From Jason Novotny <novo...@aei.mpg.de>
Subject Re: using SSL and trusted certs
Date Fri, 18 Mar 2005 21:58:37 GMT

Hi Mike,

    Thanks-- I checked that page out and found nothing of usefulness. 
The problem with that approach is I want to ship out some code that 
anyone can use, so it shouldn't have to reference a particular 
keystore-- the deployment of their particular trusted certs is an 
orthogonal issue.

The example found at 
http://svn.apache.org/viewcvs.cgi/jakarta/commons/proper/httpclient/branches/HTTPCLIENT_2_0_BRANCH/src/contrib/org/apache/commons/httpclient/contrib/ssl/AuthSSLProtocolSocketFactory.java?view=markup

shows how one would have to do the following:

Protocol authhttps = new Protocol("https",
        new AuthSSLProtocolSocketFactory(
            new URL("file:my.keystore"), "mypassword",
            new URL("file:my.truststore"), "mypassword"), 443);

This hardcoding of keystores and paths simply won't work in my situation.


     I was led to believe that adding the certs into the standard 
trusted certs location which I believe is 
$JAVA_HOME/jre/lib/security/cacerts should be the right approach-- I'm 
just wondering why it's not working-- is there a flag for more verbose 
JSSE logging-- so at least I can be sure what cacerts it is checking?

    Thanks, Jason


Michael Becke wrote:

>Hi Jason,
>
>HttpClient uses JSSE which works with self-signed certs.  Please have
>a look at the HttpClient SSL page for some troubleshooting ideas
><http://jakarta.apache.org/commons/httpclient/sslguide.html>.
>
>Mike
>
>
>On Fri, 18 Mar 2005 10:46:45 -0800, Jason Novotny <novotny@aei.mpg.de> wrote:
>  
>
>>Hi,
>>
>>    I'm just trying to connect to Tomcat manager webapp over HTTPS:
>>
>>https://devportal.nersc.gov:11443/manager/list
>>
>>The webserver has its own certificate with 2 other certs in the chain. I
>>thought by adding the 3 certs to my JDK keystore, it would work, so I
>>tried importing them via keytool:
>>
>>keytool -import -v -trustcacerts -alias trustcert{1,3} -file cert{1,3}
>>-keystore /usr/java/jre/lib/security/cacerts
>>
>>and when I do keytool -list -v -keystore
>>/usr/java/jre/lib/security/cacerts  I see they are all there. However,
>>my application still gives me the following:
>>
>>core.registry.impl.tomcat.TomcatManagerWrapper  - connecting to URL
>>https://devportal.nersc.gov:11443/manager/list
>>javax.net.ssl.SSLHandshakeException:
>>sun.security.validator.ValidatorException: No trusted certificate found
>>        at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
>>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
>>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
>>        at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
>>
>>....
>>
>>This is java version "1.4.2_03" on Linux. Has anyone successfully used
>>httpclient SSL with their own trusted certs?
>>
>>    Thanks, Jason
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail: httpclient-user-help@jakarta.apache.org


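Added example (not code from the thread or from the HttpClient project): a small diagnostic that answers the "which cacerts is it checking?" question from inside the JVM that will actually run HttpClient. Sun's JSSE resolves the default trust store from the javax.net.ssl.trustStore system property, otherwise from lib/security/jssecacerts and then lib/security/cacerts under the running JVM's java.home (which is the jre directory of a JDK install, so a JDK at a different path than /usr/java will never see certs imported into /usr/java/jre/lib/security/cacerts). The helper prints that resolved path, lists the trusted aliases, and, if a PEM file holding the server chain (leaf first) is passed as the only argument, runs it through the same default X509TrustManager that HttpClient's stock https Protocol uses during the handshake, so a "No trusted certificate found" failure can be reproduced without any keystore path hardcoded in application code. The class name, the "RSA" authType passed to checkServerTrusted and the PEM-file argument are assumptions of this example. For the handshake itself, the JSSE-wide switch for verbose logging is the -Djavax.net.debug=ssl system property, which also reports the trust store JSSE loaded.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Enumeration;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Diagnostic helper (added example, not part of the HttpClient project):
 * reports which trust store JSSE's default TrustManager reads in THIS JVM,
 * lists the trusted aliases and optionally validates a server chain.
 * Usage: java TrustStoreCheck [server-chain.pem]
 */
public class TrustStoreCheck {

    /** Resolve the trust store path the same way Sun JSSE does. */
    static File defaultTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) {
            return new File(prop);
        }
        File secDir = new File(System.getProperty("java.home"),
                               "lib" + File.separator + "security");
        File jsse = new File(secDir, "jssecacerts");   // JSSE checks this one first
        return jsse.exists() ? jsse : new File(secDir, "cacerts");
    }

    /** Load the JKS file; a null password skips the integrity check, as JSSE does. */
    static KeyStore loadTrustStore(File path) throws Exception {
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, pw == null ? null : pw.toCharArray());
        } finally {
            in.close();
        }
        return ks;
    }

    /** The default X509TrustManager built over the given trust store. */
    static X509TrustManager defaultTrustManager(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        TrustManager[] tms = tmf.getTrustManagers();
        for (int i = 0; i < tms.length; i++) {
            if (tms[i] instanceof X509TrustManager) {
                return (X509TrustManager) tms[i];
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Read a PEM bundle: server certificate first, then the intermediates. */
    static X509Certificate[] readChain(File pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream(pem);
        try {
            Collection certs = cf.generateCertificates(in);
            return (X509Certificate[]) certs.toArray(new X509Certificate[certs.size()]);
        } finally {
            in.close();
        }
    }

    public static void main(String[] args) throws Exception {
        File tsPath = defaultTrustStore();
        System.out.println("JVM java.home     : " + System.getProperty("java.home"));
        System.out.println("trust store in use: " + tsPath.getAbsolutePath());
        KeyStore ks = loadTrustStore(tsPath);
        int n = 0;
        for (Enumeration e = ks.aliases(); e.hasMoreElements(); n++) {
            System.out.println("  trusted alias: " + e.nextElement());
        }
        System.out.println(n + " trusted entries");

        if (args.length == 1) {
            X509Certificate[] chain = readChain(new File(args[0]));
            try {
                // Same check the default trust manager performs during the TLS handshake;
                // "RSA" is the key-exchange authType assumed for this example.
                defaultTrustManager(ks).checkServerTrusted(chain, "RSA");
                System.out.println("chain validates against " + tsPath);
            } catch (Exception ex) {
                System.out.println("chain REJECTED: " + ex);
            }
        }
    }
}
```

If the printed trust store path is not the file keytool wrote to, the imported certificates are simply not being consulted; if the path matches but the chain is still rejected, the alias list shows whether all three certificates (including the root) actually made it into the file.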

