TLS Parameters common to both Clients and Servers

The TLS Parameters common to both Clients and Servers are given here:

keyManagers (default: JVM default Key Managers)
    Key Managers to hold X509 certificates.

trustManagers (default: JVM default Trust Managers)
    Trust Managers to validate peer X509 certificates.

jsseProvider (default: JVM default provider associated with the protocol)
    JSSE provider name.

cipherSuites (default: JVM default cipher suites)
    CipherSuites that will be supported.

cipherSuitesFilter (no default)
    Filters on the supported CipherSuites; the suites that pass the filter are used if available.

certConstraints (no default)
    Certificate Constraints specification.

secureRandomParameters (default: JVM default SecureRandom)
    SecureRandom specification.

secureSocketProtocol (default: "TLS")
    Protocol name. For example: "TLS", "TLSv1.2", "TLSv1.3".

certAlias (no default)
    Cert alias to use. Useful when the keystore has multiple certs.

enableRevocation (default: "false"; since CXF 3.1.11)
    Specifies whether to enable revocation checking when validating the client/server certificate.
    To enable "ocsp" this should be set to "true" (along with the Java Security property "ocsp.enable").


Note that from CXF 3.0.3 and 2.7.14, the SSLv3 protocol is disabled on the client side, and on the service side (if Jetty is used), unless "SSLv3" is explicitly specified for the "secureSocketProtocol" parameter.

Key Managers

The Key Managers configuration item is used to retrieve key information. It is required for a Server, but is only required for a Client when the Server requires Client Authentication.

Key Manager sample
    <httpj:tlsServerParameters>
        ...
        <sec:keyManagers keyPassword="stskpass">
            <sec:keyStore type="jks" password="stsspass" resource="stsstore.jks" />
        </sec:keyManagers>
        ...
    </httpj:tlsServerParameters>

Trust Managers

The Trust Managers configuration item is used to validate trust in peer X.509 certificates. It is required for both Servers and Clients.

Trust Manager sample
    <httpj:tlsServerParameters>
        ...
        <sec:trustManagers>
            <sec:keyStore type="jks" password="stsspass" resource="stsstore.jks" />
        </sec:trustManagers>
        ...
    </httpj:tlsServerParameters>

TLS CipherSuites

When CXF selects the CipherSuites to use in a TLS Connection, it selects them in the following order:

  1. Explicit "cipherSuites" configuration, if defined (see below).
  2. Cipher suites defined via the system property "https.cipherSuites", if set.
  3. The default JVM CipherSuites, if no filters (see below) have been defined.
  4. Otherwise, the filter applied to the supported cipher suites (*not* the default JVM CipherSuites).

CipherSuites

We can select explicit CipherSuites to use in configuration, for example:

CipherSuites sample
    <httpj:tlsServerParameters>
        ...
        <sec:cipherSuites>
            <sec:cipherSuite>TLS_AES_128_GCM_SHA256</sec:cipherSuite>
        </sec:cipherSuites>
        ...
    </httpj:tlsServerParameters>

CipherSuites Filter

The CipherSuites Filter is used to either include or exclude particular CipherSuites. An inclusion filter must be specified or else no ciphersuites will be included; the exclusion filter is optional. Please note that care must be taken when using ciphersuite filters, as they operate on all of the supported ciphersuites (as opposed to the default JVM ciphersuites that are used if no filter is specified). It is recommended instead to either select specific CipherSuites (see above) or else just rely on the default JVM ciphersuites by not specifying any cipherSuites or cipherSuitesFilter configuration.

If no exclusion filter is specified, the default ciphersuites that are excluded are as follows. Note that if the user explicitly allows any of these in the inclusion filter, then they are not excluded by default. For example, if you want to allow "NULL" ciphersuites by adding an inclusion filter of ".*NULL.*" then this is removed from the default exclusion filters.

Default excluded CipherSuite filter     Since CXF version
.*NULL.*                                3.2.7
.*anon.*                                3.2.7
.*EXPORT.*                              3.2.7
.*DES.* (note: includes 3DES)           3.3.0
.*MD5                                   3.3.0
.*CBC.*                                 3.3.0
.*RC4.*                                 3.3.0

Example:

CipherSuites Filter sample
    <httpj:tlsServerParameters>
        ...
        <sec:cipherSuitesFilter>
            <sec:include>.*_WITH_AES_.*</sec:include>
            <sec:exclude>.*_DH_anon_.*</sec:exclude>
        </sec:cipherSuitesFilter>
        ...
    </httpj:tlsServerParameters>
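The following Python model of the filter rules described above is an added illustration, not CXF code: it applies the include/exclude regular expressions to a constructed list of supported suites and shows the two caveats a practitioner should watch for, namely that specifying any explicit exclude switches the default exclusions off (so the CBC suite survives the sample filter), and that a TLS 1.3 suite name has no "_WITH_" and so never matches the sample include pattern. The default exclusion list and the full-match semantics are taken from the page; the suite names are constructed sample data.

```python
import re

# Default exclusion patterns listed on this page (CXF 3.2.7 / 3.3.0).
DEFAULT_EXCLUDES = [
    ".*NULL.*", ".*anon.*", ".*EXPORT.*", ".*DES.*", ".*MD5", ".*CBC.*", ".*RC4.*",
]

# Constructed sample of suites a JVM might report as *supported*
# (not the narrower default list), which is what the filter operates on.
SUPPORTED_SUITES = [
    "TLS_AES_128_GCM_SHA256",                  # TLS 1.3 suite: no "_WITH_" in the name
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_NULL_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
]


def effective_excludes(include, exclude):
    """Exclusion patterns that actually apply: the explicit <sec:exclude> list if
    one is given, otherwise the defaults minus any pattern that the include list
    names verbatim (the page's ".*NULL.*" case)."""
    if exclude:
        return list(exclude)
    return [p for p in DEFAULT_EXCLUDES if p not in include]


def filter_cipher_suites(supported, include, exclude=None):
    """Keep a suite if it fully matches at least one include pattern and no
    effective exclude pattern. With no include filter nothing is selected."""
    if not include:
        return []
    inc = [re.compile(p) for p in include]
    exc = [re.compile(p) for p in effective_excludes(include, exclude or [])]
    return [
        s for s in supported
        if any(r.fullmatch(s) for r in inc) and not any(r.fullmatch(s) for r in exc)
    ]


if __name__ == "__main__":
    # The page's sample filter: explicit exclude, so the default exclusions do NOT apply
    print(filter_cipher_suites(SUPPORTED_SUITES, [".*_WITH_AES_.*"], [".*_DH_anon_.*"]))
    # Same include with no exclude: defaults apply and the CBC suite drops out
    print(filter_cipher_suites(SUPPORTED_SUITES, [".*_WITH_AES_.*"]))
```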

Cert Constraints

Cert constraints can be used by either the client or server to impose constraints on the peer certificates. This can be done by specifying a set of regular expressions on either the Subject DN (Distinguished Name) or the Issuer DN (or both) of the certificate. A "combinator" attribute can also be specified for either the SubjectDNConstraints or IssuerDNConstraints Elements. This attribute can be either "ANY" or "ALL", and refers to whether any or all of the defined regular expressions should apply. The default value is "ALL".

Cert Constraints sample
    <httpj:tlsServerParameters>
        ...
        <sec:certConstraints>
            <sec:SubjectDNConstraints>
                <sec:RegularExpression>.*OU=Morpit.*</sec:RegularExpression>
            </sec:SubjectDNConstraints>
            <sec:IssuerDNConstraints combinator="ALL">
                <sec:RegularExpression>.*O=ApacheTest.*</sec:RegularExpression>
                <sec:RegularExpression>.*O=OtherApacheTest.*</sec:RegularExpression>
            </sec:IssuerDNConstraints>
        </sec:certConstraints>
        ...
    </httpj:tlsServerParameters>
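An added Python model of the combinator semantics just described (not CXF's own code). It mirrors the sample configuration above against constructed subject and issuer names and shows a point worth checking in that sample: with combinator="ALL" and two different "O=" patterns, the issuer DN would have to match both, so a certificate issued by O=ApacheTest is rejected unless the combinator is "ANY". It assumes the regular expressions are matched against the whole DN rendered as a single RFC 2253 string.

```python
import re

# Constructed constraints mirroring the page's sample: the subject must be in
# OU=Morpit; the issuer patterns are combined with the given combinator.
CONSTRAINTS = {
    "subject": {"combinator": "ALL", "patterns": [r".*OU=Morpit.*"]},
    "issuer": {"combinator": "ALL",
               "patterns": [r".*O=ApacheTest.*", r".*O=OtherApacheTest.*"]},
}

# Constructed peer certificate names in RFC 2253 form (assumed here to be the
# string form the regular expressions are matched against).
SUBJECT_DN = "CN=client,OU=Morpit,O=ApacheTest,C=IE"
ISSUER_DN = "CN=Test CA,O=ApacheTest,C=IE"


def dn_matches(dn, patterns, combinator="ALL"):
    """ALL: every regular expression must match the whole DN string;
    ANY: at least one must. No patterns means no constraint."""
    if not patterns:
        return True
    hits = [re.fullmatch(p, dn) is not None for p in patterns]
    return all(hits) if combinator.upper() == "ALL" else any(hits)


def peer_cert_allowed(subject_dn, issuer_dn, constraints):
    """Apply SubjectDNConstraints and IssuerDNConstraints; both sets must pass."""
    subj = constraints.get("subject", {})
    iss = constraints.get("issuer", {})
    return (dn_matches(subject_dn, subj.get("patterns", []), subj.get("combinator", "ALL"))
            and dn_matches(issuer_dn, iss.get("patterns", []), iss.get("combinator", "ALL")))


def with_issuer_combinator(constraints, combinator):
    """Copy of the constraints with the issuer combinator replaced."""
    out = {k: dict(v) for k, v in constraints.items()}
    out["issuer"]["combinator"] = combinator
    return out


if __name__ == "__main__":
    print(peer_cert_allowed(SUBJECT_DN, ISSUER_DN, CONSTRAINTS))   # ALL: rejected
    print(peer_cert_allowed(SUBJECT_DN, ISSUER_DN,
                            with_issuer_combinator(CONSTRAINTS, "ANY")))  # ANY: accepted
```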

Client TLS Parameters

In addition to the TLS Parameters common to both Clients and Servers, there are some parameters that are specific to Clients:

disableCNCheck (default: false)
    Indicates whether the hostname given in the HTTPS URL is checked against the Common Name (CN) in the service's certificate during requests, failing the request if there is a mismatch. If set to true (not recommended for production use), such checks are bypassed. That allows you, for example, to use a URL such as localhost during development.

sslSocketFactory (no default)
    An SSLSocketFactory to use. All other bean properties are ignored if this is set.

sslCacheTimeout (default: 86400 seconds (24 hours))
    SSL cache timeout in seconds.

useHttpsURLConnectionDefaultSslSocketFactory (default: false)
    Specifies whether HttpsURLConnection.getDefaultSSLSocketFactory() should be used to create HTTPS connections. If 'true', the 'jsseProvider', 'secureSocketProtocol', 'trustManagers', 'keyManagers', 'secureRandom', 'cipherSuites' and 'cipherSuitesFilter' configuration parameters are ignored.

useHttpsURLConnectionDefaultHostnameVerifier (default: false)
    Specifies whether HttpsURLConnection.getDefaultHostnameVerifier() should be used to create HTTPS connections. If 'true', the 'disableCNCheck' configuration parameter is ignored.

hostnameVerifier (no default)
    A custom HostnameVerifier instance to use.

Disable CN Check

disableCNCheck is a parameterized boolean, you can use a fixed variable true|false as well as a Spring externalized property variable (e.g. ${disable-https-hostname-verification}) or a Spring expression (e.g. #{systemProperties['dev-mode']}).

HTTP conduit configuration disabling HTTP URL hostname verification (usage of localhost, etc)
   <!-- deactivate HTTPS url hostname verification (localhost, etc)    -->
   <!-- WARNING ! disableCNCheck="true" should NOT be used in production -->
   <http-conf:tlsClientParameters disableCNCheck="true" />
   ...

Server TLS Parameters

In addition to the TLS Parameters common to both Clients and Servers, there are some parameters that are specific to Servers:

clientAuthentication (default: neither "wanted" nor "required")
    Allows you to configure whether client authentication is "wanted" and/or "required".

excludeProtocols (default: SSLv3 is excluded for Jetty from CXF 3.0.3 and 2.7.14)
    The TLS protocols to exclude.

includeProtocols (no default; since CXF 3.1.1/3.0.6)
    Allows you to add more protocols. For example, if you have a TLS protocol configured, you could add support for "SSLv2Hello" here for older clients.

Client Authentication

This allows you to define whether client authentication is wanted and/or required.

Client Authentication sample
    <httpj:tlsServerParameters>
        ...
        <sec:clientAuthentication want="true" required="true" />
        ...
    </httpj:tlsServerParameters>