hc-dev mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: attempt at implementing "commons-ssl"
Date Thu, 04 May 2006 08:18:19 GMT
On Wed, 2006-05-03 at 17:25 -0700, Julius Davies wrote:
> Hi, Httpclient,
> 
> My employer (Credit Union Central of British Columbia) has given me
> permission to donate some code to Apache.  This code comes from my
> earlier attempt on this list to get HTTPClient to accept self-signed
> certificates.
> 
> Here's the code:
> http://juliusdavies.ca/commons-ssl/
> 
> 

Hi Julius,

Starting a whole new project within Jakarta Commons is a difficult
proposition. You will have to submit a formal sub-project proposal for
consideration and that involves a lot of work and certain preconditions.
Please refer to the Jakarta Subproject Proposals [1] for details.

If you do not mind donating just certain pieces rather than the whole
thing, I am sure we can find a home for most of those classes within
HttpComponents (proper or contrib).

Cheers,

Oleg

[1] http://jakarta.apache.org/site/newproject.html



> The way it works looks like this:
> 
> SSLClient client = new SSLClient();
> client.addTrustMaterial( TrustMaterial.CACERTS );
> client.addTrustMaterial( new TrustMaterial( "/path/to/cert.pem" ) );
> SSLSocket s = (SSLSocket) client.createSocket( "www.cucbc.com", 443 );
> 
> I put in a createSocket() that takes a timeout integer value to make
> your life easier.
> 
> I've put in a "ping" utility I'm finding very handy.  It writes "HEAD /
> HTTP/1.1" on a socket and then spits out any errors, including
> certificate chains (in Base64 PEM format).  It's the default class in
> the manifest, so all you need to use it is run:
> 
> java -jar commons-ssl.jar
> 
> Here's what it spits out if you don't specify any options:
> 
> ==============================================================
> Usage:  java -jar commons-ssl.jar [options]
> Options:   (*=required)
> *  -t  --target           [hostname[:port]]             default port=443
>    -b  --bind             [hostname[:port]]             default port=0 "ANY"
>    -c  --client-cert      [path to client certificate]  *.jks or *.pfx
>    -p  --password         [client cert password]
> 
> Example:
> 
> java -jar commons-ssl.jar -t cucbc.com:443 -c ./client.pfx -p `cat ./pass.txt`
> ==============================================================
> 
> Here's what it spits out after a successful run:
> 
> $ java -jar commons-ssl.jar  -t www.cucbc.com
> 
> Writing:
> ================================================================================
> HEAD / HTTP/1.1
> Host: www.cucbc.com
> 
> Reading:
> ================================================================================
> HTTP/1.1 200 OK
> Date: Thu, 04 May 2006 00:22:27 GMT
> Server: Apache/2.0.46 (Red Hat)
> Accept-Ranges: bytes
> Connection: close
> Content-Type: text/html; charset=UTF-8
> 
> Server Certificate for: [www.cucbc.com/64.114.5.46:443]
> ================================================================================
> s.0: CN=www.cucbc.com, O=Credit Union Central of British Columbia, L=Vancouver, ST=British Columbia, C=CA
> i.0: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
> 
> It even prints out the certificates if the SSL handshake fails, so that
> can be very handy when you've got miscreant client certificates or typos
> in your truststores!
> 
> If you would like to read the code, or try playing with it, please check
> out this URL:
> 
> http://juliusdavies.ca/commons-ssl/
> 
> Unfortunately I haven't included a build script yet, but just going into
> the "org/apache/commons/ssl" directory and typing "javac *.java" does
> the trick.  There are no dependencies at this time (for now I've stolen
> Base64.java from commons-codec!).
> 
> 
> What should I do to try and get a new "commons-ssl" project started?  If
> this code is accepted, I would like to bring HTTPClient's "contrib-ssl"
> into the HTTPClient 4.0 branch, and depend on "commons-ssl".
> 
> Sorry if I'm a little breathless.  I'm pretty excited.
> 
> 
> 
> yours,
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-dev-help@jakarta.apache.org
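
For comparison with the SSLClient/TrustMaterial usage quoted in the message, the following is an added example (not part of the original post and not commons-ssl code) that uses only the standard JSSE API to trust the JRE's default CAs plus the certificates in one PEM file, then turns on hostname verification for the raw socket. The class name and the two command-line arguments are assumptions.

```java
import java.io.BufferedInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

public class ExtraTrustAnchor {
    public static void main(String[] args) throws Exception {
        String host = args[0];     // server to connect to
        String pemPath = args[1];  // placeholder: PEM file holding the extra certificate(s)
        // Copy the JRE's default trust anchors (cacerts) into a fresh in-memory store.
        TrustManagerFactory defaults =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        defaults.init((KeyStore) null);
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        store.load(null, null);
        for (TrustManager tm : defaults.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                store.setCertificateEntry("default-" + store.size(), ca);
            }
        }
        // Add the self-signed or private-CA certificate(s) as additional anchors.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new BufferedInputStream(Files.newInputStream(Paths.get(pemPath)))) {
            for (Certificate c : cf.generateCertificates(in)) {
                store.setCertificateEntry("extra-" + store.size(), c);
            }
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            // A raw SSLSocket does not check the hostname unless asked to.
            SSLParameters params = s.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(params);
            s.startHandshake();  // throws SSLHandshakeException if the chain is not trusted
            for (Certificate c : s.getSession().getPeerCertificates()) {
                System.out.println(((X509Certificate) c).getSubjectX500Principal());
            }
        }
    }
}
```

Because the extra certificate is added to the trust store rather than validation being switched off, every other server is still checked against the default CAs.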

