commons-user mailing list archives

From ol...@bluewin.ch
Subject Re: [HttpClient] Unsigned Certificates & EasySSLProtocolSocketFactory
Date Tue, 11 May 2004 16:19:13 GMT
Dennis

> sun.security.validator.ValidatorException: No trusted certificate found

As you can see from the error message above, the verification of the certificate
chain has been delegated to the standard Sun certificate validator, which
does not quite like 'home-made' certificates.

The EasyX509TrustManager and EasySSLProtocolSocketFactory classes have never
been intended for use without adjustments to the specific requirements of individual
applications. That's why these classes are not part of the standard HttpClient
library in the first place.

In its stock implementation EasyX509TrustManager checks the length of the
certificate chain. If the certificate chain consists of more than one certificate,
EasyX509TrustManager passes control to the standard trust manager and
washes its hands of it. See the code below.

    /**
     * @see com.sun.net.ssl.X509TrustManager#isServerTrusted(X509Certificate[])
     */
    public boolean isServerTrusted(X509Certificate[] certificates) {
        if ((certificates != null) && LOG.isDebugEnabled()) {
            LOG.debug("Server certificate chain:");
            for (int i = 0; i < certificates.length; i++) {
                LOG.debug("X509Certificate[" + i + "]=" + certificates[i]);
            }
        }
        if ((certificates != null) && (certificates.length == 1)) {
            X509Certificate certificate = certificates[0];
            try {
                certificate.checkValidity(); 
            }
            catch (CertificateException e) {
                LOG.error(e.toString());
                return false;
            }
            return true;
        } else {
            return this.standardTrustManager.isServerTrusted(certificates);
        }
    }

Apparently the target server uses a little more complicated setup than a
trivial self-signed certificate. You should carefully analyze the security
requirements of your application and modify EasyX509TrustManager to meet
your specific needs (for instance, by ensuring that all the certificates in
the certificate chain are trusted, that is, signed by a trusted CA). In the
most extreme case, if you really do not care about SSL authentication, you
may choose to trust all certificates by making isServerTrusted always return
true.

Hope this helps

Oleg


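The "ensure the whole chain is signed by a trusted CA" option from the reply above, as an added example that is not part of HttpClient's contrib package or of the original thread. It uses the modern javax.net.ssl.X509TrustManager interface (not the com.sun.net.ssl one the stock class implements) and assumes a hypothetical PEM file holding the private CA or the self-signed server certificate; the standard validator then does the signature and validity checks against that anchor alone, so a one-certificate chain is accepted only when it is the anchor itself.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Trust manager that validates the complete server chain against one private
 * anchor (a private CA or a self-signed server cert) instead of waving through
 * any single unsigned certificate the way EasyX509TrustManager does.
 * Hypothetical example class; caPemPath is an assumed input.
 */
public class PrivateCaTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;

    public PrivateCaTrustManager(String caPemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate anchor;
        try (InputStream in = new FileInputStream(caPemPath)) {
            anchor = (X509Certificate) cf.generateCertificate(in);
        }
        // Fresh in-memory keystore: only our anchor, nothing from the JDK cacerts file.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("private-ca", anchor);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        delegate = found;
    }

    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
        // Standard PKIX validation: signatures, validity dates and basic constraints
        // along the whole chain, terminating at our private anchor.
        delegate.checkServerTrusted(chain, authType);
    }
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { delegate.checkClientTrusted(chain, authType); }
    public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
}
```

Plug it into an SSLContext (SSLContext.getInstance("TLS").init(null, new TrustManager[]{tm}, null)) in your socket factory; a server presenting a certificate not chained to the anchor is rejected with the same ValidatorException, which is the intended outcome rather than a failure to work around.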

>-- Original Message --
>Reply-To: "Jakarta Commons Users List" <commons-user@jakarta.apache.org>
>From: Dennis Crall <dennis-crall@uiowa.edu>
>Subject: Re: [HttpClient] Unsigned Certificates & EasySSLProtocolSocketFactory
>Date: Tue, 11 May 2004 10:52:30 -0500
>To: "Jakarta Commons Users List" <commons-user@jakarta.apache.org>
>
>
>
>Oleg,
>
>Thank you very much. I now have EasySSLProtocolSocketFactory compiling.
>
>However, I am still getting the same exception:
>
>javax.net.ssl.SSLHandshakeException:  
>sun.security.validator.ValidatorException: No trusted certificate found
>
>The code I'm using is as follows. The instructions seemed pretty
>straightforward. Do you see anything wrong? (The server I'm connecting
>to is using port 444).
>
>Protocol easyhttps = new Protocol( "https", new  
>EasySSLProtocolSocketFactory(), 444 );
>HttpClient client = new HttpClient();
>client.getHostConfiguration().setHost("remote.host", 444, easyhttps);
>HttpMethod method = new GetMethod( fullURL );
>
>Thank you for your help,
>
>Dennis
>
>
>
>On May 11, 2004, at 9:55 AM, olegk@bluewin.ch wrote:
>
>> Dennis
>>
>> There are two branches of HttpClient: 2.0 (stable) and development (unstable,
>> which will eventually become 3.0). The SSL guide unfortunately points at
>> the development branch (HEAD) instead of (HTTPCLIENT_2_0_BRANCH). I was long
>> going to fix the problem but there had always been more pressing issues I
>> needed to turn my attention to. I'll do my (very) best to fix the SSL guide
>> tonight. Meanwhile use the link below to get the 2.0 version of the easy
>> SSL protocol factory:
>>
>> http://cvs.apache.org/viewcvs.cgi/jakarta-commons/httpclient/src/contrib/org/apache/commons/httpclient/contrib/ssl/?only_with_tag=HTTPCLIENT_2_0_BRANCH
>>
>> Oleg
>>
>>
>>> -- Original Message --
>>> Reply-To: "Jakarta Commons Users List" <commons-user@jakarta.apache.org>
>>> To: Jakarta Commons <commons-user@jakarta.apache.org>
>>> From: Dennis Crall <dennis-crall@uiowa.edu>
>>> Subject: [HttpClient] Unsigned Certificates & EasySSLProtocolSocketFactory
>>> Date: Tue, 11 May 2004 09:44:32 -0500
>>>
>>>
>>> Hi,
>>>
>>> I'm having problems getting HttpClient to work with unsigned
>>> certificates over https. Using HttpClient right out of the box, I get
>>> the following exception:
>>>
>>> javax.net.ssl.SSLHandshakeException:
>>> sun.security.validator.ValidatorException: No trusted certificate found
>>>
>>> So I looked at the documentation a bit more carefully and discovered
>>> EasySSLProtocolSocketFactory. This class apparently solves my problem,
>>> but I can not get it to compile. Nor can I get EasyX509TrustManager to
>>> compile. Strangely enough the compiler is telling me that certain
>>> classes in HttpClient do not exist. Specifically, the following five
>>> lines:
>>>
>>> import org.apache.commons.httpclient.ConnectTimeoutException;
>>> import org.apache.commons.httpclient.HttpClientError;
>>> import org.apache.commons.httpclient.params.HttpConnectionParams;
>>> import org.apache.commons.httpclient.protocol.ControllerThreadSocketFactory;
>>> import org.apache.commons.httpclient.protocol.ReflectionSocketFactory;
>>>
>>> And this is from within a project where I can build the
>>> HttpClientTutorial with no problem. So I guess my questions are:
>>>
>>> 1.) Is there anywhere I can download a jar of the
>>> org.apache.commons.httpclient.contrib.ssl package?
>>>
>>> 2.) Is there an obvious reason why the compiler is not seeing the
>>> classes listed above? Is EasySSLProtocolSocketFactory compatible with
>>> HttpClient 2.0? I am working with HttpClient 2.0 on Mac OS X 10.3 and
>>> Java 1.4.1.
>>>
>>> Any advice is appreciated,
>>>
>>> Dennis Crall
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: commons-user-unsubscribe@jakarta.apache.org
>>> For additional commands, e-mail: commons-user-help@jakarta.apache.org
>>>
>>
>>



