commons-user mailing list archives

From Julius Davies <juliusdav...@cucbc.com>
Subject Re: HttpClient getting a ValidatorException
Date Sun, 14 May 2006 01:18:57 GMT
Hi, Randy,

Probably your "https" server is using a self-signed certificate, or a CA
certificate that's not already inside Java's "cacerts" file.  There are
several workarounds I know of:

1.  You can import your server's public certificate into your client's
$JAVA_HOME/jre/lib/security/cacerts file (password is usually
"changeit").

2.  You can use httpclient sample code (under "contrib" in SVN) called
EasySSLProtocolSocketFactory.  It trusts all https servers.  It is
inappropriate for production environments.

3.  You can try using the httpclient sample code (under "contrib" in
SVN) called AuthSSLProtocolSocketFactory.  If you hand it a null client
keystore, but a good trust keystore, this can accomplish your goal.

But #2 and #3 are covered in httpclient's "SSL Guide":

http://jakarta.apache.org/commons/httpclient/sslguide.html

4.  Alternatively you can try using a library I'm working on.  This
library is quite beta, but also solves your problem:

http://juliusdavies.ca/commons-ssl/

In particular take a look at the instructions written out at the top of
my TrustSSLProtocolSocketFactory.java source file (hopefully my email
client doesn't wrap this line and break the link):

http://juliusdavies.ca/commons-ssl/src/java/org/apache/commons/httpclient/contrib/ssl/TrustSSLProtocolSocketFactory.java

Also, a command-line tool I developed should help you get your hands on
the https server's public certificate - whether you decide to import it
into cacerts, use AuthSSLProtocolSocketFactory, or use
"commons-ssl.jar".  It works a lot like OpenSSL's "s_client" tool.

java -jar commons-ssl.jar

"Ping" Utility Attempts "HEAD / HTTP/1.1" Request:
This utility is very handy because it can get you the server's public
certificate even if your client certificate is bad (so even though the SSL
handshake fails).  And unlike "openssl s_client", this utility can bind
against any IP address available.

Usage:  java -jar commons-ssl.jar [options]
Options:   (*=required)
*  -t  --target           [hostname[:port]]             default port=443
   -b  --bind             [hostname[:port]]             default port=0 "ANY"
   -r  --proxy            [hostname[:port]]             default port=80
   -c  --client-cert      [path to client certificate]  *.jks or *.pfx
   -p  --password         [client cert password]

Example:

java -jar commons-ssl.jar -t cucbc.com:443 -c ./client.pfx -p `cat ./pass.txt`


Good luck!


yours,

Julius

ps. to apache people:  I'm working with HttpClient to find a home for
this "commons-ssl" code.  I should have these two forms sent in very
soon:

http://www.apache.org/licenses/cla-corporate.txt

http://www.apache.org/licenses/icla.txt



On Sat, 2006-13-05 at 01:45 -0500, Randy Paries wrote:
> hello,
> if I connect to the site via http everything is cool, but if I connect
> using https I get the exception (see below)
> 
> the code snippet I am using is:
> 
> Thanks for any help
> =================================================================
>         HttpClient client = new HttpClient();
>         if ( port == 80){
>             client.getHostConfiguration().setHost(NodeName, 80, "http");
>         }else{
>             client.getHostConfiguration().setHost(NodeName, 443, "https");
>         }
> 
>         PostMethod authpost = new PostMethod(billMaxURL);
>         authpost.setRequestHeader("User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)");
> 
>         NameValuePair PFORM  = new NameValuePair("FORM", "updateacct");
>         NameValuePair PCIDX     = new NameValuePair("bmui_cidx", "-1");
>         authpost.setRequestBody( new NameValuePair[] {PFORM, PCIDX });
> 
>        client.executeMethod(authpost);
> 
> 
> =================================================================
> 
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target at
> com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
> at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
> at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
> at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:847)
> at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
> at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
> at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:619)
> at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
> at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
> at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
> at
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: commons-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: commons-user-help@jakarta.apache.org
> 
-- 
Julius Davies
Senior Application Developer, Technology Services
Credit Union Central of British Columbia
http://www.cucbc.com/
Tel: 604-730-6385
Cel: 604-868-7571
Fax: 604-737-5910

1441 Creekside Drive
Vancouver, BC
Canada
V6J 4S7

http://juliusdavies.ca/
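
Workaround 1 from the message above, as an added example (not from the original message or from commons-ssl): it imports the server certificate into a separate trust store file rather than the JRE-wide cacerts, and only after its SHA-256 fingerprint matches a value obtained out-of-band. The file names, the alias, and the throwaway self-signed certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example. Paths, alias and the "changeit" password are illustrative.

# Print the SHA-256 fingerprint of a certificate file (PEM or DER).
cert_fingerprint() {
    keytool -printcert -file "$1" |
        sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p'
}

# import_verified CERT EXPECTED_FP TRUSTSTORE ALIAS
# Imports CERT as a trusted entry only if its fingerprint equals EXPECTED_FP,
# the value obtained out-of-band (e.g. read to you by the server's operator).
import_verified() {
    actual=$(cert_fingerprint "$1")
    if [ -z "$actual" ] || [ "$actual" != "$2" ]; then
        echo "fingerprint mismatch for $1, not importing" >&2
        return 1
    fi
    keytool -importcert -noprompt -alias "$4" -file "$1" \
        -keystore "$3" -storepass changeit >/dev/null 2>&1
}

# Constructed sample input: a throwaway self-signed certificate standing in
# for the one retrieved from the https server.
make_sample_cert() {
    keytool -genkeypair -alias srv -keyalg RSA -keysize 2048 -validity 1 \
        -dname "CN=server.example" -keystore "$1/server.jks" \
        -storepass changeit -keypass changeit >/dev/null 2>&1 &&
    keytool -exportcert -rfc -alias srv -keystore "$1/server.jks" \
        -storepass changeit -file "$1/server.pem" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample_cert "$dir" || { rm -rf "$dir"; return 1; }
    fp=$(cert_fingerprint "$dir/server.pem")  # stands in for the out-of-band value
    import_verified "$dir/server.pem" "$fp" "$dir/trust.jks" myserver &&
        keytool -list -keystore "$dir/trust.jks" -storepass changeit
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Run the offline demonstration with:  sh import_verified.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

A client started with `-Djavax.net.ssl.trustStore=trust.jks -Djavax.net.ssl.trustStorePassword=changeit` then trusts only the entries in that file; these properties replace the default cacerts rather than adding to it.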


