Quarkus CXF 3.16.0 release notes
Important dependency upgrades
-
Quarkus 3.15.x → 3.16.0 - release notes
New and noteworthy in Quarkus CXF
#1486 TLS Registry support
Quarkus TLS registry is an extension provided by Quarkus that centralizes the TLS configuration, making it easier to manage and maintain secure connections across your application.
|
|
This is the new recommended way of configuring trust stores, keystores and other TLS/SSL related settings in Quarkus CXF 3.16.0+:
# Define a TLS configuration with name "hello-tls" (1)
quarkus.tls.hello-tls.trust-store.p12.path = client-truststore.pkcs12
quarkus.tls.hello-tls.trust-store.p12.password = client-truststore-password
# Basic client settings
quarkus.cxf.client.hello.client-endpoint-url = https://localhost:${quarkus.http.test-ssl-port}/services/hello
quarkus.cxf.client.hello.service-interface = io.quarkiverse.cxf.it.security.policy.HelloService
# Use "hello-tls" defined above for this client
quarkus.cxf.client.hello.tls-configuration-name = hello-tls| 1 | The referenced client-truststore.pkcs12 file has to be available either in the classpath
or in the file system. |
The new way of configuring TLS is optimized for the new Vert.x based CXF clients. For those, all client-related options provided by Quarkus TLS registry are supported.
The named TLS configurations provided by TLS registry can be also used for CXF clients having http-conduit-factory set to
URLConnectionHTTPConduitFactory, HttpClientHTTPConduitFactory or with
Async CXF clients on top of Apache HttpClient 5.
However, in those cases, the following TLS options are not supported and using them will lead to an exception at runtime:
The older way of configuring client trust stores and key stores is still supported, but deprecated since Quarkus CXF 3.16.0:
# Deprecated way of setting the client trust store
quarkus.cxf.client.hello.trust-store-type = pkcs12
quarkus.cxf.client.hello.trust-store = client-truststore.pkcs12
quarkus.cxf.client.hello.trust-store-password = client-truststore-passwordVert.x HttpClient based HTTP Conduit is the new default
Vert.x HttpClient based HTTP Conduit was introduced in Quarkus CXF 3.13.0.
Its usage was optional through setting the VertxHttpClientHTTPConduitFactory on either of the options
quarkus.cxf.client."client-name".http-conduit-factory or
quarkus.cxf.http-conduit-factory:
# Before Quarkus CXF 3.16.0, VertxHttpClientHTTPConduitFactory had to be set explicitly
# Set the HTTPConduitFactory per-client
quarkus.cxf.client."client-name".http-conduit-factory = VertxHttpClientHTTPConduitFactory
# Set the HTTPConduitFactory globally
quarkus.cxf.http-conduit-factory = VertxHttpClientHTTPConduitFactorySince then, it went through some improvements and testing so that we are now confident to make it default.
The main motivations for using Vert.x HttpClient based HTTP Conduit as a default are as follows:
-
Support for HTTP/2
-
Seamless integration with Quarkus, especially in the areas of worker thread poolling and SSL/TLS configuration.
Force the old default
Before this change, the effective default was URLConnectionHTTPConduitFactory.
It is still supported and tested regularly.
There are three ways how you can get back to the old default:
-
Set the
QUARKUS_CXF_DEFAULT_HTTP_CONDUIT_FACTORYenvironment variable toURLConnectionHTTPConduitFactory -
Set the global quarkus.cxf.http-conduit-factory option to
URLConnectionHTTPConduitFactory -
Set the per client quarkus.cxf.client."client-name".http-conduit-factory option to
URLConnectionHTTPConduitFactory
Hostname verifiers not supported in combination with VertxHttpClientHTTPConduitFactory
Since Quarkus CXF 3.16.0, setting
quarkus.cxf.client."client-name".hostname-verifier
together with using the default VertxHttpClientHTTPConduitFactory leads to an exception at runtime.
The AllowAllHostnameVerifier value of that option can be replaced by using a
named TLS configuration
with hostname-verification-algorithm
set to NONE.
Here is an example: if your configuration before Quarkus CXF 3.16.0 was as follows
# A configuration that worked before Quarkus CXF 3.16.0
quarkus.cxf.client.helloAllowAll.client-endpoint-url = https://localhost:8444/services/hello
quarkus.cxf.client.helloAllowAll.service-interface = io.quarkiverse.cxf.it.security.policy.HelloService
quarkus.cxf.client.helloAllowAll.trust-store = client-truststore.pkcs12
quarkus.cxf.client.helloAllowAll.trust-store-password = secret
quarkus.cxf.client.helloAllowAll.hostname-verifier = AllowAllHostnameVerifierthen an equivalent configuration for Quarkus CXF 3.16.0+ is
# An equivalent configuration for Quarkus CXF 3.16.0+
quarkus.tls.helloAllowAll.trust-store.p12.path = client-truststore.pkcs12
quarkus.tls.helloAllowAll.trust-store.p12.password = secret
quarkus.tls.helloAllowAll.hostname-verification-algorithm = NONE
quarkus.cxf.client.helloAllowAll.client-endpoint-url = https://localhost:8444/services/hello
quarkus.cxf.client.helloAllowAll.service-interface = io.quarkiverse.cxf.it.security.policy.HelloService
quarkus.cxf.client.helloAllowAll.tls-configuration-name = helloAllowAllDocumentation improvements
-
The following security related pages were consolidated into a new Security guide:
-
SSL, TLS and HTTPS - updated with the information about using TLS registry
-