hc-httpclient-users mailing list archives

From "Julius Davies" <juliusdav...@gmail.com>
Subject Re: commons-ssl-0.3.4 released
Date Mon, 27 Nov 2006 03:28:50 GMT
Hi, Xiaofeng,

Sorry.  Commons-SSL doesn't actually implement SSL.  That's left to
the underlying JSSE provider.  Commons-SSL sits on top of the provider
and tries to make common tasks easier.  I like to think of this
library as a "HARD-to-EASY" adapter.

It takes something that's hard - for example, turning off certificate
expiry checking requires about a hundred lines of code - and makes it
easy:

socketFactory.setCheckExpiry( false );


Regarding your question, looks like Sun Java 6 supports the following ciphers:

SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_256_CBC_SHA
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
TLS_KRB5_EXPORT_WITH_RC4_40_MD5
TLS_KRB5_EXPORT_WITH_RC4_40_SHA
TLS_KRB5_WITH_3DES_EDE_CBC_MD5
TLS_KRB5_WITH_3DES_EDE_CBC_SHA
TLS_KRB5_WITH_DES_CBC_MD5
TLS_KRB5_WITH_DES_CBC_SHA
TLS_KRB5_WITH_RC4_128_MD5
TLS_KRB5_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA


You may have some luck with Mozilla's "JSS" library:

http://www.mozilla.org/projects/security/pki/jss/

But it looks pretty daunting to me!


yours,

Julius

http://juliusdavies.ca/


ps.  here's the 100 lines (okay, more like 70 lines):

// imports needed by this snippet
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

String javaHome = System.getProperty( "java.home" );
String pathToCacerts = javaHome + "/lib/security/cacerts";
FileInputStream in = new FileInputStream( pathToCacerts );
KeyStore ks = KeyStore.getInstance( "jks" );
ks.load( in, null );   // null password: the JRE's cacerts can be read without one
in.close();
String alg = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance( alg );
tmf.init( ks );
TrustManager[] trustManagers = tmf.getTrustManagers();
for ( int i = 0; i < trustManagers.length; i++ )
{
  if ( !( trustManagers[ i ] instanceof X509TrustManager ) )
  {
    continue;   // only X509 trust managers can be wrapped
  }
  final X509TrustManager tm = (X509TrustManager) trustManagers[ i ];
  // The wrapper must itself be an X509TrustManager (with getAcceptedIssuers),
  // otherwise JSSE ignores it and falls back to a trust manager that rejects everything.
  trustManagers[ i ] = new X509TrustManager()
  {
    public void checkClientTrusted( X509Certificate[] chain, String authType )
       throws CertificateException
    {
      // we're only turning off expiry checking for server certs in
      // this example.
      tm.checkClientTrusted( chain, authType );
    }

    public void checkServerTrusted( X509Certificate[] chain, String authType )
       throws CertificateException
    {
      CertificateException ce = null;
      try
      {
        tm.checkServerTrusted( chain, authType );
      }
      catch ( CertificateException e )
      {
        ce = e;
      }
      if ( ce != null )
      {
        // Walk to the root cause: the expiry failure is usually wrapped.
        Throwable root = getRootThrowable( ce );
        boolean expiryProblem = root instanceof CertificateExpiredException;
        if ( expiryProblem )
        {
          // not a problem - we've turned expiry checking off!
        }
        else
        {
          throw ce;
        }
      }
    }

    public X509Certificate[] getAcceptedIssuers()
    {
      return tm.getAcceptedIssuers();
    }

    private Throwable getRootThrowable( Throwable t )
    {
      if ( t == null )
      {
        return t;
      }
      Throwable cause = t.getCause();
      while ( cause != null && !t.equals( cause ) )
      {
        t = cause;
        cause = t.getCause();
      }
      return t;
    }
  };
}

SSLContext sslContext = SSLContext.getInstance( "TLS" );
sslContext.init( null, trustManagers, null );

// Finally!  A SocketFactory that doesn't check expiry of the server's cert.
// (It does check everything else).   (Except CRLs).   ;-)
SSLSocketFactory socketFactory = sslContext.getSocketFactory();


On 11/26/06, Xiaofeng Li <xiaofeng@nortel.com> wrote:
> Does this SSL supports the cipher 'TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA'?
>
> Thanks
>
> -----Original Message-----
> From: Julius Davies [mailto:juliusdavies@gmail.com]
> Sent: Saturday, November 25, 2006 7:13 PM
> To: httpcomponents-dev@jakarta.apache.org; HttpClient User Discussion
> Subject: commons-ssl-0.3.4 released
>
>
> Hi,
>
> I've just released commons-ssl-0.3.4.
>
> http://juliusdavies.ca/commons-ssl/
>
>
> Three changes since 0.3.3:
>
> #1.
> ==================================
> ssl.setCheckExpiry( false ) now works!
> ssl.setCheckExpiry( true ) now has an effect with Java 1.3.  (Java 1.4,
> 5, 6 all properly checked certificate expiry anyway, but it looks like
> 1.3 forgot to.)
>
> #2.
> ==================================
> The "CRL pass/fail SHA1 fingerprint cache" only discards the
> certificates which PASSED the check every 24 hours now.  Certificates
> which failed the check will keep their 20 byte SHA1 fingerprint in the
> cache forever (or until the next JVM restart).
>
>
> #3.
> ==================================
> Looks like TrustMaterial.TRUST_ALL stopped working recently on Java 5
> and 6.  Fixed.
>
>
> Aside from these three code changes, I also updated the documentation.
> The "downloads" page includes a "Roadmap".  The "main" page thanks Oleg
> for his original AuthSSLProtocolSocketFactory.java on which this is all
> based.
>
>
>
> --
> yours,
>
> Julius Davies
> 416-652-0183
> http://juliusdavies.ca/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
>
>
>


-- 
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
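The Java 6 cipher list quoted in the reply above contains a good number of EXPORT (40/56-bit), NULL (no encryption), DH_anon (no server authentication), single-DES, RC4 and MD5-based suites. The following is an added example, not code from the message or from Commons-SSL: a hypothetical `StrongCipherSocketFactory` that wraps any real `SSLSocketFactory` (the one produced by the expiry-tolerant `SSLContext` above, for instance) and removes those suites from every socket it creates. The class name, the `WEAK_MARKERS` patterns and the sample suite names in `main` are assumptions of this example (the sample names are copied from the list in the reply); it assumes Java 5 or later for generics and the enhanced `for` loop.

```java
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical wrapper (not part of Commons-SSL or JSSE): delegates socket
 * creation to a real SSLSocketFactory, then restricts the enabled cipher
 * suites on each SSLSocket to those that do not match a weak-suite marker.
 */
public class StrongCipherSocketFactory extends SSLSocketFactory
{
    // Assumed policy: substrings that identify suites we never want negotiated.
    private static final String[] WEAK_MARKERS =
        { "_EXPORT", "_NULL_", "_anon_", "_WITH_DES_", "_RC4_", "_MD5" };

    private final SSLSocketFactory delegate;
    private final String[] enabled;     // delegate's defaults minus weak suites
    private final String[] supported;   // delegate's supported set minus weak suites

    public StrongCipherSocketFactory( SSLSocketFactory delegate )
    {
        this.delegate = delegate;
        this.enabled = filterWeakSuites( delegate.getDefaultCipherSuites() );
        this.supported = filterWeakSuites( delegate.getSupportedCipherSuites() );
    }

    /** Pure filter, so the policy can be checked without opening a connection. */
    public static String[] filterWeakSuites( String[] suites )
    {
        List<String> keep = new ArrayList<String>();
        for ( String suite : suites )
        {
            boolean weak = false;
            for ( String marker : WEAK_MARKERS )
            {
                if ( suite.contains( marker ) ) { weak = true; break; }
            }
            if ( !weak ) keep.add( suite );
        }
        return keep.toArray( new String[ keep.size() ] );
    }

    // Apply the filtered list to every SSLSocket the delegate hands back.
    private Socket harden( Socket s )
    {
        if ( s instanceof SSLSocket )
        {
            ( (SSLSocket) s ).setEnabledCipherSuites( enabled );
        }
        return s;
    }

    public String[] getDefaultCipherSuites()   { return enabled.clone(); }
    public String[] getSupportedCipherSuites() { return supported.clone(); }

    public Socket createSocket( Socket s, String host, int port, boolean autoClose ) throws IOException
    { return harden( delegate.createSocket( s, host, port, autoClose ) ); }
    public Socket createSocket( String host, int port ) throws IOException
    { return harden( delegate.createSocket( host, port ) ); }
    public Socket createSocket( String host, int port, InetAddress localHost, int localPort ) throws IOException
    { return harden( delegate.createSocket( host, port, localHost, localPort ) ); }
    public Socket createSocket( InetAddress host, int port ) throws IOException
    { return harden( delegate.createSocket( host, port ) ); }
    public Socket createSocket( InetAddress address, int port, InetAddress localAddress, int localPort ) throws IOException
    { return harden( delegate.createSocket( address, port, localAddress, localPort ) ); }

    public static void main( String[] args )
    {
        // Constructed sample: a handful of names taken from the Java 6 list above.
        String[] sample = {
            "SSL_RSA_EXPORT_WITH_RC4_40_MD5",      // export-grade: dropped
            "SSL_RSA_WITH_NULL_SHA",               // no encryption: dropped
            "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",   // unauthenticated: dropped
            "SSL_RSA_WITH_DES_CBC_SHA",            // single DES: dropped
            "SSL_RSA_WITH_RC4_128_SHA",            // RC4: dropped
            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",    // kept
            "TLS_RSA_WITH_AES_128_CBC_SHA" };      // kept
        for ( String suite : filterWeakSuites( sample ) )
        {
            System.out.println( suite );
        }
    }
}
```

Usage is `new StrongCipherSocketFactory( sslContext.getSocketFactory() )` wherever an `SSLSocketFactory` is expected. The filter works on the suite name, which is deliberate: the `_WITH_DES_` marker matches single DES but not `_WITH_3DES_`, and checking the delegate's own default list rather than a hard-coded allow list means a newer JSSE's stronger suites are kept without editing the class. Suites removed here are still visible in the handshake log of the peer, so the check is a client-side hardening, not a substitute for configuring the server.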

