commons-user mailing list archives

From Dennis Crall <dennis-cr...@uiowa.edu>
Subject Re: [HttpClient] Unsigned Certificates & EasySSLProtocolSocketFactory
Date Tue, 11 May 2004 18:12:16 GMT
Oleg,

It turns out I was missing a step and EasySSLSocketFactory was not  
being called at all. Everything worked perfectly once I added the  
following line to my code:

Protocol.registerProtocol( "https", easyhttps );

And just for the archive, here is what my final code looks like. It  
would be nice if the sample code also showed the registerProtocol()  
step.

Protocol easyhttps = new Protocol("https", new EasySSLProtocolSocketFactory(), 443);
Protocol.registerProtocol("https", easyhttps);
HttpClient client = new HttpClient();
client.getHostConfiguration().setHost("remote.host", 443, easyhttps);
HttpMethod method = new GetMethod(fullURL);

And thanks once again for your help. It was invaluable. Also,  
HttpClient is wonderful.

Regards,

Dennis

On May 11, 2004, at 11:19 AM, olegk@bluewin.ch wrote:

> Dennis
>
>> sun.security.validator.ValidatorException: No trusted certificate  
>> found
>
> As you can see from the error message above, the verification of the
> certificate chain has been delegated to Sun's standard certificate
> validator, which does not quite like 'home-made' certificates.
>
> The EasyX509TrustManager and EasySSLProtocolSocketFactory classes have
> never been intended for use without adjustments to the specific
> requirements of individual applications. That's why these classes are not
> part of the standard HttpClient library in the first place.
>
> In its stock implementation EasyX509TrustManager checks the length of the
> certificate chain. If the certificate chain consists of more than one
> certificate, the EasyX509TrustManager passes control to the standard trust
> manager and washes its hands. See the code below.
>
>     /**
>      * @see com.sun.net.ssl.X509TrustManager#isServerTrusted(X509Certificate[])
>      */
>     public boolean isServerTrusted(X509Certificate[] certificates) {
>         if ((certificates != null) && LOG.isDebugEnabled()) {
>             LOG.debug("Server certificate chain:");
>             for (int i = 0; i < certificates.length; i++) {
>                 LOG.debug("X509Certificate[" + i + "]=" + certificates[i]);
>             }
>         }
>         // A one-element chain (a self-signed server certificate) is accepted
>         // on its validity dates alone; longer chains are handed to the
>         // standard trust manager.
>         if ((certificates != null) && (certificates.length == 1)) {
>             X509Certificate certificate = certificates[0];
>             try {
>                 certificate.checkValidity();
>             }
>             catch (CertificateException e) {
>                 LOG.error(e.toString());
>                 return false;
>             }
>             return true;
>         } else {
>             return this.standardTrustManager.isServerTrusted(certificates);
>         }
>     }
>
> Apparently the target server uses a little more complicated setup than a
> trivial self-signed certificate. You should carefully analyze the security
> requirements of your application and modify the EasyX509TrustManager to
> meet your specific needs (for instance, by ensuring that all the
> certificates in the certificate chain are trusted, that is, signed by a
> trusted CA). In the most extreme case, if you really do not care about SSL
> authentication, you may choose to trust all certificates by making
> isServerTrusted always return true.
>
> Hope this helps
>
> Oleg
>
>
>
>> -- Original Message --
>> Reply-To: "Jakarta Commons Users List"  
>> <commons-user@jakarta.apache.org>
>> From: Dennis Crall <dennis-crall@uiowa.edu>
>> Subject: Re: [HttpClient] Unsigned Certificates &  
>> EasySSLProtocolSocketFactory
>> Date: Tue, 11 May 2004 10:52:30 -0500
>> To: "Jakarta Commons Users List" <commons-user@jakarta.apache.org>
>>
>>
>>
>> Oleg,
>>
>> Thank you very much. I now have EasySSLProtocolSocketFactory
>> compiling.
>>
>> However, I am still getting the same exception:
>>
>> javax.net.ssl.SSLHandshakeException:
>> sun.security.validator.ValidatorException: No trusted certificate  
>> found
>>
>> The code I'm using is as follows. The instructions seemed pretty
>> straightforward. Do you see anything wrong? (The server I'm connecting
>> to is using port 444.)
>>
>> Protocol easyhttps = new Protocol("https", new EasySSLProtocolSocketFactory(), 444);
>> HttpClient client = new HttpClient();
>> client.getHostConfiguration().setHost("remote.host", 444, easyhttps);
>> HttpMethod method = new GetMethod(fullURL);
>>
>> Thank you for your help,
>>
>> Dennis
>>
>>
>>
>> On May 11, 2004, at 9:55 AM, olegk@bluewin.ch wrote:
>>
>>> Dennis
>>>
>>> There are two branches of HttpClient: 2.0 (stable) and development
>>> (unstable, which will eventually become 3.0). The SSL guide
>>> unfortunately points at the development branch (HEAD) instead of
>>> HTTPCLIENT_2_0_BRANCH. I had long been meaning to fix the problem, but
>>> there had always been more pressing issues I needed to turn my
>>> attention to. I'll do my (very) best to fix the SSL guide tonight.
>>> Meanwhile use the link below to get the 2.0 version of the easy SSL
>>> protocol factory:
>>>
>>> http://cvs.apache.org/viewcvs.cgi/jakarta-commons/httpclient/src/contrib/org/apache/commons/httpclient/contrib/ssl/?only_with_tag=HTTPCLIENT_2_0_BRANCH
>>>
>>> Oleg
>>>
>>>
>>>> -- Original Message --
>>>> Reply-To: "Jakarta Commons Users List"
>>>> <commons-user@jakarta.apache.org>
>>>> To: Jakarta Commons <commons-user@jakarta.apache.org>
>>>> From: Dennis Crall <dennis-crall@uiowa.edu>
>>>> Subject: [HttpClient] Unsigned Certificates &
>>>> EasySSLProtocolSocketFactory
>>>> Date: Tue, 11 May 2004 09:44:32 -0500
>>>>
>>>>
>>>> Hi,
>>>>
>>>> I'm having problems getting HttpClient to work with unsigned
>>>> certificates over https. Using HttpClient right out of the box, I get
>>>> the following exception:
>>>>
>>>> 	javax.net.ssl.SSLHandshakeException:
>>>> sun.security.validator.ValidatorException: No trusted certificate
>>>> found
>>>>
>>>> So I looked at the documentation a bit more carefully and discovered
>>>> EasySSLProtocolSocketFactory. This class apparently solves my problem,
>>>> but I cannot get it to compile. Nor can I get EasyX509TrustManager to
>>>> compile. Strangely enough the compiler is telling me that certain
>>>> classes in HttpClient do not exist. Specifically, the following five
>>>> lines:
>>>>
>>>> import org.apache.commons.httpclient.ConnectTimeoutException;
>>>> import org.apache.commons.httpclient.HttpClientError;
>>>> import org.apache.commons.httpclient.params.HttpConnectionParams;
>>>> import org.apache.commons.httpclient.protocol.ControllerThreadSocketFactory;
>>>> import org.apache.commons.httpclient.protocol.ReflectionSocketFactory;
>>>>
>>>> And this is from within a project where I can build the
>>>> HttpClientTutorial with no problem. So I guess my questions are:
>>>>
>>>> 1.) Is there anywhere I can download a jar of the
>>>> org.apache.commons.httpclient.contrib.ssl package?
>>>>
>>>> 2.) Is there an obvious reason why the compiler is not seeing the
>>>> classes listed above? Is EasySSLProtocolSocketFactory compatible  
>>>> with
>>>> HttpClient 2.0? I am working with HttpClient 2.0 on Mac OS X 10.3  
>>>> and
>>>> Java 1.4.1.
>>>>
>>>> Any advice is appreciated,
>>>>
>>>> Dennis Crall
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: commons-user-unsubscribe@jakarta.apache.org
>>>> For additional commands, e-mail: commons-user-help@jakarta.apache.org
>>>>
>>>
>>>
>
>




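For the archive, an added example that is not code from the thread, from HttpClient or from its contrib package. It takes the safer of the two routes Oleg describes: rather than letting EasyX509TrustManager accept any one-element chain on its validity dates alone (which, on a raw JSSE socket that performs no hostname check, means any host presenting any self-signed certificate is accepted as remote.host), it builds an in-memory trust store holding only the certificate exported from the server and hands that to the stock JSSE trust manager, so only the holder of that certificate's private key can complete the handshake. The host remote.host, port 444 and the HttpClient 2.0 Protocol/registerProtocol wiring come from the thread; the class name PinnedSSLProtocolSocketFactory, the certificate file remote.host.crt and the main() method are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

/**
 * HttpClient 2.0 secure socket factory that trusts exactly one certificate:
 * the one exported from the target server. Added example, not part of the
 * HttpClient contrib package; the class name is an assumption.
 */
public class PinnedSSLProtocolSocketFactory implements SecureProtocolSocketFactory {

    private final SSLSocketFactory factory;

    public PinnedSSLProtocolSocketFactory(InputStream serverCertPem)
            throws GeneralSecurityException, IOException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate serverCert = (X509Certificate) cf.generateCertificate(serverCertPem);

        // Empty in-memory trust store that holds only the pinned certificate.
        // Nothing from the JRE's cacerts is trusted through this factory.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("pinned-server", serverCert);

        // Stock JSSE trust manager: chain validation, signature and validity
        // checks all stay in place; only the set of trust anchors changes.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        this.factory = ctx.getSocketFactory();
    }

    public Socket createSocket(String host, int port, InetAddress clientHost, int clientPort)
            throws IOException, UnknownHostException {
        return factory.createSocket(host, port, clientHost, clientPort);
    }

    public Socket createSocket(String host, int port)
            throws IOException, UnknownHostException {
        return factory.createSocket(host, port);
    }

    public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
            throws IOException, UnknownHostException {
        return factory.createSocket(socket, host, port, autoClose);
    }

    public static void main(String[] args) throws Exception {
        // remote.host.crt is an assumed path: the server's certificate in PEM
        // form, exported once out of band and stored with the application.
        InputStream pem = new FileInputStream("remote.host.crt");
        Protocol pinnedHttps;
        try {
            pinnedHttps = new Protocol("https", new PinnedSSLProtocolSocketFactory(pem), 444);
        } finally {
            pem.close();
        }
        // The step that was missing in the thread: without registerProtocol()
        // the default https handler, and the default trust store, are used.
        Protocol.registerProtocol("https", pinnedHttps);

        HttpClient client = new HttpClient();
        client.getHostConfiguration().setHost("remote.host", 444, pinnedHttps);
        GetMethod method = new GetMethod("https://remote.host:444/");
        try {
            int status = client.executeMethod(method);
            System.out.println("HTTP status: " + status);
        } finally {
            method.releaseConnection();
        }
    }
}
```

The certificate can be captured once with `openssl s_client -connect remote.host:444 -showcerts` and pasted into remote.host.crt. If, as Oleg suspects, the server presents a chain of more than one certificate, pin the private CA certificate that issued it instead of the leaf; the stock trust manager then accepts any server certificate that CA signs and still rejects everything else. Unlike the "always return true" option mentioned above, a failed handshake here still surfaces as the same SSLHandshakeException, so a certificate rotation on the server is noticed rather than silently accepted.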