hc-httpclient-users mailing list archives
From "Arunkumar Dubagunta" <Adubagu...@1800FLOWERS.com>
Subject RE: how to treat the unknown certificate as trusted one
Date Wed, 06 Dec 2006 19:49:54 GMT

When I try to send a request to an https URL in the local network using not-yet-commons-ssl.jar,
I get the following error.

Am I missing something?

Exception in thread "main" java.lang.NullPointerException
	at org.apache.commons.ssl.Java14.retrieveClientAuth(Java14.java:94)
	at org.apache.commons.ssl.JavaImpl.getPeerCertificates(JavaImpl.java:252)
	at org.apache.commons.ssl.Util.verifyHostName(Util.java:244)
	at org.apache.commons.ssl.SSL.doPostConnectSocketStuff(SSL.java:432)
	at org.apache.commons.ssl.SSL.createSocket(SSL.java:503)
	at org.apache.commons.ssl.SSLClient.createSocket(SSLClient.java:242)


Thanks,
Arun Kumar Dubagunta
> -----Original Message-----
> From:	Julius Davies [SMTP:juliusdavies@gmail.com]
> Sent:	Wednesday, December 06, 2006 10:44 AM
> To:	HttpClient User Discussion
> Subject:	Re: how to treat the unknown certificate as trusted one
> 
> Here's the fast answer:
> 
> Protocol myhttps = new Protocol("https", new EasySSLProtocolSocketFactory(), 443);
> Protocol.registerProtocol("https", myhttps);
> 
> 
> I'm cutting & pasting an email I wrote 2 days ago to httpclient-user.
> 
> You have several options:
> 
> 1.  Import self-signed cert into Java's "cacerts" file.
> -------------------------------------------------------------------------
> You can use "openssl s_client" or "not-yet-commons-ssl.jar Ping" to
> download the self-signed certificate.  Cut & paste the Base64 PEM text
> into a separate file (be sure to include the ----BEGIN----- and
> -----END-----).  Try and import it into Java's "cacerts" file.  It's
> usually found here:
> 
> $JAVA_HOME/jre/lib/security/cacerts
> 
> Here's the command to import a Base64 PEM certificate into that file:
> 
> cd $JAVA_HOME/jre/lib/security
> $JAVA_HOME/bin/keytool -import -file [file.pem] -keystore cacerts
> 
> The password is usually "changeit" (unless you changed it?  ROTFL).
> 
> Personally, I don't really recommend this approach.  But it's good to
> know about.  If you ever upgrade your JVM or switch to JRockit or IBM,
> you're going to have to do this all over again.
> 
> 
> 2.  Use EasySSLProtocolSocketFactory
> -------------------------------------------------------------------------
> http://jakarta.apache.org/commons/httpclient/sslguide.html
> 
> This is a great approach for a dev environment, but it's usually not
> appropriate for a production environment.
> 
> 
> 3.  Use AuthSSLProtocolSocketFactory
> -------------------------------------------------------------------------
> Set the client JKS to null.  Set the trust JKS to a brand new JKS you
> created only containing the server's self-signed certificate.
> 
> 
> 4.  You can also try the ALPHA "not-yet-commons-ssl.jar"
> -------------------------------------------------------------------------
> I think this is an interesting approach:
> 
> http://juliusdavies.ca/commons-ssl/TrustExample.java.html
> 
> It's kind of a hybrid approach of #1 and #2.  Essentially equivalent
> to #3, but without the hassle of creating a JKS file.  (Java Keystore
> File).
> 
> -------------------------------------------------------------------------
> 
> Security note:  downloading the certificate directly from the SSL
> handshake using "openssl s_client" or "not-yet-commons-ssl.jar" is not
> safe.  In a dev environment it's okay.  But in a production
> environment it leaves you susceptible to the oft-cited
> man-in-the-middle.  It's safer than EasySSLProtocolSocketFactory
> because you only download the certificate one time, whereas
> EasySSLProtocolSocketFactory is always vulnerable, with every socket
> created.  But nonetheless you should try to acquire the self-signed
> certificate through a different medium, maybe email (with
> encryption?), fax, telephone, letter mail, usb-drive, etc.  Or if the
> self-signed cert is hosted on a properly signed "https" site, that's
> also okay (e.g. https://trustedsite.com/path/to/self-signed.pem).
> 
> On 12/6/06, Arunkumar Dubagunta <Adubagunta@1800flowers.com> wrote:
> >
> > I need to make a call to an external URLs and post the data.
> >
> > Anybody has a solution for this.
> >
> > Any inputs will be greatly helpful. Thanks in advance.
> >
> > Thanks,
> > Arun Kumar Dubagunta
> >
> >
> > > -----Original Message-----
> > > From: Roland Weber [SMTP:ROLWEBER@de.ibm.com]
> > > Sent: Wednesday, December 06, 2006 1:48 AM
> > > To:   HttpClient User Discussion
> > > Subject:      Re: how to treat the unknown certificate as trusted one
> > >
> > > Hello,
> > >
> > > >    Protocol myhttps = new Protocol("https", new EasySSLProtocolSocketFactory(), 443);
> > > >    httpClient.getHostConfiguration().setHost("xxx.xxx.com", 443, myhttps);
> > > >    int responseCode = httpClient.executeMethod(postMethod);
> > >
> > > This will only work if you are using _relative_ URLs like
> > > "/" or "/index.html". Register your protocol as the default
> > > handler for https, as described in the SSL guide.
> > >
> > > hope that helps,
> > >   Roland
> > >
> >
> 
> 
> -- 
> yours,
> 
> Julius Davies
> 416-652-0183
> http://juliusdavies.ca/
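As an added example (not code from this thread, from HttpClient, or from not-yet-commons-ssl): a `SecureProtocolSocketFactory` for HttpClient 3.x that does what option #3 above describes, but with plain JSSE and an in-memory trust store, so there is no JKS file to create. It trusts exactly one self-signed certificate read from a PEM file and nothing else, which is the difference between it and `EasySSLProtocolSocketFactory`. The PEM path `server-selfsigned.pem`, the class name `PinnedTrustProtocolSocketFactory`, and the use of the Java 7+ `SSLParameters.setEndpointIdentificationAlgorithm` call for hostname verification are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

/**
 * Added example, not part of the thread: an HttpClient 3.x socket factory that
 * trusts exactly one self-signed server certificate (loaded from a PEM file)
 * instead of every certificate (EasySSLProtocolSocketFactory) or the JVM-wide
 * cacerts file. The PEM path and the Java 7+ SSLParameters call are assumptions.
 */
public class PinnedTrustProtocolSocketFactory implements SecureProtocolSocketFactory {

    private final SSLSocketFactory factory;

    public PinnedTrustProtocolSocketFactory(String pemPath) throws Exception {
        this.factory = buildContext(pemPath).getSocketFactory();
    }

    /** Build an SSLContext whose trust store contains only the given PEM certificate. */
    static SSLContext buildContext(String pemPath) throws Exception {
        X509Certificate cert;
        try (InputStream in = new FileInputStream(pemPath)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // Fail at startup on an expired or not-yet-valid pin rather than at the first handshake.
        cert.checkValidity();

        // In-memory trust store: no JKS file on disk and no "changeit" password to manage.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);
        trust.setCertificateEntry("pinned-server", cert);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // null key managers: no client certificate
        return ctx;
    }

    /** Turn on hostname verification; JSSE does not do it for raw SSLSockets by default (Java 7+). */
    private static Socket verifyHost(SSLSocket s) {
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(p); // takes effect at the handshake, which starts on first I/O
        return s;
    }

    public Socket createSocket(String host, int port) throws IOException {
        return verifyHost((SSLSocket) factory.createSocket(host, port));
    }

    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort)
            throws IOException {
        return verifyHost((SSLSocket) factory.createSocket(host, port, localAddress, localPort));
    }

    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort,
                               HttpConnectionParams params) throws IOException {
        // Honour HttpClient's connection timeout; a null localAddress binds to the wildcard address.
        int timeout = params == null ? 0 : params.getConnectionTimeout();
        SSLSocket s = (SSLSocket) factory.createSocket();
        s.bind(new InetSocketAddress(localAddress, localPort));
        s.connect(new InetSocketAddress(host, port), timeout);
        return verifyHost(s);
    }

    public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
            throws IOException {
        return verifyHost((SSLSocket) factory.createSocket(socket, host, port, autoClose));
    }

    public static void main(String[] args) throws Exception {
        // Register as the default https handler so absolute URLs work too, as Roland notes above.
        ProtocolSocketFactory psf = new PinnedTrustProtocolSocketFactory("server-selfsigned.pem");
        Protocol.registerProtocol("https", new Protocol("https", psf, 443));
    }
}
```

Because the trust store holds only the one leaf certificate, a handshake presenting any other certificate, including one signed by a public CA, fails in `TrustManager` checking, which is the behaviour you want when pinning to a known self-signed server. The cost is operational: when the server's certificate is rotated, the new PEM has to be redistributed, and it should arrive through the out-of-band channel Julius describes in his security note, not by scraping it from the handshake of the host you are about to trust.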