hc-httpclient-users mailing list archives

From James Vu <jtua...@yahoo.com>
Subject Re: How come my http-client is not presenting the certificate?
Date Sat, 07 Oct 2006 22:30:47 GMT
Julius:

I will try this on Thursday next week and I will post the results for you.

Thank you very much for your help and hopefully it
will work,
JT

--- Julius Davies <juliusdavies@cucbc.com> wrote:

> Hi, James,
> 
> Did you try the test below, where I analyzed the socket after the GET
> request had gone through?
> 
> final SSLSocket[] socket = new SSLSocket[ 1 ];
> 
> Inside the "SSLWrapperFactory" anonymous inner class, add this:
> 
> socket[ 0 ] = s;
> 
> After the GET response has come back through httpclient, take a look at
> the client certs yet again:
> 
> Certificate[] certs = socket[ 0 ].getSession().getLocalCertificates();
> if ( certs != null )
> {
>   System.out.println( "client certs:" );
>   for ( int i = 0; i < certs.length; i++ )
>   {
>     X509Certificate c = (X509Certificate) certs[ i ];
>     System.out.println( Certificates.toString( c ) );
>   }
> }
> else
> {
>   System.out.println( "client certs: null" );
> }
> 
> For me that was showing that in the end httpclient did send the client
> cert, but perhaps it just didn't send it in time for the first request?
> 
> With that in mind I have one idea:
> 
> 1.  Use a "MultiThreadedHttpConnectionManager" configured to only pool a
> single connection, and try that initial GET request against the
> "LOCKDOWN" path twice.  That way hopefully the socket will be
> authenticated in time for the 2nd request.
> 
> (Be sure to read off the full reply of the first request before sending
> the second one).
> 
> MultiThreadedHttpConnectionManager connectionManager = new MultiThreadedHttpConnectionManager();
> HttpConnectionManagerParams params = connectionManager.getParams();
> params.setDefaultMaxConnectionsPerHost( 1 );
> params.setMaxTotalConnections( 1 );
> HttpClient client = new HttpClient( connectionManager );
> 
> So do the GET or POST request you had in mind a first time to try and
> get the ssl handshake to happen.  Then do your real GET or POST
> afterwards.  (Or maybe just start off with a HEAD request the first
> time.)
> 
> Since the ConnectionManager is only holding a single socket, hopefully
> that socket will stay in use (and not get shutdown), and become a
> special "authenticated" socket!
> 
> yours,
> 
> Julius
> 
> 
> 
> On Fri, 2006-06-10 at 20:20 -0700, James Vu wrote:
> > Julius:
> > 
> > Thanks so much for your time.  The server that I am connected to is
> > "Netscape CMS 4.5" so I could not find where to configure the WANT vs
> > the NEED flag.
> > 
> > So from what you are saying is that there is not much else I can do
> > with HttpClient and commons-ssl?  I know that openssl worked since I
> > have tested manually with that, should I look at PureTLS (which is a
> > Java wrapper for openssl)?
> > 
> > what is your advice?  Where do I go from here?
> > 
> > thanks again,
> > JT
> > 
> > --- Julius Davies <juliusdavies@cucbc.com> wrote:
> > 
> > > ps.  If you can get your server to set itself into WANT-CLIENT-AUTH
> > > mode from the very beginning, things might work better.
> > > WANT-CLIENT-AUTH mode still allows sockets that don't have client
> > > certificates to be established.
> > > 
> > > Only NEED-CLIENT-AUTH mode disallows socket creation in those cases.
> > > 
> > > So if your server was setup with WANT-CLIENT-AUTH mode right from the
> > > beginning, httpclient would be able to send the client cert on all
> > > requests, and not have to worry about this situation where a client
> > > cert is asked for right in the middle of a request (after the GET or
> > > POST line has been sent!).
> > > 
> > > But I would still like to see what it takes to get commons-ssl and
> > > httpclient to work flawlessly with the scenario you've identified.
> > > 
> > > 
> > > yours,
> > > 
> > > Julius
> > > 
> > > 
> > > On Fri, 2006-06-10 at 13:09 -0700, Julius Davies wrote:
> > > > Hi, James,
> > > > 
> > > > Wow!  A person can call the following in the middle of a TCP/IP session:
> > > > 
> > > > // This happens in the server:
> > > > // SSLSocket "s" came from a serverSocket.accept() call.
> > > > s.setNeedClientAuth( true );
> > > > s.getSession().invalidate();
> > > > s.startHandshake();
> > > > 
> > > > I didn't know that.
> > > > 
> > > > But commons-ssl didn't seem to mind at all.  I just needed to alter the
> > > > test code a little to see that it worked.  Add this at the top:
> > > > 
> > > > final SSLSocket[] socket = new SSLSocket[ 1 ];
> > > > 
> > > > Inside the "SSLWrapperFactory" anonymous inner class, add this:
> > > > 
> > > > socket[ 0 ] = s;
> > > > 
> > > > After everything is done, take a look at the client certs yet again:
> > > > 
> > > > Certificate[] certs = socket[ 0 ].getSession().getLocalCertificates();
> > > > if ( certs != null )
> > > > {
> > > >   System.out.println( "client certs:" );
> > > >   for ( int i = 0; i < certs.length; i++ )
> > > >   {
> > > >     X509Certificate c = (X509Certificate) certs[ i ];
> > > >     System.out.println( Certificates.toString( c ) );
> > > >   }
> > > > }
> > > > else
> > > > {
> > > >   System.out.println( "client certs: null" );
> > > > }
> > > > 
> > > > 
> > > > yours,
> > > > 
> 
=== message truncated ===
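The approach Julius sketches in the quoted reply (pool exactly one connection, make a throwaway request so the server can demand the client certificate mid-connection, then inspect the socket's current session with getLocalCertificates() before and after the real request) is put together below as one runnable HttpClient 3.x program. It is an added example written for this archive page, not code from the thread, from HttpClient or from commons-ssl: it uses plain JSSE (an SSLContext loaded from a PKCS#12 keystore) in place of commons-ssl's SSLWrapperFactory, and the keystore file name, its password and the https://server.example/LOCKDOWN URL are placeholders to replace with your own.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpMethod;
import org.apache.commons.httpclient.MultiThreadedHttpConnectionManager;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.methods.HeadMethod;
import org.apache.commons.httpclient.params.HttpConnectionManagerParams;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

public class ClientCertProbe {

    /** Wraps a JSSE socket factory and keeps a handle on the last SSLSocket it created. */
    static class CapturingSocketFactory implements SecureProtocolSocketFactory {
        private final SSLSocketFactory jsse;
        volatile SSLSocket last; // with a pool of one, this is the socket every request reuses

        CapturingSocketFactory(SSLSocketFactory jsse) { this.jsse = jsse; }

        private Socket remember(Socket s) { last = (SSLSocket) s; return s; }

        public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException {
            return remember(jsse.createSocket(socket, host, port, autoClose));
        }
        public Socket createSocket(String host, int port, InetAddress localAddr, int localPort) throws IOException {
            return remember(jsse.createSocket(host, port, localAddr, localPort));
        }
        public Socket createSocket(String host, int port, InetAddress localAddr, int localPort,
                                   HttpConnectionParams params) throws IOException {
            return createSocket(host, port, localAddr, localPort); // connect timeout ignored for brevity
        }
        public Socket createSocket(String host, int port) throws IOException {
            return remember(jsse.createSocket(host, port));
        }
    }

    /** Builds an SSLContext whose key manager holds the client key and certificate from a PKCS#12 file. */
    static SSLContext clientContext(String p12Path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        FileInputStream in = new FileInputStream(p12Path);
        try { ks.load(in, password); } finally { in.close(); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // null trust managers: the JVM's default trust store
        return ctx;
    }

    /** The check from the thread: what does the socket's current session say we presented? */
    static String describeLocalCerts(SSLSocket s) {
        if (s == null) return "no socket captured yet";
        Certificate[] certs = s.getSession().getLocalCertificates();
        if (certs == null) return "client certs: null";
        StringBuilder sb = new StringBuilder("client certs:");
        for (int i = 0; i < certs.length; i++) {
            sb.append("\n  ").append(((X509Certificate) certs[i]).getSubjectX500Principal());
        }
        return sb.toString();
    }

    /** Executes a method and drains its body so the single pooled connection can be reused. */
    static int run(HttpClient client, HttpMethod m) throws IOException {
        try {
            int status = client.executeMethod(m);
            m.getResponseBodyAsString();
            return status;
        } finally {
            m.releaseConnection();
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholders, not values from the thread: your keystore, its password and your LOCKDOWN URL.
        String url = args.length > 0 ? args[0] : "https://server.example/LOCKDOWN";
        SSLContext ctx = clientContext("client.p12", "changeit".toCharArray());
        CapturingSocketFactory factory = new CapturingSocketFactory(ctx.getSocketFactory());
        Protocol.registerProtocol("https", new Protocol("https", factory, 443));

        MultiThreadedHttpConnectionManager cm = new MultiThreadedHttpConnectionManager();
        HttpConnectionManagerParams params = cm.getParams();
        params.setDefaultMaxConnectionsPerHost(1);
        params.setMaxTotalConnections(1);
        HttpClient client = new HttpClient(cm);

        // First request: gives the server its chance to demand the client cert mid-connection.
        System.out.println("HEAD -> " + run(client, new HeadMethod(url)) + "\n" + describeLocalCerts(factory.last));
        // Second request on the same pooled socket: should now ride the client-authenticated session.
        System.out.println("GET  -> " + run(client, new GetMethod(url)) + "\n" + describeLocalCerts(factory.last));
    }
}
```

getSession() always returns the socket's current session, so if the server renegotiated during the HEAD, the second describeLocalCerts() call reports the new session and should list the client certificate where the first reported null. Two caveats when reproducing this today: the server-initiated re-handshake the thread relies on is TLS renegotiation, which modern JSSE only permits in its RFC 5746 secure form and which TLS 1.3 has removed altogether, so the program is useful as a diagnostic for the TLS 1.0 to 1.2 deployments it was written for; and keeping the pool at one connection is a debugging aid, not a production setting.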




