manifoldcf-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jörn Franke <jornfra...@gmail.com>
Subject Re: CSWS Connector : ServiceConstructionException: Failed to create service
Date Wed, 15 Jan 2020 10:16:33 GMT
Hi Karl,

No it does not. I can look into that further, but Current browsers stop supporting anything
below TLSv1.2 in March 2020.
Then TLS exists since more than ten years. I expect any server running nowadays will always
have tls support.
SSL itself is not supported since some time now. From a security perspective it should even
break servers that run only SSL as they are inherently insecure and also clients that only
support SSL are adding to this.
However if you have an idea how this should be made configurable then I can look into this.


Best regards 

> Am 15.01.2020 um 10:52 schrieb Karl Wright <daddywri@gmail.com>:
> 
> 
> Hi,
> 
> Mcf currently requires jdk8.  Jdk11 is non trivial to support because of the removal
of many jdk classes connectors need.  It will be ported at some point but not lightly.
> 
> Similarly, disabling SSL would certainly break many installations upon upgrade  and we
do not do that lightly.
> 
> The core methods that mcf supplies its connectors should therefore be updated to support
but not mandate tls.  The protocol specification one gives to sslcontext is not a detailed
one but rather a major version.  What I don't know is whether"tlsv1" also allows for older
protocols etc.
> 
> Karl
> 
>> On Wed, Jan 15, 2020, 1:19 AM Jörn Franke <jornfranke@gmail.com> wrote:
>> Yes I am doing that but I will need to rebuild.
>> I don’t recommend TLSv1 - this is already outphased and will lock out TLSv1.2.
I try TLS only as it includes all TLS protocols (depends on JDK).
>> 
>> SSL will not be supported by this (however as I said there are other parts of the
code where there is a getInstance(TLS). And some caveats: On JDK6+7 TLS only means TLSv1 (and
newer TLS Protocols are deactivated) on JDK8 it means also that newer TLS protocols are enabled.
>> To be honest in my opinion - a SSL only one is a significant security hole and given
how old TLS support is JDK i would be surprised if there is someone using such a server (most
Organisations should switch to TLSv1.2 in any case as all protocols below have been broken).

>> While it works for all JDKs - probably JDK8 should be recommended as it seems to
have all TLS protocols activated when using „TLS“. Older JDKs seem to deactivate TLSv1.1
and TLSv1.2 when using TLS. I will write more about this in the JIRA, once I verified that
this solves the problem. 
>> Then TLSv1.3 is JDK11 only - I will investigate what that implies.
>> Does ManifoldCf supports JDK11?
>> 
>>>> Am 15.01.2020 um 00:08 schrieb Karl Wright <daddywri@gmail.com>:
>>>> 
>>> 
>>> I think you can just change the code to read as follows when it creates the SSLContext:
>>> 
>>> SSLContext ctx = SSLContext.getInstance("TLSv1");
>>> 
>>> I don't know if TLS will downgrade to SSL if that's all that's available.
>>> 
>>> Karl
>>> 
>>> 
>>>> On Tue, Jan 14, 2020 at 6:02 PM Jörn Franke <jornfranke@gmail.com>
wrote:
>>>> Yes it you do not change this setting as what I suspect happens here. See
my previous mail for details.
>>>> 
>>>>>> Am 14.01.2020 um 23:51 schrieb Karl Wright <daddywri@gmail.com>:
>>>>>> 
>>>>> 
>>>>> It looks looks TLS is actually enabled in the SSLSocketFactory framework
based on how you create the SSLSocketContext.  See:
>>>>> 
>>>>> https://docs.oracle.com/cd/E19698-01/816-7609/security-83/index.html

>>>>> 
>>>>> Karl
>>>>>  
>>>>> 
>>>>>> On Tue, Jan 14, 2020 at 5:48 PM Karl Wright <daddywri@gmail.com>
wrote:
>>>>>> The design of ManifoldCF deliberately manages keystores on a connection
by connection basis, not globally.  If you think the only way to implement TLS is via global
keystore I very much doubt it.
>>>>>> 
>>>>>> I am on the road until late tomorrow but somewhere along the line
I can do some research into why TLS won't work as we are currently doing it.
>>>>>> 
>>>>>> Karl
>>>>>> 
>>>>>> 
>>>>>>> On Tue, Jan 14, 2020 at 12:56 PM Jörn Franke <jornfranke@gmail.com>
wrote:
>>>>>>> These are TLS only. So maybe you have other servers where tls
and ssl are possible and it downgrades to ssl.however, this is speculation and I need to verify
it. I have to rebuilt manifold for that. Probably I have to reinstall everything as the keystorefactory
is a dependency in the connector.
>>>>>>> 
>>>>>>>>> Am 14.01.2020 um 18:34 schrieb Karl Wright <daddywri@gmail.com>:
>>>>>>>>> 
>>>>>>>> 
>>>>>>>> If you can recommend changes to support TLS, that would be
great.  The basic infrastructure should still work; it is just a custom keystone and associated
SSLSocketFactory, which I think also is used for TLS connections, unless I am missing something.
>>>>>>>> 
>>>>>>>>> On Tue, Jan 14, 2020, 9:38 AM Jörn Franke <jornfranke@gmail.com>
wrote:
>>>>>>>>> Yes this works fine. I believe the error comes from the
fact that TLS connections are not supported. 
>>>>>>>>> 
>>>>>>>>>>> Am 14.01.2020 um 15:31 schrieb Michael Cizmar
<michael.cizmar@mcplusa.com>:
>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> If you want to test the url and the ssl, I would
recommend attempting using SSLPoke to confirm that they keystore is setup properly:
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>> https://github.com/MichalHecko/SSLPoke
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>> Michael
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>> From: Karl Wright <daddywri@gmail.com>
>>>>>>>>>> Reply-To: "user@manifoldcf.apache.org" <user@manifoldcf.apache.org>
>>>>>>>>>> Date: Tuesday, January 14, 2020 at 7:21 AM
>>>>>>>>>> To: "user@manifoldcf.apache.org" <user@manifoldcf.apache.org>
>>>>>>>>>> Subject: Re: CSWS Connector : ServiceConstructionException:
Failed to create service
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>> Hmm, others have succeeded setting up SSL connections
with the current code.  Hoping they chime in here.
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>> Karl
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>> On Tue, Jan 14, 2020, 8:19 AM Jörn Franke <jornfranke@gmail.com>
wrote:
>>>>>>>>>> 
>>>>>>>>>> It seems that it has indeed a certificate issue as
it cannot find a valid certification path to the target. The thing is: I added those certificates
in the UI should it should not happen.
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> Am 10.01.2020 um 20:51 schrieb Jörn Franke <jornfranke@gmail.com>:
>>>>>>>>>> 
>>>>>>>>>> 2.15 ...
>>>>>>>>>> 
>>>>>>>>>> I will try on the weekend to see if I can get some
logs out of it. 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> Am 10.01.2020 um 19:02 schrieb Karl Wright <daddywri@gmail.com>:
>>>>>>>>>> 
>>>>>>>>>> Can I ask what version of MCF you are using?  There
were issues with SSL in the first release of the csws connector if I recall correctly, that
were fixed for the second release.
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>> Karl
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>> On Fri, Jan 10, 2020 at 11:42 AM Jörn Franke <jornfranke@gmail.com>
wrote:
>>>>>>>>>> 
>>>>>>>>>> I added root, intermediate and server certificate
(in base64 cer, it seems to be recognized by manifoldcf), but I still get the same message.
I will try to get somehow the full stacktrace 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> Am 10.01.2020 um 17:21 schrieb Karl Wright <daddywri@gmail.com>:
>>>>>>>>>> 
>>>>>>>>>> If you are using SSL you need to have the proper
certificate saved in the connection's keystore.
>>>>>>>>>> 
>>>>>>>>>> Karl
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>> On Fri, Jan 10, 2020 at 11:20 AM Jörn Franke <jornfranke@gmail.com>
wrote:
>>>>>>>>>> 
>>>>>>>>>> It is actually a server using configuration of the
command - driven multi-process model (but the agents executed as a service and the war on
a tomcat executed as a service) under Linux.
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>> I thought as well that it cannot reach the webservices,
the question is why. On the same server I can reach the webservices and fetch the WSDL without
issues.
>>>>>>>>>> 
>>>>>>>>>> Maybe sth related to ssl ?
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> Am 10.01.2020 um 14:59 schrieb Karl Wright <daddywri@gmail.com>:
>>>>>>>>>> 
>>>>>>>>>> How are you running manifoldcf?  Single process example,
or a custom setup of some kind?
>>>>>>>>>> 
>>>>>>>>>> This exception is a "catch all" exception generated
far below anything in ManifoldCF, but usually means it cannot download the WSDLs from the
service.  Getting the full exception dumped in the log requires a "hack" to the check() method
of the connector, but I'm pretty sure that's what's happening anyway.
>>>>>>>>>> 
>>>>>>>>>> Karl
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>> On Fri, Jan 10, 2020 at 8:50 AM Jörn Franke <jornfranke@gmail.com>
wrote:
>>>>>>>>>> 
>>>>>>>>>> Hi,
>>>>>>>>>> 
>>>>>>>>>> I tried to use the CSWS connector, but already for
the Authority connection I receive a org.apache.cxf.service.factory.ServiceConstructionException:
Failed to create service.
>>>>>>>>>> 
>>>>>>>>>> Unfortunately I don’t see more details , also not
in the log (debug is activated). I try to get a little bit more output by modifying the connector,
but maybe someone has already an idea why this can happen?
>>>>>>>>>> 
>>>>>>>>>> Are there some special instructions to use it? The
pointers to the webservices are correct, I tested via Curl and SOAPUI.
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> Thank you.
>>>>>>>>>> Best regards

Mime
View raw message