hc-httpclient-users mailing list archives

From Julius Davies <juliusdav...@cucbc.com>
Subject Re: How come my http-client is not presenting the certificate?
Date Sat, 07 Oct 2006 14:28:24 GMT
Hi, James,

Did you try the test below, where I analyzed the socket after the GET
request had gone through?

final SSLSocket[] socket = new SSLSocket[ 1 ];

Inside the "SSLWrapperFactory" anonymous inner class, add this: 

socket[ 0 ] = s;

After the GET response has come back through httpclient, take a look at
the client certs yet again:

Certificate[] certs = socket[ 0 ].getSession().getLocalCertificates();
if ( certs != null )
{
  System.out.println( "client certs:" );
  for ( int i = 0; i < certs.length; i++ )
  {
    X509Certificate c = (X509Certificate) certs[ i ];
    System.out.println( Certificates.toString( c ) );
  }
}
else
{
  System.out.println( "client certs: null" );
}

For me that was showing that in the end httpclient did send the client
cert, but perhaps it just didn't send it in time for the first request?

With that in mind I have one idea:

1.  Use a "MultiThreadedHttpConnectionManager" configured to only pool a
single connection, and try that initial GET request against the
"LOCKDOWN" path twice.  That way hopefully the socket will be
authenticated in time for the 2nd request.

(Be sure to read off the full reply of the first request before sending
the second one).

MultiThreadedHttpConnectionManager connectionManager = new MultiThreadedHttpConnectionManager();
HttpConnectionManagerParams params = connectionManager.getParams();
params.setDefaultMaxConnectionsPerHost( 1 );
params.setMaxTotalConnections( 1 );
HttpClient client = new HttpClient( connectionManager );

So do the GET or POST request you had in mind a first time to try and
get the ssl handshake to happen.  Then do your real GET or POST
afterwards.  (Or maybe just start off with a HEAD request the first
time.)

Since the ConnectionManager is only holding a single socket, hopefully
that socket will stay in use (and not get shutdown), and become a
special "authenticated" socket!

yours,

Julius



On Fri, 2006-06-10 at 20:20 -0700, James Vu wrote:
> Julius:
> 
> Thanks so much for your time.  The server that I am
> connected to is "Netscape CMS 4.5" so I could not find
> where to configure the WANT vs the NEED flag.  
> 
> So from what you are saying is that there is not much
> else I can do with HttpClient and commons-ssl?  I know
> that openssl worked since I have tested manually with
> that, should I look at PureTLS (which is a Java
> wrapper for openssl)?
> 
> what is your advice?  Where do I go from here?
> 
> thanks again,
> JT
> 
> --- Julius Davies <juliusdavies@cucbc.com> wrote:
> 
> > ps.  If you can get your server to set itself into WANT-CLIENT-AUTH mode
> > from the very beginning, things might work better.  WANT-CLIENT-AUTH
> > mode still allows sockets that don't have client certificates to be
> > established.
> > 
> > Only NEED-CLIENT-AUTH mode disallows socket creation in those cases.
> > 
> > So if your server was set up with WANT-CLIENT-AUTH mode right from the
> > beginning, httpclient would be able to send the client cert on all
> > requests, and not have to worry about this situation where a client cert
> > is asked for right in the middle of a request (after the GET or POST
> > line has been sent!).
> > 
> > But I would still like to see what it takes to get commons-ssl and
> > httpclient to work flawlessly with the scenario you've identified.
> > 
> > 
> > yours,
> > 
> > Julius
> > 
> > 
> > On Fri, 2006-06-10 at 13:09 -0700, Julius Davies wrote:
> > > Hi, James,
> > > 
> > > Wow!  A person can call the following in the middle of a TCP/IP session:
> > > 
> > > // This happens in the server:
> > > // SSLSocket "s" came from a serverSocket.accept() call.
> > > s.setNeedClientAuth( true );
> > > s.getSession().invalidate();
> > > s.startHandshake();
> > > 
> > > I didn't know that.
> > > 
> > > But commons-ssl didn't seem to mind at all.  I just needed to alter the
> > > test code a little to see that it worked.  Add this at the top:
> > > 
> > > final SSLSocket[] socket = new SSLSocket[ 1 ];
> > > 
> > > Inside the "SSLWrapperFactory" anonymous inner class, add this:
> > > 
> > > socket[ 0 ] = s;
> > > 
> > > After everything is done, take a look at the client certs yet again:
> > > 
> > > Certificate[] certs = socket[ 0 ].getSession().getLocalCertificates();
> > > if ( certs != null )
> > > {
> > >   System.out.println( "client certs:" );
> > >   for ( int i = 0; i < certs.length; i++ )
> > >   {
> > >     X509Certificate c = (X509Certificate) certs[ i ];
> > >     System.out.println( Certificates.toString( c ) );
> > >   }
> > > }
> > > else
> > > {
> > >   System.out.println( "client certs: null" );
> > > }
> > > 
> > > 
> > > yours,
> > > 
> > > Julius
> > > 

-- 
Julius Davies
Senior Application Developer, Technology Services
Credit Union Central of British Columbia
http://www.cucbc.com/
Tel: 416-652-0183
Cel: 647-232-7571

1441 Creekside Drive
Vancouver, BC
Canada
V6J 4S7
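The single-connection "priming" idea above, written out end to end as an added example. This is not code from the thread, from commons-ssl or from HttpClient; it uses the HttpClient 3.x API (MultiThreadedHttpConnectionManager, Protocol, SecureProtocolSocketFactory) with plain JSSE in place of commons-ssl's SSLWrapperFactory, and the class name CapturingSocketFactory, the keystore path, password and URL are all placeholders chosen here. It sends a HEAD to the protected path to provoke the server's mid-request certificate demand, then issues the real GET on the same pooled socket and finally checks getLocalCertificates() on that socket to confirm the client certificate was actually presented.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.MultiThreadedHttpConnectionManager;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.methods.HeadMethod;
import org.apache.commons.httpclient.params.HttpConnectionManagerParams;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

// Added example, not code from the thread or from commons-ssl/HttpClient.
// Keystore path, password and URL are placeholders.
public class PrimedClientCertExample {
    static final String KEYSTORE_PATH = "/path/to/client.p12";              // placeholder
    static final char[] KEYSTORE_PASSWORD = "changeit".toCharArray();        // placeholder
    static final String LOCKDOWN_URL = "https://cms.example.com/LOCKDOWN";   // placeholder

    // Hands HttpClient plain JSSE sockets and keeps the last one (same idea as the
    // SSLSocket[1] holder in the thread) so its session can be inspected afterwards.
    static class CapturingSocketFactory implements SecureProtocolSocketFactory {
        private final SSLSocketFactory jsse;
        volatile SSLSocket lastSocket;

        CapturingSocketFactory(SSLSocketFactory jsse) { this.jsse = jsse; }

        private Socket remember(Socket s) { lastSocket = (SSLSocket) s; return s; }

        public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
            return remember(jsse.createSocket(s, host, port, autoClose));
        }
        public Socket createSocket(String host, int port, InetAddress local, int localPort) throws IOException {
            return remember(jsse.createSocket(host, port, local, localPort));
        }
        public Socket createSocket(String host, int port, InetAddress local, int localPort,
                                   HttpConnectionParams params) throws IOException {
            return remember(jsse.createSocket(host, port, local, localPort)); // timeouts ignored here
        }
        public Socket createSocket(String host, int port) throws IOException {
            return remember(jsse.createSocket(host, port));
        }
    }

    // KeyManager loaded with the client certificate and private key, so the JSSE socket
    // can answer the server's CertificateRequest; server trust uses the JDK default store.
    static SSLSocketFactory clientCertSocketFactory() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        FileInputStream in = new FileInputStream(KEYSTORE_PATH);
        try { ks.load(in, KEYSTORE_PASSWORD); } finally { in.close(); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, KEYSTORE_PASSWORD);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx.getSocketFactory();
    }

    // Client chain the socket actually presented; null means no client cert was sent.
    static Certificate[] presentedClientCerts(SSLSocket s) {
        return s == null ? null : s.getSession().getLocalCertificates();
    }

    public static void main(String[] args) throws Exception {
        CapturingSocketFactory sf = new CapturingSocketFactory(clientCertSocketFactory());
        Protocol.registerProtocol("https", new Protocol("https", (ProtocolSocketFactory) sf, 443));

        // Pool exactly one connection so the real request reuses the socket on which
        // the server-initiated client-auth handshake has already completed.
        MultiThreadedHttpConnectionManager cm = new MultiThreadedHttpConnectionManager();
        HttpConnectionManagerParams params = cm.getParams();
        params.setDefaultMaxConnectionsPerHost(1);
        params.setMaxTotalConnections(1);
        HttpClient client = new HttpClient(cm);

        // Priming request: provokes the mid-request certificate demand on the protected path.
        HeadMethod prime = new HeadMethod(LOCKDOWN_URL);
        try { client.executeMethod(prime); } finally { prime.releaseConnection(); }

        // Real request on the (hopefully) authenticated socket; read the body fully.
        GetMethod get = new GetMethod(LOCKDOWN_URL);
        try {
            System.out.println("status: " + client.executeMethod(get));
            get.getResponseBodyAsString();
        } finally { get.releaseConnection(); }

        Certificate[] certs = presentedClientCerts(sf.lastSocket);
        if (certs == null) {
            System.out.println("client certs: null");
        } else {
            for (int i = 0; i < certs.length; i++) {
                System.out.println("client cert: " + ((X509Certificate) certs[i]).getSubjectDN());
            }
        }
    }
}
```

Two things to check when running this: the trick only works if the server keeps the connection alive after the priming response (a `Connection: close` on the first reply means the GET opens a fresh, unauthenticated socket, which the `lastSocket` check will reveal as a null certificate list), and later JSSE releases restrict server-initiated renegotiation by default, so whether the mid-request handshake completes at all depends on the JDK and server in use rather than on HttpClient.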

