hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Patrick Lightbody <patr...@lightbody.net>
Subject SSL Problems
Date Mon, 22 Aug 2011 21:24:22 GMT
I have the code below, which results in this exception:

Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
	at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:339)
	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:123)
	at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:147)
	at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:101)
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:381)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)

What's weird is that this code works for almost all URLs (try https://fidelity.com, for example)
but a few do not work. We've narrowed it down to this simple change in Apache:

# Works
SSLProtocol -ALL +SSLv3 +TLSv1

# Doesn't work
SSLProtocol -ALL +SSLv3

Any idea how I could support these kinds of SSL setups while still supporting all other major
sites (fidelity.com, twitter.com, etc). My goal is pretty much just to accept all SSL certs
and my TrustingSSLSocketFactory gets me 99% there, but I'd like to be 100% there. Any tips?

Patrick

====================

String url = "https://www.razoo.com/login";

HttpParams params = new BasicHttpParams();

SchemeRegistry schemeRegistry = new SchemeRegistry();
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
trustStore.load(null, null);
SSLSocketFactory sslSocketFactory = new TrustingSSLSocketFactory();
sslSocketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
schemeRegistry.register(new Scheme("https", sslSocketFactory, 443));
schemeRegistry.register(new Scheme("http", new PlainSocketFactory(), 80));

DefaultHttpClient client = new DefaultHttpClient(new SingleClientConnManager(params, schemeRegistry),
params);
HttpGet get = new HttpGet(url);
HttpResponse resp = client.execute(get);

System.out.println(resp.getStatusLine().getStatusCode());

====================

public class TrustingSSLSocketFactory extends SSLSocketFactory {
    private static SSLContext sslContext;

    public TrustingSSLSocketFactory() {
        super(sslContext);
    }

    static {
        try {
            sslContext = SSLContext.getInstance("SSLv3");
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("Algorithm not found! Critical SSL error!", e);
        }
        
        TrustManager easyTrustManager = new X509TrustManager() {
            @Override
            public void checkClientTrusted(
                    X509Certificate[] chain,
                    String authType) throws CertificateException {
                // Oh, I am easy!
            }

            @Override
            public void checkServerTrusted(
                    X509Certificate[] chain,
                    String authType) throws CertificateException {
                // Oh, I am easy!
            }

            @Override
            public X509Certificate[] getAcceptedIssuers() {
                return null;
            }

        };
        try {
            sslContext.init(null, new TrustManager[]{easyTrustManager}, null);
        } catch (KeyManagementException e) {
            throw new RuntimeException("Unexpected key management error", e);
        }
    }

    @Override
    public Socket createSocket() throws IOException {
        SSLSocket socket = (SSLSocket) super.createSocket();
        socket.setEnabledProtocols(new String[] {"SSLv3", "TLSv1"});

        return socket;
    }
}

====================




---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org


Mime
View raw message