Return-Path: X-Original-To: apmail-hc-dev-archive@www.apache.org Delivered-To: apmail-hc-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id F2587EB26 for ; Sat, 16 Feb 2013 22:07:23 +0000 (UTC) Received: (qmail 3850 invoked by uid 500); 16 Feb 2013 22:07:23 -0000 Delivered-To: apmail-hc-dev-archive@hc.apache.org Received: (qmail 3818 invoked by uid 500); 16 Feb 2013 22:07:23 -0000 Mailing-List: contact dev-help@hc.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "HttpComponents Project" Delivered-To: mailing list dev@hc.apache.org Received: (qmail 3810 invoked by uid 99); 16 Feb 2013 22:07:23 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 16 Feb 2013 22:07:23 +0000 X-ASF-Spam-Status: No, hits=0.7 required=5.0 tests=SPF_NEUTRAL X-Spam-Check-By: apache.org Received-SPF: neutral (athena.apache.org: local policy) Received: from [217.150.250.48] (HELO kalnich.nine.ch) (217.150.250.48) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 16 Feb 2013 22:07:17 +0000 Received: from [192.168.1.121] (77-57-197-206.dclient.hispeed.ch [77.57.197.206]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by kalnich.nine.ch (Postfix) with ESMTPSA id CFA12B80179 for ; Sat, 16 Feb 2013 23:06:55 +0100 (CET) Message-ID: <1361052414.19031.22.camel@ubuntu> Subject: Re: httpclient v4.2.1 and client certificates From: Oleg Kalnichevski To: HttpComponents Project Date: Sat, 16 Feb 2013 23:06:54 +0100 In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.6.2-0ubuntu0.1 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org On Sat, 2013-02-16 at 23:35 +0200, Graham Leggett wrote: > On 16 Feb 2013, at 9:42 PM, Graham Leggett wrote: > > > I am currently struggling with a problem attempting to use a client certificate to connect to a secure website using httpclient v4.2.1. > > > > When SSL debugging is enabled, I can see that despite the following -D options being passed, the keyStore is completely ignored: > > > > -Djavax.net.ssl.trustStore=/path/to/cacerts -Djavax.net.ssl.keyStore=/path/to/certificate.p12 -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.keyStoreType=PKCS12 > > > > The file /path/to/cacerts is read correctly, and the trust chain of the remote server is correctly verified. > > > > The file /path/to/certificate.p12 is completely ignored, and the remote server rejects the connection claiming (correctly) that the certificate is missing. > > > > Can anyone confirm whether a bug exists with httpclient and the ability to specify a client certificate? All the docs I've read to date suggest that httpdclient reads javax.net.ssl.keyStore, but the behaviour I am seeing would suggest this is broken. > > Some digging through the source has revealed the problem. > > It appears there are two classes that instantiate an HTTP connection, DefaultHttpClient and SystemDefaultHttpClient. Despite both claiming to be "default" behaviour, the real default behaviour is given by SystemDefaultHttpClient, which respects the -D parameters. > > DefaultHttpClient gives you semi-non-default behaviour. In this code the javax.net.ssl.keyStore parameter is ignored, but javax.net.ssl.trustStore is respected. I am assuming that the idea is that the caller would set the certs themselves rather than rely on system wide defaults, using the various constructors for SSLSocketFactory. > > Regards, > Graham > -- > Graham Historically HttpClient does not take any system properties into account by default given that it some managed environments access to system properties is restricted. The semi-non-default behaviour is what you get when creating an SSL context without any explicit trust / key material. Generally the users of HttpClient are expected to supply an SSL context, which is appropriate for their specific applications rather than HttpClient trying to figure out some sensible defaults in various contexts. Oleg --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org For additional commands, e-mail: dev-help@hc.apache.org