From: Graham Leggett
To: "HttpComponents Project"
Subject: Re: httpclient v4.2.1 and client certificates
Date: Sat, 16 Feb 2013 23:35:33 +0200

On 16 Feb 2013, at 9:42 PM, Graham Leggett wrote:

> I am currently struggling with a problem attempting to use a client certificate to connect to a secure website using httpclient v4.2.1.
>
> When SSL debugging is enabled, I can see that despite the following -D options being passed, the keyStore is completely ignored:
>
> -Djavax.net.ssl.trustStore=/path/to/cacerts -Djavax.net.ssl.keyStore=/path/to/certificate.p12 -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.keyStoreType=PKCS12
>
> The file /path/to/cacerts is read correctly, and the trust chain of the remote server is correctly verified.
>
> The file /path/to/certificate.p12 is completely ignored, and the remote server rejects the connection claiming (correctly) that the certificate is missing.
>
> Can anyone confirm whether a bug exists with httpclient and the ability to specify a client certificate? All the docs I've read to date suggest that httpclient reads javax.net.ssl.keyStore, but the behaviour I am seeing would suggest this is broken.

Some digging through the source has revealed the problem.

It appears there are two classes that instantiate an HTTP connection, DefaultHttpClient and SystemDefaultHttpClient. Despite both claiming to be "default" behaviour, the real default behaviour is given by SystemDefaultHttpClient, which respects the -D parameters.

DefaultHttpClient gives you semi-non-default behaviour. In this code the javax.net.ssl.keyStore parameter is ignored, but javax.net.ssl.trustStore is respected. I am assuming that the idea is that the caller would set the certs themselves rather than rely on system wide defaults, using the various constructors for SSLSocketFactory.

Regards,
Graham
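
The two routes the message describes for HttpClient 4.2.x, as an added example that is not part of the original message and is not HttpComponents project code: passing the client keystore to an SSLSocketFactory constructor for DefaultHttpClient, or using SystemDefaultHttpClient. The class and method names (ClientCertHttpClient, load, required, explicitClient, systemPropertyClient) are hypothetical, and the example assumes the same javax.net.ssl.* properties from the message are set; it fails closed when the keystore properties are absent instead of connecting without a client certificate.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.client.SystemDefaultHttpClient;

public class ClientCertHttpClient {

    // Load a keystore of the given type (for example "PKCS12" or "JKS") from disk.
    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password); // a null password skips the integrity check
        } finally {
            in.close();
        }
        return ks;
    }

    // Read a system property and refuse to continue if it was not supplied.
    static String required(String name) {
        String value = System.getProperty(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("missing -D" + name);
        }
        return value;
    }

    // Route 1: DefaultHttpClient with key and trust material set by the caller.
    static HttpClient explicitClient() throws Exception {
        String keyPass = required("javax.net.ssl.keyStorePassword");
        KeyStore keyStore = load(required("javax.net.ssl.keyStore"),
                System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType()),
                keyPass.toCharArray());
        String trustPass = System.getProperty("javax.net.ssl.trustStorePassword");
        KeyStore trustStore = load(required("javax.net.ssl.trustStore"),
                System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType()),
                trustPass == null ? null : trustPass.toCharArray());
        // The keystore supplies the client certificate; the truststore verifies the server.
        SSLSocketFactory sf = new SSLSocketFactory(keyStore, keyPass, trustStore);
        DefaultHttpClient client = new DefaultHttpClient();
        client.getConnectionManager().getSchemeRegistry().register(new Scheme("https", 443, sf));
        return client;
    }

    // Route 2: SystemDefaultHttpClient, which respects the -D parameters itself.
    static HttpClient systemPropertyClient() {
        return new SystemDefaultHttpClient();
    }
}
```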