hc-dev mailing list archives

From Thomas Bley <thomas.b...@simple-groupware.de>
Subject SSL Problems with HttpClient
Date Sat, 02 Jun 2007 22:50:13 GMT
Hello all,

For those who have SSL problems with certificates from e.g. cacert.org:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I used the code from:
http://svn.apache.org/viewvc/jakarta/commons/proper/httpclient/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java?view=markup
http://svn.apache.org/viewvc/jakarta/commons/proper/httpclient/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/EasyX509TrustManager.java?view=markup

But in the code there is (EasyX509TrustManager.java):

if ((certificates != null) && (certificates.length == 1)) {
  // single (self-signed) certificate: only its validity dates are checked
  certificates[0].checkValidity();
} else {
  // anything else goes through the JDK's standard PKIX chain validation
  standardTrustManager.checkServerTrusted(certificates,authType);
}

If you self-sign the certificate this is ok, but if you use certificates 
from e.g. cacert.org you'll still get errors, because there are 2 
certificates to validate; therefore
modify EasyX509TrustManager.java:

if (certificates != null) {
  // walks the whole chain, but only checks each certificate's validity dates;
  // issuer signatures and the path to a trusted root are not verified here
  for (int i=0; i < certificates.length; i++) {
    // System.out.println("Subject: "+certificates[i].getSubjectDN());
    // System.out.println("Issuer: "+certificates[i].getIssuerDN());
    // System.out.println("Not after: "+certificates[i].getNotAfter());
    // System.out.println("Not before: "+certificates[i].getNotBefore());
    certificates[i].checkValidity();
    // System.out.println("----");
  }
} else { // check Java's keystore (only reached when no chain was supplied)
  standardTrustManager.checkServerTrusted(certificates,authType);
}


The final code looks similar to this:

  import org.apache.commons.httpclient.DefaultHttpMethodRetryHandler;
  import org.apache.commons.httpclient.HttpClient;
  import org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory;
  import org.apache.commons.httpclient.methods.GetMethod;
  import org.apache.commons.httpclient.params.HttpMethodParams;
  import org.apache.commons.httpclient.protocol.Protocol;
  import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;

  // route all "https" URLs through the contrib socket factory (and its EasyX509TrustManager)
  Protocol.registerProtocol("https", new Protocol("https", (ProtocolSocketFactory) new EasySSLProtocolSocketFactory(), 443));
  HttpClient client = new HttpClient();
  client.getParams().setParameter(HttpMethodParams.RETRY_HANDLER, new DefaultHttpMethodRetryHandler(2, true));
  client.getHttpConnectionManager().getParams().setConnectionTimeout(5000);
  GetMethod get = new GetMethod(url);


Maybe someone can add this to the SSL Guide 
(http://jakarta.apache.org/commons/httpclient/sslguide.html).

Regards,
Thomas
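The PKIX error above means the JDK cannot build a path from the server certificate to a root it trusts. The following is an added example (not code from the post, from the HttpClient contrib package or from the SSL Guide) showing the other way to resolve it: load the issuing CA's certificate (e.g. the cacert.org root, assumed here to be in a PEM file at a placeholder path) into an in-memory truststore and let the standard PKIX trust manager validate the full chain against it, so the chain's signatures and issuer relationships are still checked. The resulting trust manager or SSLContext is what a socket factory like EasySSLProtocolSocketFactory would use in place of EasyX509TrustManager.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Builds an SSLContext that trusts exactly the CA certificate(s) found in one
 * PEM/DER file and validates server chains with the JDK's standard PKIX
 * algorithm. Added example; the CA file path is a placeholder.
 */
public final class PinnedCaSslContext {

    /** Reads every X.509 certificate in the file into a fresh, empty KeyStore. */
    public static KeyStore loadCaKeyStore(String caFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // initialise an empty in-memory store
        try (InputStream in = new FileInputStream(caFile)) {
            int n = 0;
            for (Certificate c : cf.generateCertificates(in)) {
                ks.setCertificateEntry("ca-" + (n++), c);
            }
            if (n == 0) {
                throw new IllegalArgumentException("no certificates found in " + caFile);
            }
        }
        return ks;
    }

    /** Standard PKIX trust manager rooted only at the CA(s) in the given store. */
    public static X509TrustManager pkixTrustManager(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** SSLContext whose only trust anchors are the certificates in caFile. */
    public static SSLContext build(String caFile) throws Exception {
        X509TrustManager tm = pkixTrustManager(loadCaKeyStore(caFile));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        return ctx;
    }

    /**
     * Opens a socket and completes the handshake with host-name checking turned
     * on: a plain SSLSocket validates the chain but not that the certificate
     * was issued for this host unless an endpoint identification algorithm is set.
     */
    public static SSLSocket connect(SSLContext ctx, String host, int port) throws Exception {
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(p);
        s.startHandshake(); // throws SSLHandshakeException if the chain or name does not verify
        return s;
    }

    public static void main(String[] args) throws Exception {
        // placeholder path: the CA's root certificate exported as PEM
        SSLContext ctx = build("/path/to/cacert-root.pem");
        try (SSLSocket s = connect(ctx, "example.invalid", 443)) {
            System.out.println("handshake ok: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

With this approach the validity-date loop from the post is unnecessary, since the PKIX validator already checks dates, signatures and basic constraints of every certificate in the chain; the only thing that changes is which roots are trusted. The endpoint identification setting in connect is a separate check that HttpClient 3.x socket factories do not perform on their own.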
