hc-httpclient-users mailing list archives

From "sudip shrestha" <sud...@gmail.com>
Subject Re: Fwd: SSLHandshakeException with apache+tomcat httpd server
Date Sat, 06 May 2006 18:26:34 GMT
Thanks, Julius. Your solution is much easier to work with than the one I put
together.

On 5/6/06, Julius Davies <juliusdavies@cucbc.com> wrote:
>
> Hi, Sudip,
>
> I think I have a solution.
>
> You will need to download the latest version of "commons-ssl.jar" that I
> am working on.  It now includes modified versions of the
> "org.apache.commons.httpclient.contrib.ssl" classes.
>
> http://juliusdavies.ca/commons-ssl/
>
> I've created a TrustExample.java file for you.  Try running its main
> method with the following jars in your classpath:
>
> commons-codec.jar
> commons-httpclient.jar
> commons-logging.jar
> commons-ssl.jar
>
> It should output the following:
>
> HTTPClient: HTTP/1.1 200 OK
> Java:       javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: No trusted certificate found
>
>
> Here are two links to TrustExample.java (the second link uses HTML for
> syntax highlighting):
>
> http://juliusdavies.ca/commons-ssl/TrustExample.java
> http://juliusdavies.ca/commons-ssl/TrustExample.java.html
>
> I hope this helps.  Thanks for your help testing the proxy feature of my
> commons-ssl Ping utility!  I'm glad to hear it works!
>
>
> yours,
>
> Julius
>
>
> -----Original Message-----
> From:   sudip shrestha [mailto:sudipx@gmail.com]
> Sent:   Fri 5/5/2006 7:13 PM
> To:     Julius Davies
> Cc:
> Subject:        Re: Fwd: SSLHandshakeException with apache+tomcat httpd server
>
> It seemed to work ok.... I am sort of wondering how I attach the
> my.keystore file with the applet.
>
> This was the output:
> --------------------------------
>
> HEAD / HTTP/1.1
> Host: mydomain.com
>
> Reading:
>
> ================================================================================
> HTTP/1.1 302 Moved Temporarily
> Date: Sat, 06 May 2006 02:05:19 GMT
> Server: Apache
> Set-Cookie: JSESSIONID=87BD0090FE9C884140543A2F3662D0EE; Path=/; Secure
> Location: https://mydomain/actions/checkSession.do;jsessionid=87BD0090FE9C884140543A2F3662D0EE?method=checkSession
> Content-Type: httpd/unix-directory
>
> Server Certificate Chain for: [mydomain.com/ipaddx:443]
>
> ================================================================================
> s.0: CN=mydomain.com, OU=InstantSSL, OU=IS, O=xxx, STREET=addr, STREET=xxx,
> L=xx, ST=xx, OID.add=00000-1892, C=US
> i.0: CN=AddTrust External CA Root, OU=AddTrust External TTP Network,
> O=AddTrust AB, C=SE
> -----BEGIN CERTIFICATE-----
> [...]
> -----END CERTIFICATE-----
> s.1: CN=AddTrust External CA Root, OU=AddTrust External TTP Network,
> O=AddTrust AB, C=SE
> i.1: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST
> Network, L=Salt Lake City, ST=UT, C=US
> -----BEGIN CERTIFICATE-----
> [...]
> -----END CERTIFICATE-----
>
>
>
>
>
> On 5/5/06, Julius Davies <juliusdavies@cucbc.com> wrote:
> >
> > Hi, Sudip,
> >
> > Thanks for your interesting question!  I added a "proxy" option to the
> > "commons-ssl.jar" tool.
> >
> > I realize you've already progressed on your problem, but would you mind
> > testing this option for me?
> >
> > Here's the latest version:
> >
> > http://juliusdavies.ca/commons-ssl/
> >
> > In particular:
> >
> > http://juliusdavies.ca/commons-ssl/commons-ssl.jar
> >
> >
> > Please try running:
> >
> > java -jar commons-ssl.jar -t [mydomain.com]:443 -r [myproxy.com]:80
> >
> > Does it work?
> >
> >
> >
> > yours,
> >
> > Julius
> >
> >
> >
> > ==============================================================================
> > Usage:  java -jar commons-ssl.jar [options]
> > Options:   (*=required)
> > *  -t  --target           [hostname[:port]]             default port=443
> >    -b  --bind             [hostname[:port]]             default port=0 "ANY"
> >    -r  --proxy            [hostname[:port]]             default port=80
> >    -c  --client-cert      [path to client certificate]  *.jks or *.pfx
> >    -p  --password         [client cert password]
> >
> > Example:
> >
> > java -jar commons-ssl.jar -t cucbc.com:443 -c ./client.pfx -p `cat ./pass.txt`
> >
> >
> > ==============================================================================
> >
> >
> > On Fri, 2006-05-05 at 15:38 -0500, sudip shrestha wrote:
> > > > I am not sure how to deploy the my.keystore file with the applet?  Thanks
> > > > for any suggestions.
> > >
> > > ---------- Forwarded message ----------
> > > From: sudip shrestha <sudipx@gmail.com>
> > > Date: May 5, 2006 2:08 PM
> > > Subject: Re: SSLHandshakeException with apache+tomcat httpd server
> > > To: Julius Davies <juliusdavies@cucbc.com>
> > >
> > > Hi,
> > > OK... This is what I did and fixed my problem:
> > > 1. I first got my keystore from CA-cert:
> > > keytool -import -trustcacerts -keystore my.keystore -file
> > > mydomain.com.crt -alias mydomainkey
> > > 2. Then added a line before creating new Protocol object with
> > > StrictSSLProtocolSocketFactory:
> > > ------------------
> > >     System.setProperty("javax.net.ssl.trustStore", "my.keystore");
> > >
> > >     Protocol stricthttps = new Protocol( "https", new
> > > StrictSSLProtocolSocketFactory(true), 443);
> > >     httpclient.getHostConfiguration().setHost("mydomain.com", 443,
> > > stricthttps);
> > >
> > >     httpclient.executeMethod( httpget );
> > >     System.out.println( new String( httpget.getResponseBody () ) );
> > >
> > >     System.out.println( httpget.getStatusLine() );
> > > ------------------
> > > Then, I was able to get secure urls normally from mydomain.com.  But now I
> > > am wondering how I put the my.keystore file on the client machine, as these
> > > urls will be accessed by an Applet.
> > >
> > >
> > >
> > > On 5/5/06, sudip shrestha <sudipx@gmail.com> wrote:
> > > >
> > > > Julius, Thanks for your reply.  We have a proxy server to go thru...  How
> > > > do I define a proxy server/port in command line with java -jar
> > > > commons-ssl.jar -t [mydomain.com]:443?
> > > >
> > > > Because, right now, this is all I get:
> > > > java.net.SocketTimeoutException: connect timed out
> > > >         at java.net.PlainSocketImpl.socketConnect(Native Method)
> > > >         at java.net.PlainSocketImpl.doConnect(Unknown Source)
> > > >         at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
> > > >         at java.net.PlainSocketImpl.connect(Unknown Source)
> > > >         at java.net.SocksSocketImpl.connect(Unknown Source)
> > > >         at java.net.Socket.connect(Unknown Source)
> > > >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.connect(Unknown Source)
> > > >         at org.apache.commons.ssl.SSLClient.createSocket(SSLClient.java:189)
> > > >         at org.apache.commons.ssl.SSLClient.createSocket(SSLClient.java:157)
> > > >         at org.apache.commons.ssl.SSLClient.createSocket(SSLClient.java:149)
> > > >         at org.apache.commons.ssl.Ping.main(Ping.java:136)
> > > >
> > > >
> > > > On 5/5/06, Julius Davies <juliusdavies@cucbc.com> wrote:
> > > > >
> > > > > Hi, Sudip,
> > > > >
> > > > > I'm working on a tool to help diagnose these kinds of problems.  Can you
> > > > > try this tool and report back on the output?
> > > > >
> > > > > http://juliusdavies.ca/commons-ssl/
> > > > >
> > > > > In particular, download:
> > > > >
> > > > > http://juliusdavies.ca/commons-ssl/commons-ssl.jar
> > > > >
> > > > > And then run:
> > > > >
> > > > > java -jar commons-ssl.jar -t [ mydomain.com]:443
> > > > >
> > > > > (You'll have to replace mydomain.com with the server in particular that
> > > > > you are using.)
> > > > >
> > > > > yours,
> > > > >
> > > > > Julius
> > > > >
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From:   sudip shrestha [mailto:sudipx@gmail.com]
> > > > > Sent:   Fri 5/5/2006 9:20 AM
> > > > > To:     httpclient-user@jakarta.apache.org
> > > > > Cc:
> > > > > Subject:        SSLHandshakeException with apache+tomcat httpd
> > server
> > > > >
> > > > > Hi,
> > > > > I have an apache httpd 2.0 server working with Tomcat 5.5.7 that serves
> > > > > dynamic content.  Only HTTPS requests are allowed by this server.  We have
> > > > > a trusted certificate from a CA, Comodo.  I have written an applet that
> > > > > needs to talk to this server via ssl.
> > > > > I have added the cert from the CA to the jdk keystore with:  keytool
> > > > > -import -file mydomain.com.crt.
> > > > >
> > > > > So, when I use this piece of code below to make a connection I get an
> > > > > Exception:
> > > > >
> > > > > javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > > > >         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
> > > > >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
> > > > >         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
> > > > >         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
> > > > >         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
> > > > >         at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
> > > > >         at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
> > > > >         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
> > > > >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
> > > > >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
> > > > >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
> > > > >         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
> > > > >         at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
> > > > >         at java.io.BufferedOutputStream.flush(Unknown Source)
> > > > >         at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:827)
> > > > >         at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1975)
> > > > >         at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
> > > > >         at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397)
> > > > >         at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
> > > > >         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
> > > > >         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
> > > > >         at main.main(main.java:54)
> > > > > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > > > >         at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
> > > > >         at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
> > > > >         at sun.security.validator.Validator.validate(Unknown Source)
> > > > >         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
> > > > >         at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)
> > > > >         ... 18 more
> > > > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > > > >         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
> > > > >         at java.security.cert.CertPathBuilder.build(Unknown Source)
> > > > >         ... 23 more
> > > > > ----------------------------------------------------------------
> > > > > Test Code:
> > > > > ---------------
> > > > >   HttpClient httpclient = new HttpClient();
> > > > >   GetMethod httpget = new GetMethod("https://mydomain.com/");
> > > > >   try {
> > > > >
> > > > >     //Protocol easyhttps = new Protocol("https", new EasySSLProtocolSocketFactory(), 443);
> > > > >     //Protocol.registerProtocol("https", easyhttps);
> > > > >
> > > > >     httpclient.executeMethod(httpget);
> > > > >
> > > > >     System.out.println( httpget.getStatusLine() );
> > > > >
> > > > >   } catch(Exception e) {
> > > > >     e.printStackTrace();
> > > > >   } finally {
> > > > >     httpget.releaseConnection();
> > > > >   }
> > > > > ----------------------------------------------------------------
> > > > >
> > > > > I have tried this with/without the EasySSLProtocolSocketFactory and I get
> > > > > the same result.   Searched through the archive but could not move
> > > > > forward.
> > > > >
> > > > > In my case, all the SSL requests are handled by apache first, so is there
> > > > > something else that I have to do to make it work?... thanks....
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > --
> > Julius Davies
> > Senior Application Developer, Technology Services
> > Credit Union Central of British Columbia
> > http://www.cucbc.com/
> > Tel: 604-730-6385
> > Cel: 604-868-7571
> > Fax: 604-737-5910
> >
> > 1441 Creekside Drive
> > Vancouver, BC
> > Canada
> > V6J 4S7
> >
>
>
>
>
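The thread's open question is how an applet gets at my.keystore without writing a file or a JVM-wide javax.net.ssl.trustStore property on the client. One way, shown here as an added example that is not part of the thread and not Julius's TrustExample.java or commons-ssl code: package the keytool-built truststore inside the applet jar and build an SSLContext from it, so only the anchors in that file are trusted, while (unlike EasySSLProtocolSocketFactory) PKIX path building and hostname verification stay switched on. The resource path /my.keystore and the password changeit are assumed placeholders; https://mydomain.com/ is the host from the thread.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLSocketFactory whose trust anchors come only from a truststore
 * bundled as a classpath resource (e.g. my.keystore inside the applet jar).
 * The JDK cacerts file and the javax.net.ssl.trustStore property are not used.
 */
public class BundledTrustStoreExample {

    public static SSLSocketFactory trustOnly(String resource, char[] password) throws Exception {
        // keytool writes a JKS file by default, which is also the JVM's default type
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = BundledTrustStoreExample.class.getResourceAsStream(resource);
        if (in == null) {
            throw new IllegalStateException("truststore not found on classpath: " + resource);
        }
        try {
            ts.load(in, password);   // password is only an integrity check for a truststore
        } finally {
            in.close();
        }
        // PKIX trust manager seeded with our anchors only
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // no client key material
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // "/my.keystore" and "changeit" are placeholders for the bundled truststore
        SSLSocketFactory sf = trustOnly("/my.keystore", "changeit".toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://mydomain.com/").openConnection();
        conn.setSSLSocketFactory(sf);   // scoped to this connection, not the whole JVM
        conn.setRequestMethod("HEAD");
        // A server chain that does not lead to an anchor in my.keystore fails here
        // with SSLHandshakeException: unable to find valid certification path
        System.out.println(conn.getResponseCode() + " " + conn.getResponseMessage());
    }
}
```

The truststore should hold the CA chain shown by the Ping output (AddTrust External CA Root and its UTN-USERFirst-Hardware issuer) rather than only the leaf, so a routine server certificate renewal does not break the applet.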
