WSP0075: Policy assertion “TransportBinding” was evaluated as “UNKNOWN”. Why?

Question

I am a client to a SOAP service I do not control (implemented in .NET). The service provides a WSDL. I use Apache CXF to generate the java client from the WSDL (specifically, I

Answer 1

I can reproduce this issue with the Express-1 label service:

2014-09-10 22:15:29.601  WARN 6564 --- [           main] c.s.x.i.w.w.EffectiveAlternativeSelector : WSP0075: Policy assertion "{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}TransportBinding" was evaluated as "UNKNOWN".                                              
2014-09-10 22:15:29.602  WARN 6564 --- [           main] c.s.x.i.w.w.EffectiveAlternativeSelector : WSP0019: Suboptimal policy alternative selected on the client side with fitness "UNKNOWN".                                                                                  

I believe the problem is that the policy you inline above requires Basic256 message encryption, but the service's SSL encryption is weaker.

For example, check out this WSDL:

https://service.express1.com/Services/EwsLabelService.svc?wsdl

At the very top you will see a policy identical to the one you give. But then if you look at the site's SSL cert, it is using AES_128_CBC, which is only 128-bit encryption.

See http://specs.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.pdf, sections 7.1, 8.1 and 8.3 for information about TransportBinding policies and algorithm suites. I believe that the warning is saying is that the policy requires 256-bit encryption, but because the service doesn't support it, the client is choosing a weaker encryption algorithm in its place.

As this is a problem on the service side, probably the best way to fix it is to notify the party responsible for the service of the issue.