hc-dev mailing list archives

From "Kalnichevski, Oleg" <oleg.kalnichev...@bearingpoint.com>
Subject RE: Re: Help on client authentication
Date Fri, 30 May 2003 11:56:08 GMT
Patrick,

I think it should be relatively easy to test whether the issue is in fact caused by HttpClient.
Just use your socket factory to instantiate a socket and try executing a simple HTTP GET request
using raw i/o streams. If you succeed in getting that to work, it would clearly indicate a problem
with HttpClient. However, if the opposite is the case, you should be looking for a problem
in your SSL setup.

Oleg
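The isolation test Oleg describes, written out as an added example (it is not code from this thread, from HttpClient, or from the JSSE samples): it builds the same client-authenticating SSLContext that Patrick's snippet below uses, opens one SSLSocket from that factory, forces the handshake, and sends a hand-written HTTP GET over the raw streams. Before connecting it checks that the keystore actually holds a private-key entry (a keystore with only trusted certificates cannot answer the server's CertificateRequest), and after the handshake it reports whether a client certificate was sent, which narrows down "a problem in your SSL setup". The keystore file name "testkeystore" and the passphrase "passphrase" are taken from the thread; the host name and path are placeholders.

```java
// Added example: raw HTTPS GET with client authentication, outside HttpClient.
// Assumed: keystore "testkeystore" / passphrase "passphrase" (as in the thread);
// host, port and path are placeholders supplied on the command line.
import java.io.*;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
import javax.net.ssl.*;

public class RawTlsGetCheck {

    /** Builds an SSLContext whose KeyManager holds the client key, as in the thread's snippet. */
    static SSLContext clientAuthContext(String keystorePath, char[] passphrase) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, passphrase);
        }
        // Client authentication needs a private-key entry; trusted-cert entries alone are not enough.
        boolean hasKey = false;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (ks.isKeyEntry(e.nextElement())) {
                hasKey = true;
            }
        }
        if (!hasKey) {
            throw new IllegalStateException(
                "keystore has no private-key entry; the server's CertificateRequest cannot be answered");
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, passphrase);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null TrustManagers and null SecureRandom: JRE defaults, same as the original snippet
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    /** Opens the socket, forces the handshake, then speaks HTTP/1.0 by hand over the raw streams. */
    static String rawGet(SSLSocketFactory factory, String host, int port, String path) throws IOException {
        try (SSLSocket sock = (SSLSocket) factory.createSocket(host, port)) {
            sock.startHandshake();   // throws here if the fault is in the SSL setup, not in HttpClient
            SSLSession session = sock.getSession();
            Certificate[] sent = session.getLocalCertificates();   // null when no client cert was sent
            System.err.println("handshake ok: " + session.getProtocol() + " " + session.getCipherSuite()
                + ", client certificates sent: " + (sent == null ? 0 : sent.length));

            Writer out = new OutputStreamWriter(sock.getOutputStream(), "US-ASCII");
            out.write("GET " + path + " HTTP/1.0\r\nHost: " + host + "\r\nConnection: close\r\n\r\n");
            out.flush();   // the trace in the thread dies on the first application-data write

            BufferedReader in = new BufferedReader(new InputStreamReader(sock.getInputStream(), "ISO-8859-1"));
            StringBuilder resp = new StringBuilder();
            String line;
            while ((line = in.readLine()) != null) {
                resp.append(line).append('\n');
            }
            return resp.toString();
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "server.example";   // placeholder host
        String path = args.length > 1 ? args[1] : "/";
        SSLContext ctx = clientAuthContext("testkeystore", "passphrase".toCharArray());
        System.out.print(rawGet(ctx.getSocketFactory(), host, 443, path));
    }
}
```

If `startHandshake()` completes and the response comes back, the keystore, key manager and trust setup are sound and the difference lies in how HttpClient drives the socket; if it fails, enable JSSE debugging (`-Djavax.net.debug=ssl,handshake`) on this small program first, since it produces far less output than the HttpClient trace above.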

-----Original Message-----
From: Patrick Cardinal [mailto:cardinallay@rediffmail.com]
Sent: Friday, May 30, 2003 07:44
To: Commons HttpClient Project
Subject: Re: Re: Help on client authentication


Sorry for the delay. Typically in an SSL transaction the client
wants to authenticate the server (validating server certificates).
However, in the case of mutual client authentication the server
also authenticates the client (using client certificates) in
addition to the client authenticating the server. Check out
http://java.sun.com/j2se/1.4.1/docs/guide/security/jsse/JSSERefGuide.html
and
http://java.sun.com/j2se/1.4.1/docs/guide/security/jsse/samples/sockets/client/SSLSocketClientWithClientAuth.java
for more info on this.

My problem relates to a SocketException when I run a custom SSL
socket factory with client authentication.

In a previous release of http client, the HttpClient class had a
setSSLSocketFactory method. So we used to be able to create a
custom SSLSocketFactory that supported client authentication and
set it to be used with an instance of the HttpClient class. Something
like:


import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

HttpClient hc = new HttpClient();
try
{
         SSLContext ctx;
         KeyManagerFactory kmf;
         KeyStore ks;
         char[] passphrase = "passphrase".toCharArray();

         ctx = SSLContext.getInstance("TLS");
         kmf = KeyManagerFactory.getInstance("SunX509");
         ks = KeyStore.getInstance("JKS");

         // load the JKS keystore holding the client key and certificate chain
         ks.load(new FileInputStream("testkeystore"), passphrase);

         kmf.init(ks, passphrase);
         // null trust managers and null SecureRandom: the JRE defaults are used
         ctx.init(kmf.getKeyManagers(), null, null);

         SSLSocketFactory factory = ctx.getSocketFactory();

         hc.setSSLSocketFactory(factory);
}
catch (Exception e)
{
         throw new IOException(e.getMessage());
}

Then use get and PostMethod...

In HttpClient 2.0 beta1, I tried to create a
CustomSocketFactory on similar lines to the
EasySSLProtocolSocketFactory example provided at
http://cvs.apache.org/viewcvs.cgi/jakarta-commons/httpclient/src/contrib/org/apache/commons/httpclient/contrib/ssl/

Something like:

import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

class MyFactory implements SecureProtocolSocketFactory
{
        private SSLSocketFactory mFactory;

        MyFactory()
        {
                 mFactory = getFactoryWithClientAuth();
        }

        // same way as in the JSSE example above: keystore -> KeyManagerFactory -> SSLContext
        private static SSLSocketFactory getFactoryWithClientAuth()
        {
                 try
                 {
                          char[] passphrase = "passphrase".toCharArray();
                          KeyStore ks = KeyStore.getInstance("JKS");
                          ks.load(new FileInputStream("testkeystore"), passphrase);
                          KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
                          kmf.init(ks, passphrase);
                          SSLContext ctx = SSLContext.getInstance("TLS");
                          ctx.init(kmf.getKeyManagers(), null, null);
                          return ctx.getSocketFactory();
                 }
                 catch (Exception e)
                 {
                          throw new RuntimeException(e.getMessage());
                 }
        }

        public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
                 throws IOException, UnknownHostException
        {
                 return mFactory.createSocket(socket, host, port, autoClose);
        }

        // the remaining createSocket methods delegate to the JSSE factory the same way
        public Socket createSocket(String host, int port, InetAddress clientHost, int clientPort)
                 throws IOException, UnknownHostException
        {
                 return mFactory.createSocket(host, port, clientHost, clientPort);
        }

        public Socket createSocket(String host, int port)
                 throws IOException, UnknownHostException
        {
                 return mFactory.createSocket(host, port);
        }
}

I then used to post stuff.

"
PostMethod post = new PostMethod(postServerUrl);
post.setRequestBody("Test http client");

post.setRequestHeader("Content-type", "text/plain");

// register the custom factory for the "https" scheme on port 443
Protocol strictHttps = new Protocol("https", new MyFactory(), 443);

HttpClient client = new HttpClient();

HostConfiguration hostc = new HostConfiguration();
hostc.setHost("ServerUrl", 443, strictHttps);

client.executeMethod(hostc, post);
"
When I ran the second example against 2.0 Beta1, the protocol
interactions in the output seem to be correct;
I saw all the SSL handshake stuff work correctly...
*** ClientHello, v3.1
*** ServerHello, v3.1
*** Certificate chain
*** CertificateRequest
*** ServerHelloDone
*** ClientKeyExchange
*** CertificateVerify
*** Finished, v3.1

except just after the last stage, when it's about to do the actual
post, I get

*** Finished, v3.1
verify_data:  { 98, 86, 46, 20, 159, 191, 251, 102, 9, 201, 95, 201 }
***
[write] MD5 and SHA1 hashes:  len = 16
0000: 14 00 00 0C 62 56 2E 14   9F BF FB 66 09 C9 5F C9  ....bV.....f.._.
Plaintext before ENCRYPTION:  len = 32
0000: 14 00 00 0C 62 56 2E 14   9F BF FB 66 09 C9 5F C9  ....bV.....f.._.
0010: A2 FE 98 4F 4D E1 1B AD   0D 74 DD 5A 44 54 E9 3D  ...OM....t.ZDT.=
main, WRITE:  SSL v3.1 Handshake, length = 32
2003/05/30 01:02:59:124 EDT [TRACE] HttpConnection - -enter HttpConnection.close()
2003/05/30 01:02:59:124 EDT [TRACE] HttpConnection - -enter HttpConnection.closeSockedAndStreams()
main, SEND SSL v3.1 ALERT:  warning, description = close_notify
Plaintext before ENCRYPTION:  len = 18
0000: 01 00 AB 04 44 A2 B3 5D   A4 89 16 62 F8 11 47 D6  ....D..]...b..G.
0010: A6 E4                                              ..
main, WRITE:  SSL v3.1 Alert, length = 18
2003/05/30 01:02:59:124 EDT [TRACE] HttpConnection - -enter HttpConnection.close()
2003/05/30 01:02:59:124 EDT [TRACE] HttpConnection - -enter HttpConnection.closeSockedAndStreams()
java.net.SocketException: Software caused connection abort: JVM_recv in socket input stream read
         at java.net.SocketInputStream.socketRead0(Native Method)
         at java.net.SocketInputStream.read(SocketInputStream.java:116)
         at com.sun.net.ssl.internal.ssl.InputRecord.a(DashoA6275)
         at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
         at org.apache.commons.httpclient.HttpConnection$WrappedOutputStream.write(HttpConnection.java:1347)
         at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:69)
         at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:127)
         at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:782)
         at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2173)
         at org.apache.commons.httpclient.HttpMethodBase.processRequest(HttpMethodBase.java:2528)
         at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1065)
         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:638)
         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:526)
         at PostXML1.main(PostXML1.java:130)
Exception in thread "main"

This exception occurs only when I want to do SSL transactions with
client authentication. Has anyone else encountered this problem?
Just FYI, this did not happen in the previous release of
httpclient. Any suggestions will be greatly appreciated.

Patrick


On Thu, 29 May 2003 Michael Becke wrote :
>Hello Patrick,
>
>What exactly do you mean by "SSL with mutual client 
>authentication"? Could you provide a simple example of what you 
>are trying and what specifically does not work?  A stack trace 
>and logs would be helpful.
>
>http://jakarta.apache.org/commons/httpclient/logging.html
>
>Mike
>
>Patrick Cardinal wrote:
>>I use httpclient to do SSL. We have been having problems using 
>>the 2.0 beta-1 (even alpha3 ) release of httpclient to do SSL 
>>with mutual client authentication using Keystores and JSSE. This 
>>used to work in a previous release of http client. I need to 
>>upgrade to 2.0 version for a bug fix.
>>
>>Does anyone know if SSL with mutual client authentication has 
>>ever been tested with http client?
>>
>>Can anyone provide me with sample code to do client 
>>authentication using httpclient in 2.0?
>>
>>Any help will be appreciated on this count...
>>
>>Patrick
>>___________________________________________________
>>Get email that means BUSINESS! me @ mycompany.com.
>>Just Rs.1499/year.
>>To start, click http://www.rediffmailpro.com
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: 
>>commons-httpclient-dev-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail: 
>>commons-httpclient-dev-help@jakarta.apache.org
>>
>
>


