hc-dev mailing list archives

From Steve Johnson <sjohn...@mercury.com>
Subject RE: client side cert issue, maybe. HTTPClient version 2
Date Mon, 20 Dec 2004 19:32:31 GMT
Hi All,

Does anyone have a test client side cert (.pfx) with password that I
could use from HttpClient to see a good request? Has anyone gotten a
response body from this type of cert?

I believe the cert has a public and a private key in the cert.


https://primeview.csfb.com/html
The response we get is the same as requesting this URL in a browser (IE or Mozilla)
without the client side cert. This cert works for both IE and Mozilla with the cert
password.

It appears that we are getting the client side cert passed in for SSL.
Here is the code for loading the keystore:

    import java.io.File;
    import java.io.FileInputStream;
    import java.io.IOException;
    import java.security.KeyStore;

    /**
     * Loads a PKCS12 (.pfx) or JKS keystore. Returns null on any failure so the
     * caller can decide what to do; the failure is logged with the path only.
     * (LogManager is the application's own logging class, not shown here.)
     */
    protected static KeyStore loadKeystore(String keystorePath, String keystorePassword) {
        KeyStore keyStore;
        FileInputStream keystoreFile = null;
        try {
            if (!new File(keystorePath).exists()) {
                throw new Exception("certificate file not found by SiteScope");
            }

            // The keystore type must match the file format: a .pfx is PKCS12
            // (private key plus certificate chain); anything else is treated as JKS.
            if (keystorePath.endsWith(".pfx")) {
                keyStore = KeyStore.getInstance("PKCS12");
            } else {
                keyStore = KeyStore.getInstance("JKS");
            }

            keystoreFile = new FileInputStream(keystorePath);

            char[] passphrase = keystorePassword.toCharArray();
            keyStore.load(keystoreFile, passphrase);
        } catch (Exception e) {
            keyStore = null;
            LogManager.log("Error", "Failed to load keystore '" + keystorePath +
                    "', exception: " + e.getMessage());
        } finally {
            // Release the file handle whether or not loading succeeded.
            if (keystoreFile != null) {
                try { keystoreFile.close(); } catch (IOException ignored) { }
            }
        }

        return keyStore;
    }

THIS URL DOES A REDIRECT AND THEN AUTHENTICATES ON THE REDIRECT URL AND WRITES THE
REQUEST HEADERS, THEN FAILS TO GET THE RESPONSE HEADERS.
WE CAN WRITE ON THE SOCKET, BUT NOT READ.

URL: https://primeview.csfb.com/html(TEST.1/6) , WRITE: SSLv3 Application Data, length = 313
2004/12/20 12:13:46:857 GMT-07:00 [DEBUG] wire - ->> "[\r][\n]"
2004/12/20 12:13:46:857 GMT-07:00 [TRACE] HttpConnection - -enter HttpConnection.flushRequestOutputStream()
2004/12/20 12:13:46:857 GMT-07:00 [TRACE] HttpMethodBase - -enter HttpMethodBase.readResponse(HttpState,
HttpConnection)
2004/12/20 12:13:46:857 GMT-07:00 [TRACE] HttpMethodBase - -enter HttpMethodBase.readStatusLine(HttpState,
HttpConnection)
2004/12/20 12:13:46:857 GMT-07:00 [TRACE] HttpConnection - -enter HttpConnection.readLine()
2004/12/20 12:13:46:857 GMT-07:00 [TRACE] HttpParser - -enter HttpParser.readLine()
2004/12/20 12:13:46:857 GMT-07:00 [TRACE] HttpParser - -enter HttpParser.readRawLine()
URL: https://primeview.csfb.com/html(TEST.1/6) , READ: SSLv3 Handshake, length = 20
*** HelloRequest (empty)
%% Client cached [Session-7, SSL_RSA_WITH_RC4_128_MD5]
%% Try resuming [Session-7, SSL_RSA_WITH_RC4_128_MD5] from port 1695
*** ClientHello, SSLv3


Thanks for your time and helpful information,



Steve Johnson, Software Engineer, sjohnson@mercury.com
direct 720.564.6532
www.mercury.com

-----Original Message-----
From: Oleg Kalnichevski [mailto:olegk@apache.org] 
Sent: Wednesday, December 15, 2004 7:03 AM
To: HttpClient Project
Cc: Steve Johnson
Subject: Re: client side cert issue, maybe. HTTPClient version 2

Hi Steve,

Just a few comments on the problem you have been experiencing

(1) If you ever get a valid HTTP status code it means that the
underlying transport layer is completely OK. Had it been an SSL related
problem you would have gotten an SSLException, not a status code 403

(2) InputStream#available is completely meaningless for the SSLSockets.
I believe Sun does not even guarantee an adequate performance of this
method for plain sockets. The only way to tell if there's data to be
read is actually by performing a socket read operation. 

(3) Most likely your application needs to perform HTTP authentication in
addition to SSL authentication. Apparently there's no such thing as too
much security.

Hope this helps somewhat

Cheers,

Oleg


On Tue, Dec 14, 2004 at 01:46:31PM -0800, Steve Johnson wrote:
> Hi All,
> 
> HTTPClient version 2
> 
> Wondering if anyone has seen something like this. I realize it could have many causes.
> 
> URL is client side cert; we get connected and receive a 302 redirect page from server.
> 
> We send the request for the next page, see Wire debug below.
> 
> I run socket.available(), it returns 0 bytes available.
> 
> Then the socket reestablished the SSL credentials.
> 
> When the page is read we get a 403 Forbidden from the server.
> 
> WE WRITE REQUEST AND GET 302 WITH NO BREAK ON THE CONNECTION
> --------------------------------------------------------------------------------------------
> 
> 
> 2004/12/14 14:15:54:437 GMT-07:00 [TRACE] HttpConnection - -enter HttpConnection.flushRequestOutputStream()
> 
> HTTPRequest /SiteScope/cgi/go.exe/SiteScope, WRITE: SSLv3 Application Data, length = 162
> 
> 2004/12/14 14:15:54:437 GMT-07:00 [DEBUG] wire - ->> "[\r][\n]"
> 
> 2004/12/14 14:15:54:437 GMT-07:00 [TRACE] HttpConnection - -enter HttpConnection.flushRequestOutputStream()
> 
> 2004/12/14 14:15:54:437 GMT-07:00 [TRACE] HttpMethodBase - -enter HttpMethodBase.readResponse(HttpState,
> HttpConnection)
> 
> 2004/12/14 14:15:54:437 GMT-07:00 [TRACE] HttpMethodBase - -enter HttpMethodBase.readStatusLine(HttpState,
> HttpConnection)
> 
> 2004/12/14 14:15:54:437 GMT-07:00 [TRACE] HttpConnection - -enter HttpConnection.readLine()
> 
> 2004/12/14 14:15:54:437 GMT-07:00 [TRACE] HttpParser - -enter HttpParser.readLine()
> 
> 2004/12/14 14:15:54:437 GMT-07:00 [TRACE] HttpParser - -enter HttpParser.readRawLine()
> 
> HTTPRequest /SiteScope/cgi/go.exe/SiteScope, READ: SSLv3 Application Data, length = 368
> 
> 2004/12/14 14:15:54:516 GMT-07:00 [DEBUG] wire - -<< "HTTP/1.1 302 Moved Temporarily[\r][\n]"
> 
> 2004/12/14 14:15:54:516 GMT-07:00 [TRACE] HttpMethodBase - -enter
> HttpMethodBase.readResponseHeaders(HttpState,HttpConnection)
> 
>  
> 
>  
> 
> WE WRITE NEXT REQUEST AND THERE ARE 0 BYTES TO READ, SSL STUFF HAPPENS, THEN A 403 FROM SERVER.
> 
> 2004/12/14 14:15:58:015 GMT-07:00 [TRACE] HttpConnection - -enter HttpConnection.flushRequestOutputStream()
> 
> HTTPRequest /SiteScope/cgi/go.exe/SiteScope, WRITE: SSLv3 Application Data, length = 319
> 
> 2004/12/14 14:15:58:015 GMT-07:00 [DEBUG] wire - ->> "[\r][\n]"
> 
> 2004/12/14 14:15:58:015 GMT-07:00 [TRACE] HttpConnection - -enter HttpConnection.flushRequestOutputStream()
> 
> 2004/12/14 14:15:58:015 GMT-07:00 [TRACE] HttpMethodBase - -enter HttpMethodBase.readResponse(HttpState,
> HttpConnection)
> 
> 2004/12/14 14:15:58:015 GMT-07:00 [TRACE] HttpMethodBase - -enter HttpMethodBase.readStatusLine(HttpState,
> HttpConnection)
> 
> 2004/12/14 14:15:58:015 GMT-07:00 [TRACE] HttpConnection - -enter HttpConnection.readLine()
> 
> 2004/12/14 14:15:58:015 GMT-07:00 [TRACE] HttpParser - -enter HttpParser.readLine()
> 
> 2004/12/14 14:15:58:015 GMT-07:00 [TRACE] HttpParser - -enter HttpParser.readRawLine()
> 
> HTTPRequest /SiteScope/cgi/go.exe/SiteScope, READ: SSLv3 Handshake, length = 20
> 
> *** HelloRequest (empty)
> 
> %% Client cached [Session-2, SSL_RSA_WITH_RC4_128_MD5]
> 
> %% Try resuming [Session-2, SSL_RSA_WITH_RC4_128_MD5] from port 2006
> 
> *** ClientHello, SSLv3
> 
> 
> 403 PAGE AFTER THIS:
> 
> any ideas? Suggestions?
> 
> Thanks,
> 
> Steve Johnson, Software Engineer, sjohnson@mercury.com
> direct 720.564.6532
> www.mercury.com

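Two things in this thread are worth checking in code rather than guessing at: Steve's "it appears that we are getting the client side cert passed in" (loading the PKCS12 into a KeyStore is not enough; a KeyManager must be wired into the SSLContext, and the server's HelloRequest in the trace starts a renegotiation in which the certificate is actually requested), and Oleg's point (2) that InputStream#available tells you nothing on an SSL socket and only a blocking read does. The following probe is an added example, not code from this thread, from SiteScope, or from HttpClient itself. It uses plain JSSE so it can be run on its own; the class name ClientCertProbe, the command-line arguments, the use of the JDK default trust store, and a Java 7 or later JDK (for SSLParameters) are all assumptions. To feed the resulting SSLContext into HttpClient 2.x the socket factory would still have to be wrapped in that library's SecureProtocolSocketFactory interface and registered for "https", which is outside this example.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

/** Hypothetical probe: does the server actually receive our client certificate? */
public class ClientCertProbe {

    /** Build an SSLContext able to present the key pair stored in a .pfx file. */
    static SSLContext contextFromPkcs12(String pfxPath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        InputStream in = new FileInputStream(pfxPath);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        // The KeyManager is what answers the server's CertificateRequest; a loaded
        // KeyStore that is never handed to one sends nothing.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);   // browser-exported PKCS12: key password == store password
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);   // null trust managers = JDK default cacerts
        return ctx;
    }

    /** Send one GET, return the status line, and report each handshake's local cert. */
    static String probe(SSLContext ctx, String host, int port, String path) throws IOException {
        SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            // A raw SSLSocket does not match the host name against the server
            // certificate unless told to; without this any valid cert would pass.
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            sock.setSSLParameters(params);

            // Fires for the initial handshake and again for every renegotiation the
            // server starts with a HelloRequest (the point at which a server that only
            // wants a client cert for a protected path actually asks for it).
            sock.addHandshakeCompletedListener(new HandshakeCompletedListener() {
                public void handshakeCompleted(HandshakeCompletedEvent ev) {
                    Certificate[] local = ev.getLocalCertificates();   // null = none sent
                    if (local == null) {
                        System.err.println("handshake " + ev.getCipherSuite()
                                + ": no client certificate was sent");
                    } else {
                        System.err.println("handshake " + ev.getCipherSuite() + ": sent "
                                + ((X509Certificate) local[0]).getSubjectX500Principal());
                    }
                }
            });
            sock.startHandshake();

            Writer out = new OutputStreamWriter(sock.getOutputStream(), "ISO-8859-1");
            out.write("GET " + path + " HTTP/1.0\r\nHost: " + host + "\r\nConnection: close\r\n\r\n");
            out.flush();

            // available() is meaningless here: a renegotiation can be in flight with
            // zero application bytes queued. Block in read() and let JSSE handle it.
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(sock.getInputStream(), "ISO-8859-1"));
            String status = in.readLine();
            String line;
            while ((line = in.readLine()) != null && line.length() > 0) {
                // Location / WWW-Authenticate show whether the server wants a redirect
                // or HTTP-level credentials on top of the TLS client certificate.
                if (line.regionMatches(true, 0, "Location:", 0, 9)
                        || line.regionMatches(true, 0, "WWW-Authenticate:", 0, 17)) {
                    System.err.println(line);
                }
            }
            return status;
        } finally {
            sock.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // usage: java ClientCertProbe client.pfx <password> host /path
        SSLContext ctx = contextFromPkcs12(args[0], args[1].toCharArray());
        System.out.println(probe(ctx, args[2], 443, args[3]));
    }
}
```

Run it with -Djavax.net.debug=ssl to see the same HelloRequest / ClientHello lines as in the traces above; if the listener prints "no client certificate was sent" after the renegotiation, the key manager found no key that matches the CAs the server named in its CertificateRequest, which is where the 403 is coming from. If a certificate was sent and the server still answers 403, or the headers carry WWW-Authenticate, the server wants HTTP authentication in addition to the TLS client certificate, as Oleg's point (3) suggests.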