I think it will read the global CA configuration anyway first, but then use the conduit keystore configuration. If you enable SSL debug logging can you see the certs stored in your truststore being loaded? Do you still see the same error?
Colm.

On Tue, Mar 20, 2018 at 1:42 PM, Tóth Csaba <[email protected]> wrote:

> Hello!
>
> The
> <http:conduit name="https://localhost:.*">
> did not work (same error), so I tried to dig deeper, and found out that the
> keystore definition was wrong. I fixed it, and it reads the "*.http-conduit"
> too, but when I try to test, it reads the global keystore again and not
> what I defined in the conduit:
> ------------
> ...
> Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> trustStore is: C:\Program Files\Java\jre1.8.0_144\lib\security\cacerts
> trustStore type is : jks
> trustStore provider is :
> init truststore
> ....
> -----------------
>
> Csaba
>
> On 2018.03.20. 11:26, Colm O hEigeartaigh wrote:
> > What if you use something like this instead?
> >
> > <http:conduit name="https://localhost:.*">
> >
> > If that doesn't work (with the correct domain name) then it looks like the
> > config is not getting picked up properly.
> >
> > Colm.
> >
> > On Mon, Mar 19, 2018 at 4:56 PM, Tóth Csaba <[email protected]> wrote:
> >
> >> Hello!
> >>
> >> I'd like to call a webservice from a server. I created everything, I just
> >> need help to configure the conduit properly:
> >>
> >> <http:conduit
> >>     name="{urn:ihe:iti:hpd:2010}ProviderInformationDirectory_Port_Soap12.http-conduit">
> >>   <http:tlsClientParameters>
> >>     <sec:keyManagers keyPassword="password">
> >>       <sec:keyStore type="JKS" password="password"
> >>                     file="key/ldapClient.jks"/>
> >>     </sec:keyManagers>
> >>     <sec:trustManagers>
> >>       <sec:keyStore type="JKS" password="password"
> >>                     file="key/ldapClient.jks"/>
> >>     </sec:trustManagers>
> >>     <sec:cipherSuitesFilter>
> >>       <!-- these filters ensure that a ciphersuite with
> >>            export-suitable or null encryption is used,
> >>            but exclude anonymous Diffie-Hellman key change as
> >>            this is vulnerable to man-in-the-middle attacks -->
> >>       <sec:include>.*_EXPORT_.*</sec:include>
> >>       <sec:include>.*_EXPORT1024_.*</sec:include>
> >>       <sec:include>.*_WITH_DES_.*</sec:include>
> >>       <sec:include>.*_WITH_AES_.*</sec:include>
> >>       <sec:include>.*_WITH_NULL_.*</sec:include>
> >>       <sec:exclude>.*_DH_anon_.*</sec:exclude>
> >>     </sec:cipherSuitesFilter>
> >>   </http:tlsClientParameters>
> >> </http:conduit>
> >>
> >> The port name in the WSDL:
> >> <port name="ProviderInformationDirectory_Port_Soap12"
> >> and the
> >> targetNamespace="urn:ihe:iti:hpd:2010"
> >>
> >> It looks like it is not working (the SSL log searches for the cert in the
> >> global Java keystore and not in the one defined in the conduit).
> >> I tried with:
> >> {urn:ihe:iti:hpd:2010}ProviderInformationDirectory_Port_Soap12.http-conduit
> >> {urn:ihe:iti:hpd:2010}*.http-conduit
> >> *ProviderInformationDirectory_Port_Soap12.http-conduit
> >> with the same result.
> >>
> >> If I try with "*.http-conduit" I get an error:
> >> Error creating bean with name '*.http-conduit': Cannot create inner bean
> >> '(inner bean)#7a90b2df' of type
> >> [org.apache.cxf.configuration.jsse.TLSClientParametersConfig] while
> >> setting bean property 'tlsClientParameters'
> >>
> >> Thanks for any help
> >>
> >> Csaba
> >>
>

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
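For reference, here is a complete conduit configuration of the shape discussed in this thread, added as an example (it is not from the thread or from the CXF project). It uses the address-regex conduit name Colm suggested, a truststore separate from the client keystore, and a cipher-suite filter that replaces the EXPORT/DES/NULL includes from the quoted sample; the host, port, file names, passwords and the TLSv1.2 choice are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/transports/http/configuration
         http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://cxf.apache.org/configuration/security
         http://cxf.apache.org/schemas/configuration/security.xsd">

  <!-- Match the conduit by endpoint address (a regex), as suggested in the
       thread, rather than by the WSDL port QName. Host and port are assumed. -->
  <http:conduit name="https://hpd.example.org:8443/.*">
    <http:tlsClientParameters secureSocketProtocol="TLSv1.2"
                              disableCNCheck="false">
      <!-- Client identity: the keystore that holds this client's private key. -->
      <sec:keyManagers keyPassword="CHANGE_ME">
        <sec:keyStore type="JKS" password="CHANGE_ME"
                      file="key/ldapClient.jks"/>
      </sec:keyManagers>
      <!-- Trust anchors: a separate truststore holding only the server's CA,
           so neither the client keystore nor the JRE cacerts is used for trust. -->
      <sec:trustManagers>
        <sec:keyStore type="JKS" password="CHANGE_ME"
                      file="key/hpd-truststore.jks"/>
      </sec:trustManagers>
      <!-- Admit only ECDHE + AES-GCM suites (forward secrecy, AEAD); the
           excludes reject the EXPORT, DES, NULL and anonymous suites that the
           quoted sample filter would have allowed. -->
      <sec:cipherSuitesFilter>
        <sec:include>TLS_ECDHE_.*_WITH_AES_.*_GCM_.*</sec:include>
        <sec:exclude>.*_NULL_.*</sec:exclude>
        <sec:exclude>.*_EXPORT.*</sec:exclude>
        <sec:exclude>.*_DES_.*</sec:exclude>
        <sec:exclude>.*_anon_.*</sec:exclude>
      </sec:cipherSuitesFilter>
    </http:tlsClientParameters>
  </http:conduit>
</beans>
```

To verify the conduit is actually picked up, run the client with `-Djavax.net.debug=ssl` as the reply suggests and check that the `trustStore is:` line names `key/hpd-truststore.jks` rather than the JRE `cacerts` file shown in the quoted log.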
