hc-httpclient-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From James Vu <jtua...@yahoo.com>
Subject Re: How come my http-client is not presenting the certificate?
Date Thu, 12 Oct 2006 12:00:42 GMT
Julius:

This is not looking good at all.  It did not work for
me.  I get the client: null mesage.  I tried head and
then get and also get/releasseConnection/get again
which also fails.

I am running out of ideas.

JT

--- James Vu <jtuan98@yahoo.com> wrote:

> Julius:
> 
> I will try this on thursday next week and I will
> post
> the results for you.
> 
> Thank you very much for your help and hopefully it
> will work,
> JT
> 
> --- Julius Davies <juliusdavies@cucbc.com> wrote:
> 
> > Hi, James,
> > 
> > Did you try the test below, where I analyzed the
> > socket after the GET
> > request had gone through?
> > 
> > final SSLSocket[] socket = new SSLSocket[ 1 ];
> > 
> > Inside the "SSLWrapperFactory" anonymous inner
> > class, add this: 
> > 
> > socket[ 0 ] = s;
> > 
> > After the GET response has come back through
> > httpclient, take a look at
> > the client certs yet again:
> > 
> > Certificate[] certs = socket[ 0
> > ].getSession().getLocalCertificates();
> > if ( certs != null )
> > {
> >   System.out.println( "client certs:" );
> >   for ( int i = 0; i < certs.length; i++ )
> >   {
> >     X509Certificate c = (X509Certificate) certs[ i
> > ];
> >     System.out.println( Certificates.toString( c )
> > );
> >   }
> > }
> > else
> > {
> >   System.out.println( "client certs: null" );
> > }
> > 
> > For me that was showing that in the end httpclient
> > did send the client
> > cert, but perhaps it just didn't send it in time
> for
> > the first request?
> > 
> > With that in mind I have one idea:
> > 
> > 1.  Use a "MultiThreadedHttpConnectionManager"
> > configured to only pool a
> > single connection, and try that initial GET
> request
> > against the
> > "LOCKDOWN" path twice.  That way hopefully the
> > socket will be
> > authenticated in time for the 2nd request.
> > 
> > (Be sure to read off the full reply of the first
> > request before sending
> > the second one).
> > 
> > MultiThreadedHttpConnectionManager
> connectionManager
> > =  new MultiThreadedHttpConnectionManager();
> > HttpConnectionManagerParams params =
> > connectionManager.getParams();
> > params.setDefaultMaxConnectionsPerHost( 1 );
> > params.setMaxTotalConnections( 1 );	
> > HttpClient client = new
> > HttpClient(connectionManager);
> > 
> > So do the GET or POST request you had in mind a
> > first time to try and
> > get the ssl handshake to happen.  Then do your
> real
> > GET or POST
> > afterwards.  (Or maybe just start off with a HEAD
> > request the first
> > time.)
> > 
> > Since the ConnectionManager is only holding a
> single
> > socket, hopefully
> > that socket will stay in use (and not get
> shutdown),
> > and become a
> > special "authenticated" socket!
> > 
> > yours,
> > 
> > Julius
> > 
> > 
> > 
> > On Fri, 2006-06-10 at 20:20 -0700, James Vu wrote:
> > > Julius:
> > > 
> > > Thanks so much for your time.  The server that I
> > am
> > > connected to is "Netscape CMS 4.5" so I could
> not
> > find
> > > where to configure the WANT vs the NEED flag.  
> > > 
> > > So from what you are saying is that there is not
> > much
> > > else I can do with HttpClient and commons-ssl? 
> I
> > know
> > > that openssl worked since I have tested manually
> > with
> > > that, should I look at PureTLS (which is a Java
> > > wrapper for openssl)?
> > > 
> > > what is your advice?  Where do I go from here?
> > > 
> > > thanks again,
> > > JT
> > > 
> > > --- Julius Davies <juliusdavies@cucbc.com>
> wrote:
> > > 
> > > > ps.  If you can get your server to set itself
> > into
> > > > WANT-CLIENT-AUTH mode
> > > > from the very beginning, things might work
> > better. 
> > > > WANT-CLIENT-AUTH
> > > > mode still allows sockets that don't have
> client
> > > > certificates to be
> > > > established.
> > > > 
> > > > Only NEED-CLIENT-AUTH mode disallows socket
> > creation
> > > > in those cases.
> > > > 
> > > > So if your server was setup with
> > WANT-CLIENT-AUTH
> > > > mode right from the
> > > > beginning, httpclient would be able to send
> the
> > > > client cert on all
> > > > requests, and not have to worry about this
> > situation
> > > > where a client cert
> > > > is asked for right in the middle of a request
> > (after
> > > > the GET or POST
> > > > line has been sent!).
> > > > 
> > > > But I would still like to see what it takes to
> > get
> > > > commons-ssl and
> > > > httpclient to work flawlessly with the
> scenario
> > > > you've identified.
> > > > 
> > > > 
> > > > yours,
> > > > 
> > > > Julius
> > > > 
> > > > 
> > > > On Fri, 2006-06-10 at 13:09 -0700, Julius
> Davies
> > > > wrote:
> > > > > Hi, James,
> > > > > 
> > > > > Wow!  A person can call the following in the
> > > > middle of a TCP/IP session:
> > > > > 
> > > > > // This happens in the server:
> > > > > // SSLSocket "s" came from an
> > > > serverSocket.accept() call.
> > > > > s.setNeedClientAuth( true );
> > > > > s.getSession().invalidate();
> > > > > s.startHandshake();
> > > > > 
> > > > > I didn't know that.
> > > > > 
> > > > > But commons-ssl didn't seem to mind at all. 
> I
> > > > just needed to alter the
> > > > > test code a little to see that it worked. 
> Add
> > > > this at the top:
> > > > > 
> > > > > final SSLSocket[] socket = new SSLSocket[ 1
> ];
> > > > > 
> > > > > Inside the "SSLWrapperFactory" anonymous
> inner
> > > > class, add this:
> 
=== message truncated ===


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org


Mime
View raw message