hc-dev mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: attempt at implementing "commons-ssl"
Date Thu, 04 May 2006 09:17:49 GMT
On Thu, 2006-05-04 at 11:00 +0200, Ortwin Glück wrote:
> Julius,
> 
> This looks like a great contribution to HttpComponents HttpConn. Thank 
> you and your employer very much! I like the simple API.
> 
> Oleg, this is not a whole project. 

I thought that is what Julius would prefer. Otherwise, I am sure we can
incorporate most of this code into HttpComponents.

Oleg


> It is merely some utility classes for 
> which we can easily find a home. No need to start a new subproject or 
> even the incubator.
> 
> First thing will be to analyze the code base, put the classes in a 
> meaningful SVN / package structure, eliminate the Base64 copy, then 
> write up API Doc.
> 
> my CHF 0.05
> 
> Odi
> 
> Julius Davies wrote:
> > Hi, Httpclient,
> > 
> > My employer (Credit Union Central of British Columbia) has given me
> > permission to donate some code to Apache.  This code comes from my
> > earlier attempt on this list to get HTTPClient to accept self-signed
> > certificates.
> > 
> > Here's the code:
> > http://juliusdavies.ca/commons-ssl/
> > 
> > 
> > The way it works looks like this:
> > 
> > SSLClient client = new SSLClient();
> > client.addTrustMaterial( TrustMaterial.CACERTS );
> > client.addTrustMaterial( new TrustMaterial( "/path/to/cert.pem" ) );
> > SSLSocket s = (SSLSocket) client.createSocket( "www.cucbc.com", 443 );
> > 
> > I put in a createSocket() that takes a timeout integer value to make
> > your life easier.
> > 
> > I've put in a "ping" utility I'm finding very handy.  It writes "HEAD /
> > HTTP/1.1" on a socket and then spits out any errors, including
> > certificate chains (in Base64 PEM format).  It's the default class in
> > the manifest, so all you need to use it is run:
> > 
> > java -jar commons-ssl.jar
> > 
> > Here's what it spits out if you don't specify any options:
> > 
> > ==============================================================
> > Usage:  java -jar commons-ssl.jar [options]
> > Options:   (*=required)
> > *  -t  --target           [hostname[:port]]             default port=443
> >    -b  --bind             [hostname[:port]]             default port=0 "ANY"
> >    -c  --client-cert      [path to client certificate]  *.jks or *.pfx
> >    -p  --password         [client cert password]
> > 
> > Example:
> > 
> > java -jar commons-ssl.jar -t cucbc.com:443 -c ./client.pfx -p `cat ./pass.txt`
> > ==============================================================
> > 
> > Here's what it spits out after a successful run:
> > 
> > $ java -jar commons-ssl.jar  -t www.cucbc.com
> > 
> > Writing:
> > ================================================================================
> > HEAD / HTTP/1.1
> > Host: www.cucbc.com
> > 
> > Reading:
> > ================================================================================
> > HTTP/1.1 200 OK
> > Date: Thu, 04 May 2006 00:22:27 GMT
> > Server: Apache/2.0.46 (Red Hat)
> > Accept-Ranges: bytes
> > Connection: close
> > Content-Type: text/html; charset=UTF-8
> > 
> > Server Certificate for: [www.cucbc.com/64.114.5.46:443]
> > ================================================================================
> > s.0: CN=www.cucbc.com, O=Credit Union Central of British Columbia, L=Vancouver, ST=British Columbia, C=CA
> > i.0: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
> > 
> > It even prints out the certificates if the SSL handshake fails, so that
> > can be very handy when you've got miscreant client certificates or typos
> > in your truststores!
> > 
> > If you would like to read the code, or try playing with it, please check
> > out this URL:
> > 
> > http://juliusdavies.ca/commons-ssl/
> > 
> > Unfortunately I haven't included a build script yet, but just going into
> > the "org/apache/commons/ssl" directory and typing "javac *.java" does
> > the trick.  There are no dependencies at this time (for now I've stolen
> > Base64.java from commons-codec!).
> > 
> > 
> > What should I do to try and get a new "commons-ssl" project started?  If
> > this code is accepted, I would like to bring HTTPClient's "contrib-ssl"
> > into the HTTPClient 4.0 branch, and depend on "commons-ssl".
> > 
> > Sorry if I'm a little breathless.  I'm pretty excited.
> > 
> > 
> > 
> > yours,
> > 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: httpclient-dev-help@jakarta.apache.org
> 
> 

