hc-httpclient-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jon.Andr...@eu.nabgroup.com
Subject Re: [HttpClient] Trying To Connect SSL
Date Wed, 20 Jul 2005 08:36:00 GMT
Yes import it into your "trusted" cacerts file, it's not going to get 
picked up from the classpath. 
As Oleg says, you can choose to do this programmatically...

Remember that theJSSE differentiates between keystoresand truststore. 

Keystores (from JSSE's perspective) are databases of key pairs and 
certificates that are used to set up SSL authentication. #

Truststores are keystores that are used to verify the identities of other 
clients and servers - this is what you'll be updating...

When a client or server is setting up an SSL session, it will retrieve its 
certificates and keys from its keystore. 
When it verifies the identities of other clients or servers, it will 
retrieve trusted certification authority (CA) certificates from its 
JSSE looks for truststores using the following algorithm.
1.      If the javax.net.ssl.trustStore system property is defined, then the value 
of this property is used as the truststore's location.
2.      If the file lib/security/jssecacerts file is defined off of the java.home 
directory, then the jssecacerts file is used as the truststore.
3.      If the file lib/security/cacerts file is defined off of the java.home 
directory, then the cacerts file is used as the truststore.

I have had to learn this the hard way a couple of weeks ago!!

Oleg Kalnichevski <olegk@apache.org>
20/07/2005 08:51
Please respond to "HttpClient User Discussion"

        To:     HttpClient User Discussion <httpclient-user@jakarta.apache.org>, 
        Subject:        Re: [HttpClient] Trying To Connect SSL

On Wed, Jul 20, 2005 at 02:39:24AM -0400, bashiro wrote:
>  Hello, Thanks for the thorough explaination. I really appreciate 
that.The certificate is Equifax Secure certificate, as I checked from 
IE.Do you mean I should import this certificate to my class path or into 
the"cacerts" file as you pointed out ?  Thanks a lotbashiro---

If you do not feel like modifying the cacerts file consider using the
AuthSSLProtocolSocketFactory socket factory instead. For details see the


Hope this helps


To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org

National Australia Group Europe Limited (Company Number 02108635, Registered Office 88 Wood
Street, London EC2V 7QQ) (NAGE) is a subsidiary of National Australia Bank Limited (an Australian
registered company). The following UK companies are authorised and regulated by the Financial
Services Authority: Clydesdale Bank PLC (trading as Clydesdale Bank and Yorkshire Bank), 
MLC Savings Limited, MLC Trust Management Company Limited, Clydesdale Bank Insurance Brokers
Limited, Yorkshire Bank Financial Services Limited, National Australia Insurance Services
Limited and Custom Fleet Limited. 

The views and opinions expressed in this email may not reflect the views and opinions of any
member of the group of which NAGE forms part. The information contained in this message is
confidential and may also be privileged. It is intended only for the addressee named above.
The unauthorised use, disclosure, copying or alteration of this message is strictly prohibited.
If you are not the addressee (or responsible for delivery of the message to the addressee),
please notify the originator immediately by return message and destroy the original message.
This message and any attachments have been scanned for viruses prior to leaving the NAGE network.
However, NAGE does not guarantee the security of this message and will not be responsible
for any damages arising as a result of any virus being passed on or arising from any alteration
of this message by a third party. NAGE may monitor emails sent to and from the NAGE network.

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message