Return-Path:
Delivered-To: apmail-jakarta-httpclient-user-archive@www.apache.org
Received: (qmail 41396 invoked from network); 8 Oct 2006 16:18:51 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199)
  by minotaur.apache.org with SMTP; 8 Oct 2006 16:18:51 -0000
Received: (qmail 79538 invoked by uid 500); 8 Oct 2006 16:18:50 -0000
Delivered-To: apmail-jakarta-httpclient-user-archive@jakarta.apache.org
Received: (qmail 79326 invoked by uid 500); 8 Oct 2006 16:18:49 -0000
Mailing-List: contact httpclient-user-help@jakarta.apache.org; run by ezmlm
Precedence: bulk
List-Help:
List-Unsubscribe:
List-Post:
List-Id: "HttpClient User Discussion"
Reply-To: "HttpClient User Discussion"
Delivered-To: mailing list httpclient-user@jakarta.apache.org
Delivered-To: moderator for httpclient-user@jakarta.apache.org
Received: (qmail 26579 invoked by uid 99); 7 Oct 2006 22:30:52 -0000
Authentication-Results: idunn.apache.osuosl.org header.from=jtuan98@yahoo.com; domainkeys=good
X-ASF-Spam-Status: No, hits=2.8 required=5.0 tests=DNS_FROM_RFC_ABUSE,DNS_FROM_RFC_POST,DNS_FROM_RFC_WHOIS
DomainKey-Status: good
X-DomainKeys: Ecelerity dk_validate implementing draft-delany-domainkeys-base-01
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com;
  h=Message-ID:Received:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding;
  b=mogBxX3C0DMaafdYn83Oi7VPSJXbbbB+3q37ioTvkkzTjBmK6HmZ6XYu5e8852PGXCYGOg5mpCi9olCQwnjFw7H0mq6Vcw/hXgXiiqaCms0K/9wyrNSNwc9QU7PZfmVaxkqcRUE1CoHVnRCD6hux+NVQSeqE90kR9WOKLjE0PZQ= ;
Message-ID: <20061007223047.31905.qmail@web54209.mail.yahoo.com>
Date: Sat, 7 Oct 2006 15:30:47 -0700 (PDT)
From: James Vu
Subject: Re: How come my http-client is not presenting the certificate?
To: juliusdavies@cucbc.com
Cc: httpclient-user@jakarta.apache.org
In-Reply-To: <1160231304.4225.17.camel@angryarab.blogspot.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N

Julius:

I will try this on Thursday next week and I will post the results for you.

Thank you very much for your help and hopefully it will work,
JT

--- Julius Davies wrote:

> Hi, James,
>
> Did you try the test below, where I analyzed the socket after the GET
> request had gone through?
>
>     final SSLSocket[] socket = new SSLSocket[ 1 ];
>
> Inside the "SSLWrapperFactory" anonymous inner class, add this:
>
>     socket[ 0 ] = s;
>
> After the GET response has come back through httpclient, take a look at
> the client certs yet again:
>
>     Certificate[] certs = socket[ 0 ].getSession().getLocalCertificates();
>     if ( certs != null )
>     {
>         System.out.println( "client certs:" );
>         for ( int i = 0; i < certs.length; i++ )
>         {
>             X509Certificate c = (X509Certificate) certs[ i ];
>             System.out.println( Certificates.toString( c ) );
>         }
>     }
>     else
>     {
>         System.out.println( "client certs: null" );
>     }
>
> For me that was showing that in the end httpclient did send the client
> cert, but perhaps it just didn't send it in time for the first request?
>
> With that in mind I have one idea:
>
> 1. Use a "MultiThreadedHttpConnectionManager" configured to only pool a
>    single connection, and try that initial GET request against the
>    "LOCKDOWN" path twice. That way hopefully the socket will be
>    authenticated in time for the 2nd request.
>
>    (Be sure to read off the full reply of the first request before
>    sending the second one).
>
>     MultiThreadedHttpConnectionManager connectionManager = new MultiThreadedHttpConnectionManager();
>     HttpConnectionManagerParams params = connectionManager.getParams();
>     params.setDefaultMaxConnectionsPerHost( 1 );
>     params.setMaxTotalConnections( 1 );
>     HttpClient client = new HttpClient( connectionManager );
>
> So do the GET or POST request you had in mind a first time to try and
> get the ssl handshake to happen. Then do your real GET or POST
> afterwards. (Or maybe just start off with a HEAD request the first
> time.)
>
> Since the ConnectionManager is only holding a single socket, hopefully
> that socket will stay in use (and not get shut down), and become a
> special "authenticated" socket!
>
> yours,
>
> Julius
>
>
> On Fri, 2006-06-10 at 20:20 -0700, James Vu wrote:
> > Julius:
> >
> > Thanks so much for your time. The server that I am connected to is
> > "Netscape CMS 4.5" so I could not find where to configure the WANT vs
> > the NEED flag.
> >
> > So from what you are saying, there is not much else I can do with
> > HttpClient and commons-ssl? I know that openssl worked since I have
> > tested manually with that; should I look at PureTLS (which is a Java
> > wrapper for openssl)?
> >
> > What is your advice? Where do I go from here?
> >
> > thanks again,
> > JT
> >
> > --- Julius Davies wrote:
> >
> > > ps. If you can get your server to set itself into WANT-CLIENT-AUTH
> > > mode from the very beginning, things might work better.
> > > WANT-CLIENT-AUTH mode still allows sockets that don't have client
> > > certificates to be established.
> > >
> > > Only NEED-CLIENT-AUTH mode disallows socket creation in those cases.
> > >
> > > So if your server was set up with WANT-CLIENT-AUTH mode right from
> > > the beginning, httpclient would be able to send the client cert on
> > > all requests, and not have to worry about this situation where a
> > > client cert is asked for right in the middle of a request (after the
> > > GET or POST line has been sent!).
> > >
> > > But I would still like to see what it takes to get commons-ssl and
> > > httpclient to work flawlessly with the scenario you've identified.
> > >
> > >
> > > yours,
> > >
> > > Julius
> > >
> > >
> > > On Fri, 2006-06-10 at 13:09 -0700, Julius Davies wrote:
> > > > Hi, James,
> > > >
> > > > Wow! A person can call the following in the middle of a TCP/IP
> > > > session:
> > > >
> > > >     // This happens in the server:
> > > >     // SSLSocket "s" came from a serverSocket.accept() call.
> > > >     s.setNeedClientAuth( true );
> > > >     s.getSession().invalidate();
> > > >     s.startHandshake();
> > > >
> > > > I didn't know that.
> > > >
> > > > But commons-ssl didn't seem to mind at all. I just needed to alter
> > > > the test code a little to see that it worked. Add this at the top:
> > > >
> > > >     final SSLSocket[] socket = new SSLSocket[ 1 ];
> > > >
> > > > Inside the "SSLWrapperFactory" anonymous inner class, add this:
> > > >
> > > >     socket[ 0 ] = s;
> > > >
> > > > After everything is done, take a look at the client certs yet
> > > > again:
> > > >
> > > >     Certificate[] certs = socket[ 0 ].getSession().getLocalCertificates();
> > > >     if ( certs != null )
> > > >     {
> > > >         System.out.println( "client certs:" );
> > > >         for ( int i = 0; i < certs.length; i++ )
> > > >         {
> > > >             X509Certificate c = (X509Certificate) certs[ i ];
> > > >             System.out.println( Certificates.toString( c ) );
> > > >         }
> > > >     }
> > > >     else
> > > >     {
> > > >         System.out.println( "client certs: null" );
> > > >     }
> > > >
> > > >
> > > > yours,
> > > >
> === message truncated ===

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
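The exchange the thread is debugging, reproduced with plain JSSE so it can be run without HttpClient or commons-ssl (this is an added example, not code from the thread, from commons-ssl or from Netscape CMS): the server accepts the connection in plain mode, reads the request line, and only when it sees the "LOCKDOWN" path flips to NEED-CLIENT-AUTH and renegotiates, exactly the `setNeedClientAuth / invalidate / startHandshake` sequence Julius quotes. The client sends its GET, reads the reply, and then applies Julius's check, `getSession().getLocalCertificates()`, to see what it actually presented. Assumptions: a self-signed key pair in `demo.p12` (alias `demo`, password `changeit`) that both sides use as key store and trust store, port 8443, and a JDK with RFC 5746 secure renegotiation. The context is pinned to TLSv1.2 because TLS 1.3 has no renegotiation, so this mid-request trick cannot work there at all.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

/*
 * Create the assumed key store with:
 *   keytool -genkeypair -alias demo -keyalg RSA -keystore demo.p12 \
 *           -storetype PKCS12 -storepass changeit -dname CN=localhost
 */
public class MidRequestClientAuthDemo {

    static final String STORE = "demo.p12";              // assumed path
    static final char[] PASS = "changeit".toCharArray(); // assumed password
    static final int PORT = 8443;                        // assumed port

    /** One context for both roles: the self-signed cert is key and trust anchor. */
    static SSLContext context() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(STORE)) { ks.load(in, PASS); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASS);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        // TLS 1.2 only: renegotiation does not exist in TLS 1.3.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Server side: no cert requested up front, NEED mode only once the path is seen. */
    static void serve(SSLContext ctx) throws Exception {
        try (SSLServerSocket ss = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(PORT)) {
            ss.setWantClientAuth(false);                 // initial handshake asks for nothing
            try (SSLSocket s = (SSLSocket) ss.accept()) {
                BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream(), "ISO-8859-1"));
                String requestLine = in.readLine();      // e.g. "GET /LOCKDOWN HTTP/1.0"
                System.out.println("server got: " + requestLine);
                if (requestLine != null && requestLine.contains("/LOCKDOWN")) {
                    s.setNeedClientAuth(true);           // applies to the NEXT handshake
                    s.getSession().invalidate();         // force a full handshake, not resumption
                    s.startHandshake();                  // server-initiated renegotiation
                }
                for (String h; (h = in.readLine()) != null && !h.isEmpty(); ) { /* drain headers */ }
                String who;
                try {
                    Certificate[] peer = s.getSession().getPeerCertificates();
                    who = ((X509Certificate) peer[0]).getSubjectX500Principal().getName();
                } catch (SSLPeerUnverifiedException e) {
                    who = "anonymous";                   // non-LOCKDOWN path: no cert was ever asked for
                }
                String body = "authenticated as " + who + "\n";
                OutputStream out = s.getOutputStream();
                out.write(("HTTP/1.0 200 OK\r\nContent-Length: " + body.length() + "\r\n\r\n" + body)
                        .getBytes("ISO-8859-1"));
                out.flush();
            }
        }
    }

    /** Client side: send, read the whole reply, THEN inspect the local cert chain. */
    static Certificate[] fetch(SSLContext ctx) throws Exception {
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket("localhost", PORT)) {
            s.getOutputStream().write("GET /LOCKDOWN HTTP/1.0\r\nHost: localhost\r\n\r\n".getBytes("ISO-8859-1"));
            s.getOutputStream().flush();
            // Blocking on the reply is what lets JSSE process the server's HelloRequest.
            BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream(), "ISO-8859-1"));
            for (String line; (line = in.readLine()) != null; ) System.out.println("client got: " + line);
            return s.getSession().getLocalCertificates();  // null => nothing was presented
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = context();
        Thread server = new Thread(() -> { try { serve(ctx); } catch (Exception e) { e.printStackTrace(); } });
        server.start();
        Thread.sleep(500);                               // crude: give the server time to bind
        Certificate[] certs = fetch(ctx);
        if (certs == null) {
            System.out.println("client certs: null");
        } else {
            for (Certificate c : certs)
                System.out.println("client cert: " + ((X509Certificate) c).getSubjectX500Principal());
        }
        server.join();
    }
}
```

Two points worth noticing when running it. The `invalidate()` call is not decoration: without it `startHandshake()` performs an abbreviated (resumed) handshake, and a resumed session cannot add a client certificate, so the server would never see one. And if the client context has no key manager, the renegotiation fails inside the client's read of the response rather than at connect time, which is why a client library that sent the request line first can look as if it "did not present the certificate".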
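Julius's single-connection warm-up idea, written out against the HttpClient 3.x API as an added example (not code from the thread or from the HttpClient project). Instead of commons-ssl's `SSLWrapperFactory`, a small `SecureProtocolSocketFactory` that delegates to a plain JSSE `SSLSocketFactory` records the last socket it created, so the same `getLocalCertificates()` check can be run after the pooled socket has served two requests. Assumptions: commons-httpclient 3.x on the classpath, the client key store and trust store supplied through the standard `javax.net.ssl.keyStore` / `javax.net.ssl.trustStore` system properties, `-Djdk.tls.client.protocols=TLSv1.2` on a modern JDK, and a hypothetical target URL passed as the first argument.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpMethod;
import org.apache.commons.httpclient.MultiThreadedHttpConnectionManager;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.methods.HeadMethod;
import org.apache.commons.httpclient.params.HttpConnectionManagerParams;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

public class WarmedUpClientAuth {

    /** Delegates to JSSE and remembers the last socket so its session can be inspected. */
    static final class RecordingSocketFactory implements SecureProtocolSocketFactory {
        private final SSLSocketFactory delegate;
        volatile SSLSocket last;

        RecordingSocketFactory(SSLSocketFactory delegate) { this.delegate = delegate; }

        private Socket record(Socket s) { last = (SSLSocket) s; return s; }

        public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException {
            return record(delegate.createSocket(socket, host, port, autoClose));
        }
        public Socket createSocket(String host, int port) throws IOException {
            return record(delegate.createSocket(host, port));
        }
        public Socket createSocket(String host, int port, InetAddress localAddr, int localPort) throws IOException {
            return record(delegate.createSocket(host, port, localAddr, localPort));
        }
        public Socket createSocket(String host, int port, InetAddress localAddr, int localPort,
                                   HttpConnectionParams params) throws IOException {
            // Connect timeout from params is ignored here to keep the example short.
            return record(delegate.createSocket(host, port, localAddr, localPort));
        }
    }

    /** Runs HEAD then GET on a pool that can hold exactly one socket; returns what that socket presented. */
    static Certificate[] run(SSLSocketFactory jsse, String url) throws IOException {
        RecordingSocketFactory factory = new RecordingSocketFactory(jsse);
        Protocol.registerProtocol("https", new Protocol("https", (ProtocolSocketFactory) factory, 443));

        MultiThreadedHttpConnectionManager cm = new MultiThreadedHttpConnectionManager();
        HttpConnectionManagerParams params = cm.getParams();
        params.setDefaultMaxConnectionsPerHost(1);   // one socket per host ...
        params.setMaxTotalConnections(1);            // ... and one socket in total
        HttpClient client = new HttpClient(cm);

        execute(client, new HeadMethod(url));        // 1st: lets the server demand the cert mid-request
        execute(client, new GetMethod(url));         // 2nd: same socket, already renegotiated

        SSLSocket s = factory.last;
        return s == null ? null : s.getSession().getLocalCertificates();
    }

    static void execute(HttpClient client, HttpMethod m) throws IOException {
        try {
            int status = client.executeMethod(m);
            m.getResponseBodyAsString();             // consume fully so the connection returns to the pool
            System.out.println(m.getName() + " -> " + status);
        } finally {
            m.releaseConnection();
        }
    }

    public static void main(String[] args) throws IOException {
        String url = args.length > 0 ? args[0] : "https://example.invalid/LOCKDOWN"; // hypothetical target
        Certificate[] certs = run((SSLSocketFactory) SSLSocketFactory.getDefault(), url);
        if (certs == null) {
            System.out.println("client certs: null");
        } else {
            for (Certificate c : certs)
                System.out.println("client cert: " + ((X509Certificate) c).getSubjectX500Principal());
        }
    }
}
```

The cast to `ProtocolSocketFactory` picks the non-deprecated `Protocol` constructor. The approach only helps if the server keeps the connection open between the two requests: a `Connection: close` on the first response (or an HTTP/1.0 server that closes after every reply) makes HttpClient open a fresh, unauthenticated socket for the second request, and `factory.last` will then point at that new socket rather than the one that was renegotiated.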