hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Patrick Lightbody <patr...@lightbody.net>
Subject SSL Problems
Date Mon, 22 Aug 2011 21:24:22 GMT
I have the code below, which results in this exception:

Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
	at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:339)
	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:123)
	at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:147)
	at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:101)
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:381)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)

What's weird is that this code works for almost all URLs (try https://fidelity.com, for example)
but a few do not work. We've narrowed it down to this simple change in Apache:

# Works
SSLProtocol -ALL +SSLv3 +TLSv1

# Doesn't work
SSLProtocol -ALL +SSLv3

Any idea how I could support these kinds of SSL setups while still supporting all other major
sites (fidelity.com, twitter.com, etc). My goal is pretty much just to accept all SSL certs
and my TrustingSSLSocketFactory gets me 99% there, but I'd like to be 100% there. Any tips?



String url = "https://www.razoo.com/login";

HttpParams params = new BasicHttpParams();

SchemeRegistry schemeRegistry = new SchemeRegistry();
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
trustStore.load(null, null);
SSLSocketFactory sslSocketFactory = new TrustingSSLSocketFactory();
schemeRegistry.register(new Scheme("https", sslSocketFactory, 443));
schemeRegistry.register(new Scheme("http", new PlainSocketFactory(), 80));

DefaultHttpClient client = new DefaultHttpClient(new SingleClientConnManager(params, schemeRegistry),
HttpGet get = new HttpGet(url);
HttpResponse resp = client.execute(get);



public class TrustingSSLSocketFactory extends SSLSocketFactory {
    private static SSLContext sslContext;

    public TrustingSSLSocketFactory() {

    static {
        try {
            sslContext = SSLContext.getInstance("SSLv3");
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("Algorithm not found! Critical SSL error!", e);
        TrustManager easyTrustManager = new X509TrustManager() {
            public void checkClientTrusted(
                    X509Certificate[] chain,
                    String authType) throws CertificateException {
                // Oh, I am easy!

            public void checkServerTrusted(
                    X509Certificate[] chain,
                    String authType) throws CertificateException {
                // Oh, I am easy!

            public X509Certificate[] getAcceptedIssuers() {
                return null;

        try {
            sslContext.init(null, new TrustManager[]{easyTrustManager}, null);
        } catch (KeyManagementException e) {
            throw new RuntimeException("Unexpected key management error", e);

    public Socket createSocket() throws IOException {
        SSLSocket socket = (SSLSocket) super.createSocket();
        socket.setEnabledProtocols(new String[] {"SSLv3", "TLSv1"});

        return socket;


To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org

View raw message