ADDRESS, this.endpoint);
>>     HTTPConduit conduit = (HTTPConduit) soapClient.getConduit();
>>     HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
>>     httpClientPolicy.setConnectionTimeout(this.connectTimeout);
>>     httpClientPolicy.setReceiveTimeout(this.receiveTimeout);
>>     conduit.setClient(httpClientPolicy);
>>
>>     // enable cookie based sessions
>>     ((BindingProvider)soapPort).getRequestContext().put(
>>         BindingProvider.SESSION_MAINTAIN_PROPERTY, "true");
>>
>>     // disable server certificate validation if requested
>>     if (false == this.sslValidateServerCert &&
>>             this.endpoint.toLowerCase().startsWith("https://")) {
>>         TrustManager[] trustAllCerts = new TrustManager[]{
>>             new javax.net.ssl.X509TrustManager() {
>>                 public X509Certificate[] getAcceptedIssuers() {return null;}
>>                 public void checkClientTrusted(X509Certificate[] certs, String authType) {}
>>                 public void checkServerTrusted(X509Certificate[] certs, String authType) {}
>>             }
>>         };
>>         TLSClientParameters tlsParams = new TLSClientParameters();
>>         tlsParams.setTrustManagers(trustAllCerts);
>>         tlsParams.setDisableCNCheck(true);
>>         conduit.setTlsClientParameters(tlsParams);
>>     }
>> }
>>
>> Thanks in advance,
>> Stepan
>>
>
>
> --
> Ted.
>

--
Ted.
