How to configure a CXF endpoint to only support a specific version of TLS/SSL?
Environment
- JBoss Fuse 6.1
Issue
How can I configure a CXF endpoint to only support TLSv1.2 and not any earlier version of TLS or SSL?
Resolution
Configuring a specific version of TLS is possible from JBoss Fuse 6.1 rollup 2 onwards. Earlier versions of JBoss Fuse do not allow you to explicitly configure which TLS/SSL versions the CXF server accepts.
JBoss Fuse 6.1 rollup 1 patch 1 already disables support for SSLv3 to protect against the POODLE SSL vulnerability, but it does not allow you to explicitly configure a specific TLS/SSL version. You can read more about it in KCS 1237613.
The improvement ENTESB-2455 is only implemented from JBoss Fuse 6.1 rollup 2 onwards. It backports CXF-6087 to JBoss Fuse 6.1.
The documentation at http://cxf.apache.org/docs/tls-configuration.html seems to suggest that setting secureSocketProtocol as in
<httpj:tlsServerParameters secureSocketProtocol="TLSv1.2">
on a CXF endpoint configuration explicitly restricts the server to the desired TLS version. This is not the case.
Setting secureSocketProtocol makes CXF obtain an SSL context/provider that supports TLSv1.2, but it does not restrict that provider to TLSv1.2 only. The provider almost certainly enables lower TLS versions such as TLSv1.1 and TLSv1 as well (SSLv3 is already disabled by the fix for ENTESB-2134).
With the fix for ENTESB-2455 / CXF-6087 in JBoss Fuse 6.1 rollup 2, it is possible to explicitly exclude TLS/SSL versions in a CXF endpoint configuration using the excludeProtocols XML element:
<sec:excludeProtocols>
<sec:excludeProtocol>TLSv1.1</sec:excludeProtocol>
<sec:excludeProtocol>TLSv1</sec:excludeProtocol>
<sec:excludeProtocol>SSLv3</sec:excludeProtocol>
</sec:excludeProtocols>
This configuration removes SSLv3, TLSv1 and TLSv1.1 from the protocols enabled on the CXF server's SSL engine, so TLSv1.2 is the only version the server will negotiate. Note that excludeProtocols is a deny list: any protocol version the JSSE provider enables by default and that is not listed here stays enabled.
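As an added example (not part of the original solution or of the attached test case), the following is a complete Jetty HTTPS engine configuration for a CXF 3.0.3 / JBoss Fuse 6.1 rollup 2 server that shows where the excludeProtocols element sits relative to secureSocketProtocol and the rest of tlsServerParameters. The port, keystore file names, passwords and cipher suite filter are placeholders; the same httpj: and sec: elements are used in a Blueprint file.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: CXF Jetty HTTPS engine restricted to TLSv1.2.
     Port, keystore locations and passwords are placeholders. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/configuration/security
         http://cxf.apache.org/schemas/configuration/security.xsd
         http://cxf.apache.org/transports/http-jetty/configuration
         http://cxf.apache.org/schemas/configuration/http-jetty.xsd">

  <httpj:engine-factory bus="cxf">
    <httpj:engine port="9001">
      <!-- secureSocketProtocol alone is NOT sufficient: the provider it
           selects still enables TLSv1 and TLSv1.1 by default. -->
      <httpj:tlsServerParameters secureSocketProtocol="TLSv1.2">

        <!-- Server identity (placeholder keystore). -->
        <sec:keyManagers keyPassword="changeit">
          <sec:keyStore type="JKS" password="changeit" file="certs/serverstore.jks"/>
        </sec:keyManagers>

        <!-- Trust anchors for client certificates, if client auth is used. -->
        <sec:trustManagers>
          <sec:keyStore type="JKS" password="changeit" file="certs/truststore.jks"/>
        </sec:trustManagers>

        <!-- Optional: also prune weak cipher suites (placeholder patterns). -->
        <sec:cipherSuitesFilter>
          <sec:include>.*_WITH_AES_.*</sec:include>
          <sec:exclude>.*_WITH_NULL_.*</sec:exclude>
          <sec:exclude>.*_anon_.*</sec:exclude>
        </sec:cipherSuitesFilter>

        <!-- The actual fix: remove every legacy version so that only
             TLSv1.2 remains enabled on the server SSL engine. -->
        <sec:excludeProtocols>
          <sec:excludeProtocol>SSLv3</sec:excludeProtocol>
          <sec:excludeProtocol>TLSv1</sec:excludeProtocol>
          <sec:excludeProtocol>TLSv1.1</sec:excludeProtocol>
        </sec:excludeProtocols>

        <sec:clientAuthentication want="false" required="false"/>
      </httpj:tlsServerParameters>
    </httpj:engine>
  </httpj:engine-factory>

</beans>
```

The child elements of tlsServerParameters are an ordered sequence in security.xsd, so keep excludeProtocols after cipherSuitesFilter and before clientAuthentication as shown, otherwise the configuration fails schema validation at startup. Because excludeProtocols is a deny list, re-check it whenever the JDK is upgraded: a newer provider may enable protocol versions that did not exist when the list was written.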
Root Cause
Improvement https://issues.jboss.org/browse/ENTESB-2455 relates to https://issues.apache.org/jira/browse/CXF-6087.
Diagnostic Steps
A standalone CXF 3.0.3 based test case is attached as wsdl_first_https_tlsv1.2-3.0.3.tgz; it needs to be placed inside the samples folder of an Apache CXF 3.0.3 installation.
The embedded README.txt explains the demo.
When the server is started with this configuration (mvn -Pserver), it accepts connections only over TLSv1.2, as can be verified with OpenSSL:
# works: the handshake completes and s_client prints "Protocol  : TLSv1.2"
openssl s_client -connect localhost:9001 -showcerts -debug -tls1_2
# fails: the handshake is aborted and s_client prints "Cipher is (NONE)"
openssl s_client -connect localhost:9001 -showcerts -debug -tls1_1
openssl s_client -connect localhost:9001 -showcerts -debug -tls1
openssl s_client -connect localhost:9001 -showcerts -debug -ssl3
# Note: an OpenSSL build compiled without SSLv3 (or TLSv1) support rejects the
# -ssl3 (or -tls1) option itself; that is a client-side error, not evidence
# that the server refused the protocol. Use a build that still offers the
# legacy version when testing the negative cases.
Starting the CXF server with -Djavax.net.debug=all added to $MAVEN_OPTS makes it log details of the SSL handshake as well, including the negotiated TLS version and the list of protocols enabled on the server side.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.