How service-side HTTPS cipher suite filters are defined


How service-side HTTPS cipher suite filters are defined

Glen Mazza
Administrator
Hello, I'd like to confirm something:

The CXF documentation shows where cipher suite filters can be defined on the client-side:
http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html

However, for service-side, you apparently need to configure the underlying servlet container and not the web service itself, for example here with Jetty:
https://cwiki.apache.org/confluence/display/CXF20DOC/Standalone+HTTP+Transport
http://fusesource.com/docs/framework/2.2/security/i343422.html

And Tomcat has a "ciphers" element that will apparently do the same thing: http://tomcat.apache.org/tomcat-6.0-doc/config/http.html.

So there is no web-service level configuration of cipher suite filters, but just that of the servlet container (or Endpoint implementation) hosting the web service, correct?

Thanks,
Glen

Re: How service-side HTTPS cipher suite filters are defined

Daniel Kulp
Administrator
On Tuesday 17 August 2010 9:59:54 am Glen Mazza wrote:

> Hello, I'd like to confirm something:
>
> The CXF documentation shows where cipher suite filters can be defined on
> the client-side:
> http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html
>
> However, for service-side, you apparently need to configure the underlying
> servlet container and not the web service itself, for example here with
> Jetty:
> https://cwiki.apache.org/confluence/display/CXF20DOC/Standalone+HTTP+Transport
> http://fusesource.com/docs/framework/2.2/security/i343422.html
>
> And Tomcat has a "ciphers" element that will apparently do the same thing:
> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html.
>
> So there is no web-service level configuration of cipher suite filters, but
> just that of the servlet container (or Endpoint implementation) hosting the
> web service, correct?

That's correct. For the most part, the ciphers and such are part of the
socket level negotiation of SSL/TLS. Thus, it occurs long before CXF really
has any say in anything. That's why it needs to be configured on the
container or Jetty directly.


--
Daniel Kulp
http://dankulp.com/blog
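
The socket-level point made in the reply above, as an added example (not part of the thread, and not CXF, Jetty or Tomcat code): a plain JSSE server socket has its cipher suites narrowed by include/exclude patterns before any connection is accepted, which is the layer a container's cipher setting acts on. The class name and the patterns are constructed for this illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;

public class CipherFilterDemo {
    // Constructed example patterns: allow only AEAD (GCM) suites,
    // then drop anything unauthenticated, export-grade or legacy.
    static final List<Pattern> INCLUDE = List.of(Pattern.compile("TLS_.*_GCM_.*"));
    static final List<Pattern> EXCLUDE = List.of(
            Pattern.compile(".*_(NULL|anon|EXPORT|DES|RC4)_.*"));

    // Keep a suite only if it matches an include pattern and no exclude pattern.
    static String[] filter(String[] supported) {
        List<String> kept = new ArrayList<>();
        for (String suite : supported) {
            boolean in = INCLUDE.stream().anyMatch(p -> p.matcher(suite).matches());
            boolean out = EXCLUDE.stream().anyMatch(p -> p.matcher(suite).matches());
            if (in && !out) kept.add(suite);
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String[] allowed = filter(ctx.getSupportedSSLParameters().getCipherSuites());
        // Fail closed: an empty list would leave the listener unable to negotiate.
        if (allowed.length == 0) {
            throw new IllegalStateException("filter removed every cipher suite");
        }

        // Port 0 picks an ephemeral port; the socket exists only to show
        // that the restriction is a property of the TLS listener itself.
        try (SSLServerSocket server = (SSLServerSocket)
                ctx.getServerSocketFactory().createServerSocket(0)) {
            SSLParameters params = server.getSSLParameters();
            params.setCipherSuites(allowed);
            server.setSSLParameters(params);
            // These are the only suites a handshake on this listener can select;
            // code running above the socket sees the request after this choice is made.
            for (String suite : server.getEnabledCipherSuites()) {
                System.out.println(suite);
            }
        }
    }
}
```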