hc-httpclient-users mailing list archives

From "Terehoff Alex" <terehoff_a...@bah.com>
Subject HttpClient with certificate issued by Oracle OCA
Date Wed, 26 Apr 2006 01:57:09 GMT
 

-----Original Message-----
From: Terehoff Alex 
Sent: Tuesday, April 25, 2006 9:20 PM
To: 'Julius Davies'
Subject: RE: HttpClient with certificate issued by Oracle OCA

Julius,
Thank you very much for the information. I will try to make a test case
today using your instructions. I still have a question.... You have
mentioned that it forces you to pre-install (on your local machine) the
self-signed certificate you are going to trust... Did you mean the user's PC
or the App Server when referring to "Local Machine"?

We are using HttpClient within a web application to make calls to SSL
protected resources on the same or different servers but always on the
same domain.

Alex



-----Original Message-----
From: Julius Davies [mailto:juliusdavies@cucbc.com]
Sent: Tuesday, April 25, 2006 7:01 PM
To: HttpClient User Discussion
Cc: Terehoff Alex
Subject: Re: HttpClient with certificate issued by Oracle OCA

Hi, Alex,

Here's an old email I wrote in February about this.  It might help.


On Fri, 2006-17-02 at 14:21 -0800, Julius Davies wrote: 
> 
> I'm working on a solution to this.  I have to improve the comments and
> code style, but other than that, I think this should work for you!
> 
> http://juliusdavies.ca/httpclient-contrib/
> 
> You can compile the code yourself, or you can put 
> "httpclient-contrib.jar" in your classpath:
> 
> http://juliusdavies.ca/httpclient-contrib/httpclient-contrib.jar
> 
> Here are the instructions for use:
> 
> ===================================================
> 
> TrustSSLProtocolSocketFactory allows you exercise full control over 
> the HTTPS server certificates you are going to trust. Instead of 
> relying on the Certificate Authorities already present in 
> "jre/lib/security/cacerts", TrustSSLProtocolSocketFactory only trusts 
> the public certificates you provide to its constructor.
> 
> TrustSSLProtocolSocketFactory can be used to create SSLSockets that 
> accept self-signed certificates. Unlike EasySSLProtocolSocketFactory, 
> TrustSSLProtocolSocketFactory can be used in production. This is 
> because it forces you to pre-install (on your local machine) the 
> self-signed certificate you are going to trust.
> 
> TrustSSLProtocolSocketFactory can parse both Java Keystore Files
> (*.jks) and base64 PEM encoded public certificates (*.pem).
> 
> Example of using TrustSSLProtocolSocketFactory
> 
>  1.  First we must find the certificate we want to trust.  In this example
>      we'll use gmail.google.com's certificate.
> 
>    openssl s_client -showcerts -connect gmail.google.com:443
> 
>  2.  Cut & paste into a "cert.pem" any certificates you are interested in
>      trusting in accordance with your security policies.  In this example I'll
>      actually use the current "gmail.google.com" certificate (instead of the
>      Thawte CA certificate that signed the gmail certificate - that would be
>      too boring) - but it expires on June 7th, 2006, so this example won't be
>      useful for very long!
> 
>  Here's what my "cert.pem" file looks like:
> 
>  -----BEGIN CERTIFICATE-----
>  MIIDFjCCAn+gAwIBAgIDP3PeMA0GCSqGSIb3DQEBBAUAMEwxCzAJBgNVBAYTAlpB
>  MSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMRYwFAYDVQQD
>  Ew1UaGF3dGUgU0dDIENBMB4XDTA1MDYwNzIyMTI1N1oXDTA2MDYwNzIyMTI1N1ow
>  ajELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1v
>  dW50YWluIFZpZXcxEzARBgNVBAoTCkdvb2dsZSBJbmMxGTAXBgNVBAMTEGdtYWls
>  Lmdvb2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALoRiWYW0hZw
>  9TSn3s9912syZg1CP2TaC86PU1Ao2qf3pVu7Mx10Wl8W+aKZrQlvrYjTwku4sEh+
>  9uI+gWnfmCd0OyVcXr1eFOGCYiiyaPv79Wtb0m0d8GuiRSJhYkZGzGlgFViws2vR
>  BAMCD2fdp7WGJUVGYOO+s52dgAMUHQXxAgMBAAGjgecwgeQwKAYDVR0lBCEwHwYI
>  KwYBBQUHAwEGCCsGAQUFBwMCBglghkgBhvhCBAEwNgYDVR0fBC8wLTAroCmgJ4Yl
>  aHR0cDovL2NybC50aGF3dGUuY29tL1RoYXd0ZVNHQ0NBLmNybDByBggrBgEFBQcB
>  AQRmMGQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLnRoYXd0ZS5jb20wPgYIKwYB
>  BQUHMAKGMmh0dHA6Ly93d3cudGhhd3RlLmNvbS9yZXBvc2l0b3J5L1RoYXd0ZV9T
>  R0NfQ0EuY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEEBQADgYEAktM1l1cV
>  ebi+Uo6fCE/eLnvvY6QbNNCsU5Pi9B5E1BlEUG+AGpgzE2cSPw1N4ZZb+2AWWwjx
>  H8/IrJ143KZZXM49ri3Z2e491Jj8qitrMauT7/hb16Jw6I02/74/do4TtHu/Eifr
>  EZCaSOobSHGeufHjlqlC3ehC4Bx4mLexIMk=
>  -----END CERTIFICATE-----
> 
>  3.  Run "openssl x509" to analyze the certificate more deeply.  This helps
>      us answer questions like "Do we really want to trust it?  When does it
>      expire? What's the value of the CN (Common Name) field?".
> 
>      "openssl x509" is also super cool, and will impress all your friends,
>      coworkers, family, and that cute girl at the starbucks.   :-)
> 
>      If you dig through "man x509" you'll find this example.  Run it:
> 
>     openssl x509 -in cert.pem -noout -text
> 
>  4.  Rename "cert.pem" to "gmail.pem" so that step 5 works.
> 
>  5.  Setup the TrustSSLProtocolSocketFactory to trust "gmail.google.com"
>      for URLS of the form "https-gmail://" - but don't trust anything else
>      when using "https-gmail://":
> 
>      // HttpClient 3.x classes.  TrustSSLProtocolSocketFactory comes from the
>      // contrib jar linked above, not from httpclient.jar; the package below is
>      // the one used by the HttpClient contrib module (check the jar if it differs).
>      import org.apache.commons.httpclient.HttpClient;
>      import org.apache.commons.httpclient.methods.GetMethod;
>      import org.apache.commons.httpclient.protocol.Protocol;
>      import org.apache.commons.httpclient.contrib.ssl.TrustSSLProtocolSocketFactory;
> 
>      // The factory trusts only what is in gmail.pem; cacerts is never consulted
>      // for the "https-gmail" scheme.
>      TrustSSLProtocolSocketFactory sf = new TrustSSLProtocolSocketFactory( "/path/to/gmail.pem" );
>      Protocol trustHttps = new Protocol("https-gmail", sf, 443);
>      Protocol.registerProtocol("https-gmail", trustHttps);
> 
>      HttpClient client = new HttpClient();
>      GetMethod httpget = new GetMethod("https-gmail://gmail.google.com/");
>      client.executeMethod(httpget);
> 
>  6.  Notice that "https-gmail://" cannot connect to "www.wellsfargo.com" -
>      the server's certificate isn't trusted!  It would still work using
>      regular "https://" because Java would use the "jre/lib/security/cacerts"
>      file.
> 
>      httpget = new GetMethod("https-gmail://www.wellsfargo.com/");
>      client.executeMethod(httpget);
> 
>  javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
> 
> 
>  7.  Of course "https-gmail://" cannot connect to hosts where the CN field
>      in the certificate doesn't match the hostname.  The same is supposed to
>      be true of regular "https://", but HTTPClient is a bit lenient.
> 
>      httpget = new GetMethod("https-gmail://gmail.com/");
>      client.executeMethod(httpget);
> 
>  javax.net.ssl.SSLException: hostname in certificate didn't match: <gmail.com> != <gmail.google.com>
> 
> 
>  8.  You can use "*.jks" files instead of "*.pem" if you prefer.  Use the 2nd constructor
>      in that case to pass along the JKS password:
> 
>    new TrustSSLProtocolSocketFactory( "/path/to/gmail.jks", "my_password".toCharArray() );
> 
>  
> 
> On Fri, 2006-17-02 at 10:54 -0500, jwa@urbancode.com wrote:
> > I have a site using a self-signed certificate.
> > Is there a default local trustStore (and default password) that
> > httpclient will use without having to set the javax.net.ssl.trustStore
> > system property?
> > 
> > 
> 


On Tue, 2006-25-04 at 18:32 -0400, Terehoff Alex wrote:
> We are using HttpClient with EasySSLProtocolSocketFactory and
> EasyX509TrustManager over SSL enabled on Oracle Application Server 10g
> and we are getting the following error:
>  
> 
> java.security.cert.CertificateException: Untrusted Server Certificate Chain
>  
> We are using Oracle OCA (Certificate Authority) and Wallet manager.
> Certificate is configured correctly and works OK when using Web
> Browser (IE, Mozilla, Netscape). The issue however comes when we are
> attempting to use HttpClient to make a call to one of the SSL
> protected resources on the AS, as the certificate is self-signed and
> untrusted.
>  
> I wonder if somebody can give advice on how to resolve this issue.
>  
> In production release we are planning to use self-signed certificates.
>  
> Here is a trace from the log generated by HttpClient about the 
> certificate including the error:
> 


--
Julius Davies
Senior Application Developer, Technology Services
Credit Union Central of British Columbia
http://www.cucbc.com/
Tel: 604-730-6385
Cel: 604-868-7571
Fax: 604-737-5910

1441 Creekside Drive
Vancouver, BC
Canada
V6J 4S7

http://juliusdavies.ca/

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
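The step that TrustSSLProtocolSocketFactory performs behind the scenes, turning the PEM file from steps 2-4 into a trust store that contains nothing but those certificates, written out against the plain JDK as an added example. This is not code from the thread above or from the httpclient-contrib jar; the class name PinnedTrustStore, the alias prefix "pinned-" and the command-line arguments are my own choices, and it assumes the gmail.pem produced in step 4 sits in the working directory (or is passed as the first argument). Because the store is read by the JVM that runs HttpClient, it has to live on the machine hosting the web application, not on end users' PCs.

```java
import java.io.ByteArrayInputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example (not from the thread): build a trust store from a PEM file and inspect what it pins. */
public final class PinnedTrustStore {

    /** Parse every BEGIN/END CERTIFICATE block in the PEM bytes; a chain file yields several. */
    static List<X509Certificate> loadPem(byte[] pem) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        for (Certificate c : cf.generateCertificates(new ByteArrayInputStream(pem))) {
            out.add((X509Certificate) c);
        }
        if (out.isEmpty()) throw new CertificateException("no certificates found in PEM input");
        return out;
    }

    /** In-memory store holding only these certificates as trusted entries, i.e. what the *.jks variant would contain. */
    static KeyStore toTrustStore(List<X509Certificate> certs) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                       // start empty: nothing from jre/lib/security/cacerts
        for (int i = 0; i < certs.size(); i++) {
            ks.setCertificateEntry("pinned-" + i, certs.get(i));   // alias prefix is an arbitrary choice
        }
        return ks;
    }

    /** SSLContext whose trust anchors are exactly the entries in ks and nothing else. */
    static SSLContext sslContextFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Number of anchors the trust manager will accept; with a single PEM certificate this is 1. */
    static int anchorCount(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return ((X509TrustManager) tm).getAcceptedIssuers().length;
        }
        return 0;
    }

    /** Hostname check in the spirit of step 7: SAN dNSName entries first, subject CN only when no dNSName exists (no wildcards). */
    static boolean matchesHost(X509Certificate c, String host) throws Exception {
        Collection<List<?>> sans = c.getSubjectAlternativeNames();
        boolean sawDns = false;
        if (sans != null) {
            for (List<?> san : sans) {
                if (((Integer) san.get(0)) == 2) {         // GeneralName type 2 = dNSName
                    sawDns = true;
                    if (host.equalsIgnoreCase((String) san.get(1))) return true;
                }
            }
        }
        if (sawDns) return false;                       // SAN present: the CN must not be consulted
        for (Rdn rdn : new LdapName(c.getSubjectX500Principal().getName()).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) return host.equalsIgnoreCase(rdn.getValue().toString());
        }
        return false;
    }

    static String sha256(X509Certificate c) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(c.getEncoded())) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Usage: java PinnedTrustStore gmail.pem [out.jks storepass] */
    public static void main(String[] args) throws Exception {
        List<X509Certificate> certs = loadPem(Files.readAllBytes(Paths.get(args.length > 0 ? args[0] : "gmail.pem")));
        for (X509Certificate c : certs) {
            System.out.println("subject   : " + c.getSubjectX500Principal());
            System.out.println("expires   : " + c.getNotAfter());
            System.out.println("sha256    : " + sha256(c));
            System.out.println("matches gmail.google.com: " + matchesHost(c, "gmail.google.com"));
            try { c.checkValidity(); System.out.println("valid now : yes"); }
            catch (CertificateException e) { System.out.println("valid now : no (" + e.getMessage() + ")"); }
        }
        KeyStore ks = toTrustStore(certs);
        System.out.println("trust anchors: " + anchorCount(ks));
        sslContextFor(ks);                              // this is what a socket factory would be built from
        if (args.length > 2) {                          // optional *.jks for the two-argument contrib constructor
            try (OutputStream out = Files.newOutputStream(Paths.get(args[1]))) { ks.store(out, args[2].toCharArray()); }
        }
    }
}
```

Two things worth noticing when running it against the cert.pem shown in the thread: the "valid now" line comes out as "no", because that certificate stopped being valid on June 7th, 2006, exactly the caveat step 2 warns about, and pinning a leaf certificate rather than the issuing CA means every renewal on the server side has to be mirrored in the client's trust store. The matchesHost check is a reminder that the hostname comparison is a separate step from chain validation; trusting the certificate alone is what step 6 buys you, the name check is what step 7 adds.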

