hc-httpclient-users mailing list archives

From "Jake C" <buddhabu...@hotmail.com>
Subject Re: Certificateless SSL
Date Fri, 01 Dec 2006 19:50:33 GMT
I had seen that, but at the time I didn't realize that a self-signed cert 
could have been my problem. However, I'm sure it is. We are currently 
running against a test server, which I'm sure has a self-signed cert. Our 
production server will be running under a Verisign cert.

I'll give it a try right now. Do you think that this means that I most likely 
won't have this issue at production? It would be nice to only have to use 
the EasySSL* classes during testing.

>From: Roland Weber <http-async@dubioso.net>
>Reply-To: "HttpClient User Discussion" <httpclient-user@jakarta.apache.org>
>To: HttpClient User Discussion <httpclient-user@jakarta.apache.org>
>Subject: Re: Certificateless SSL
>Date: Fri, 01 Dec 2006 19:23:06 +0100
>Hello Jake,
> > Maybe I'm misunderstanding the exception I'm getting. IE is normally
> > used to access the 3rd party application, and it does NOT require us to
> > install or even select a certificate. It DOES prompt us to accept THEIR
> > certificate. We certainly don't have to generate a certificate and
> > install it in a keystore for every client.
>There are different kinds of certificates that can be presented and
>verified. So-called "server certificates" are used on the client to
>verify that the server is what it claims to be. "Client certificates"
>are used on the server to verify that the client is what it claims to
>be. And then there are certificates used to verify other certificates.
>Given all these different certificates, your subject "certificateless
>SSL" is really an oxymoron :-)
>If IE does not require you to install a certificate, then most likely
>your problem is not a missing client certificate.
> > The exception I'm getting in HttpClient is:
> >
> > [INFO] HttpMethodDirector - I/O exception
> > (javax.net.ssl.SSLHandshakeException) caught when processing request:
> > sun.security.validator.ValidatorException: PKIX path building failed:
> > sun.security.provider.certpath.SunCertPathBuilderException: unable to
> > find valid certification path to requested target
>A certificate path or chain is a series of certificates to verify other
>certificates. The server sends a certificate, the client checks it with
>another certificate. Then the client checks that other certificate with
>yet another certificate. And so on, until it reaches a "root" certificate
>which it knows can be trusted. IE ships with a set of root certificates,
>and each JDK also ships with a set of root certificates, but those sets
>can be different. I suspect that the certificate store used for your
>SSL connections is missing a root certificate that IE has.
> > From what I saw in the mailing list archives, and from a Google search,
> > that meant that I didn't have a certificate installed in JSSE.
>Yes. And it's a "root certificate" you are missing, as opposed to a
>"client certificate". That's where you got Julius on a wrong track.
>Have you read our SSL guide?
>Towards the end, you'll find a link to the EasySSLProtocolSocketFactory.
>That is a class which does _not_ build a certificate chain in order to
>verify the certificate. Rather, it simply trusts the server certificate,
>which seems to be what you want to do.
> > Here is what I get when running the ping utility:
> > [...]
>I'll leave this part to Julius :-)
>hope that helps,
>   Roland
>To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
