hc-dev mailing list archives

From "Oleg Kalnichevski (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPASYNC-111) SSL issue using SSLIOSessionStrategy and PoolingNHttpClientConnectionManager
Date Mon, 22 Aug 2016 15:36:20 GMT

    [ https://issues.apache.org/jira/browse/HTTPASYNC-111?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15431017#comment-15431017 ]

Oleg Kalnichevski commented on HTTPASYNC-111:
---------------------------------------------

bq. I am running on WebSphere application server (v 8.5.1) and Java 1.6 

I overlooked the fact that you run your code inside a WAS container. The problem is that many
app servers provide a preconfigured instance of {{SSLSocketFactory}} accessible through {{javax.net.ssl.SSLSocketFactory#getDefault()}}
that blocking HttpClient can make use of.

https://github.com/apache/httpclient/blob/4.5.x/httpclient/src/main/java/org/apache/http/conn/ssl/SSLConnectionSocketFactory.java#L190


This factory, however, is not applicable to HttpAsyncClient given that the Socket API is inherently
blocking and there is no equivalent mechanism for non-blocking {{SSLEngine}} (at least in
1.7 and below) that I know of.

When using HttpAsyncClient inside WAS there is no way around configuring the SSL context explicitly.

Oleg

> SSL issue using SSLIOSessionStrategy and PoolingNHttpClientConnectionManager
> ----------------------------------------------------------------------------
>
>                 Key: HTTPASYNC-111
>                 URL: https://issues.apache.org/jira/browse/HTTPASYNC-111
>             Project: HttpComponents HttpAsyncClient
>          Issue Type: Bug
>    Affects Versions: 4.1.1
>            Reporter: sudhish
>
> I am new to this so please pardon (and also educate me) if I am doing this wrong on this board.
> I am running on WebSphere application server (v 8.5.1) and Java 1.6
> I found an issue using the async client. My code looks like this.
> Registry<SchemeIOSessionStrategy> sessionStrategyRegistry = RegistryBuilder.<SchemeIOSessionStrategy>create()
>         .register("http", NoopIOSessionStrategy.INSTANCE)
>         .register("https", SSLIOSessionStrategy.getSystemDefaultStrategy())
>         .build();
> IOReactorConfig ioReactorConfig = IOReactorConfig.custom()
>         .setIoThreadCount(Runtime.getRuntime().availableProcessors())
>         .setConnectTimeout(30000)
>         .setSoTimeout(30000)
>         .build();
>
> ConnectingIOReactor ioReactor = new DefaultConnectingIOReactor(ioReactorConfig);
>
> PoolingNHttpClientConnectionManager connManager = new PoolingNHttpClientConnectionManager(
>         ioReactor, sessionStrategyRegistry);
> connManager.setDefaultMaxPerRoute(2);
> connManager.setMaxTotal(20);
>
> closeableHttpAsyncClient = HttpAsyncClientBuilder.create()
>         .setDefaultRequestConfig(RequestConfig.custom()
>                 .setConnectionRequestTimeout(30000)
>                 .setConnectTimeout(30000)
>                 .setSocketTimeout(60000)
>                 .setCookieSpec(CookieSpecs.IGNORE_COOKIES)
>                 .build())
>         .setConnectionManager(connManager)
>         .build();
> When I execute 
> Future<HttpResponse> future = closeableHttpAsyncClient.execute(request1, null);
> It fails with a
> Caused by: 
> java.security.cert.CertPathValidatorException: The certificate issued by CN=Principal Root CA G2 is not trusted; internal cause is: 
> 	java.security.cert.CertPathValidatorException: Certificate chaining error
> 	at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111)
> 	at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:176)
> 	at com.ibm.security.cert.PKIXCertPathBuilderImpl.myValidator(PKIXCertPathBuilderImpl.java:737)
> 	at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:649)
> 	at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:595)
> 	at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:356)
> 	... 25 more
> Caused by: 
> java.security.cert.CertPathValidatorException: Certificate chaining error
> 	at com.ibm.security.cert.CertPathUtil.findIssuer(CertPathUtil.java:316)
> 	at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:108)
> 	... 30 more
> My certs are ok.
> Without using async client. When I run using non-async client. It works (working code below). Since I am in WebSphere and it makes its own configurations for SSL. I was forced to use
> SSLConnectionSocketFactory.getSystemSocketFactory() <-- Without this, I get the same error as above.
> CloseableHttpClient client = HttpClients.custom()
>         .setSSLSocketFactory(SSLConnectionSocketFactory.getSystemSocketFactory()) // this line is key!
>         .build();
> final HttpGet request1 = new HttpGet(Url);
> CloseableHttpResponse resp = client.execute(request1);
> I went through all your examples and am under the assumption that
> SSLContext.createSystemDefault() should exhibit the same behaviour as
> SSLConnectionSocketFactory.getSystemSocketFactory() ?..
> It appears it's not? Am I missing something?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
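
Added example (not part of the original message and not HttpComponents project code): one way to configure the SSL context explicitly for HttpAsyncClient, which the comment above says is unavoidable inside WAS. It assumes the HttpAsyncClient 4.1 / HttpCore 4.4 API; the class name, the build helper and its trust store path, store type and password parameters are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.impl.nio.client.CloseableHttpAsyncClient;
import org.apache.http.impl.nio.client.HttpAsyncClients;
import org.apache.http.impl.nio.conn.PoolingNHttpClientConnectionManager;
import org.apache.http.impl.nio.reactor.DefaultConnectingIOReactor;
import org.apache.http.nio.conn.NoopIOSessionStrategy;
import org.apache.http.nio.conn.SchemeIOSessionStrategy;
import org.apache.http.nio.conn.ssl.SSLIOSessionStrategy;
import org.apache.http.ssl.SSLContexts;

public class ExplicitSslAsyncClient {

    // Hypothetical helper: path, store type and password are supplied by the caller.
    static CloseableHttpAsyncClient build(String trustStorePath, String storeType,
                                          char[] password) throws Exception {
        // Load the trust store that holds the CA which issued the server certificate.
        KeyStore trustStore = KeyStore.getInstance(storeType);
        InputStream in = new FileInputStream(trustStorePath);
        try {
            trustStore.load(in, password);
        } finally {
            in.close(); // Java 6 compatible, no try-with-resources
        }

        // null TrustStrategy: normal chain validation against this store only.
        SSLContext sslContext = SSLContexts.custom()
                .loadTrustMaterial(trustStore, null)
                .build();

        // This constructor keeps the default hostname verifier in place.
        Registry<SchemeIOSessionStrategy> registry =
                RegistryBuilder.<SchemeIOSessionStrategy>create()
                        .register("http", NoopIOSessionStrategy.INSTANCE)
                        .register("https", new SSLIOSessionStrategy(sslContext))
                        .build();

        PoolingNHttpClientConnectionManager connManager =
                new PoolingNHttpClientConnectionManager(
                        new DefaultConnectingIOReactor(), registry);

        return HttpAsyncClients.custom().setConnectionManager(connManager).build();
    }
}
```

The returned client has to be started with start() before execute() is called.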

