hc-httpclient-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Roland Weber <http-as...@dubioso.net>
Subject Re: Certificateless SSL
Date Fri, 01 Dec 2006 18:23:06 GMT
Hello Jake,

> Maybe I'm misunderstanding the exception I'm getting. IE is normally
> used to access the 3rd party application, and it does NOT require us to
> install or even select a certificate. It DOES prompt us to accept THEIR
> certificate. We certainly don't have to generate a certificate and
> install it in a keystore for every client.

There are different kinds of certificates that can be presented and
verified. So-called "server certificates" are used on the client to
verify that the server is what it claims to be. "Client certificates"
are used on the server to verify that the client is what it claims to
be. And then there are certificates used to verify other certificates.
Given all these different certificates, your subject "certificateless
SSL" is really an oxymoron :-)
If IE does not require you to install a certificate, then most likely
your problem is not a missing client certificate.

> The exception I'm getting in HttpClient is:
> 
> [INFO] HttpMethodDirector - I/O exception
> (javax.net.ssl.SSLHandshakeException) caught when processing request:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target

A certificate path or chain is a series of certificate to verify other
certificates. The server sends a certificate, the client checks it with
another certificate. Then the client checks that other certificate with
yet another certificate. And so on, until it reaches a "root" certificate
which it knows can be trusted. IE ships with a set of root certificates,
and each JDK also ships with a set of root certificates, but those sets
can be different. I suspect that the certificate store used for your
SSL connections is missing a root certificate that IE has.

> From what I saw in the mailing list archives, and from a Google search,
> that meant that I didn't have a certificate installed in JSSE.

Yes. And it's a "root certificate" you are missing, as opposed to a
"client certificate". That's where you got Julius on a wrong track.

Have you read our SSL guide?
http://jakarta.apache.org/commons/httpclient/sslguide.html

Towards the end, you'll find a link to the EasySSLProtocolSocketFactory.
That is a class which does _not_ build a certificate chain in order to
verify the certificate. Rather, it simply trusts the server certificate,
which seems to be what you want to do.

> Here is what I get when running the ping utility:
> [...]

I'll leave this part to Julius :-)

hope that helps,
  Roland


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org


Mime
View raw message