hc-dev mailing list archives

From Brad O'Hearne <br...@neurofire.com>
Subject HttpClient, SSL, and keystores
Date Wed, 28 Jan 2004 15:14:03 GMT
Hey all,

I am experiencing very strange behavior using HttpClient over SSL, and 
I wondered if someone could enlighten me as to how it works.

Basically, I have a small app that uses HttpClient to contact a web 
server over https.  What the app does is unimportant, but I have been 
playing around with SSL and keystore / certs, and am fairly confused.  
Here is what I've discovered:

On Windows clients, running J2SDK 1.4.2_03:
1. Without specifying anything about the keystore at all, and without 
importing any certs into the default keystore, the app can talk over 
SSL without a problem.
2. Override the default keystore, 
(-Djavax.net.ssl.keyStore=<keystore_file>) and the app works, provided 
that the keystore file exists.  However, the keystore can be completely 
empty and still work, and after running the app, the keystore is still 
completely empty -- no entries.
3. Override the default keystore, 
(-Djavax.net.ssl.keyStore=<keystore_file>) and the app will fail if the 
keystore file does not exist.  That seems really strange in the wake of 
the behavior in 2, seeing that the keystore is apparently unused.

On Windows clients, running J2SDK 1.4.1.x:
1. SSL doesn't work.  I have a suspicion that this is due to the 
Verisign Class 2 and 3 CA certs expiring on Jan 7, 2004.

On Mac OS X, running Apple's VM 1.4.1.x:
1. SSL doesn't work.  I manually installed the new Verisign certs 
mentioned earlier, but SSL still didn't work.  So I then manually 
imported the server cert for the site in question, and added this line 
(-Djavax.net.ssl.trustStore=<keystore_file>) where the keystore file 
was the keystore containing the server cert.  This worked.  ???

The results of this testing have put me into a state of confusion 
regarding what HttpClient's relationship is to the Java keystore.  It 
appears not to need the keystore at all in my Windows tests, but on the 
Mac, it appears to depend on it.  Can someone clarify how HttpClient 
works with respect to SSL, CA certs, server certs, and keystores?

Thanks so much 
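
Added example, not part of the original message: a small Java diagnostic for the setup described above. It prints the configured `javax.net.ssl.keyStore`, resolves the trust store in the JSSE default order (system property, then `jssecacerts`, then `cacerts` under `java.home`), and flags expired CA certificates in it. The class name `TrustStoreCheck` is hypothetical.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

// Hypothetical diagnostic class; run with the same -D options as the application.
public class TrustStoreCheck {
    // JSSE default lookup: -Djavax.net.ssl.trustStore, else jssecacerts, else cacerts.
    static File resolveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) return new File(prop);
        File sec = new File(System.getProperty("java.home"), "lib/security");
        File jsse = new File(sec, "jssecacerts");
        return jsse.exists() ? jsse : new File(sec, "cacerts");
    }

    public static void main(String[] args) throws Exception {
        // keyStore holds the client's own keys; it is consulted only for client authentication.
        System.out.println("keyStore   = " + System.getProperty("javax.net.ssl.keyStore", "(unset)"));
        // trustStore holds the CA and server certificates used to validate the server.
        File ts = resolveTrustStore();
        System.out.println("trustStore = " + ts);

        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(ts)) {
            // A null password skips the integrity check; supply the property for protected stores.
            ks.load(in, pw == null ? null : pw.toCharArray());
        }

        Date now = new Date();
        int expired = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            if (x.getNotAfter().before(now)) {
                expired++;
                System.out.println("EXPIRED " + alias + "  notAfter=" + x.getNotAfter()
                        + "  subject=" + x.getSubjectX500Principal().getName());
            }
        }
        System.out.println(ks.size() + " entries, " + expired + " expired");
    }
}
```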
