hc-httpclient-users mailing list archives

From "William Cai" <w...@xwarelabs.com>
Subject RE: Certificate Based Client Authentication
Date Sat, 10 Mar 2007 15:29:40 GMT
You may know the link http://e-docs.bea.com/wls/docs81/secmanage/ssl.html#1166927. Since you
choose two-way SSL, it doesn't make sense to disable server side authentication. I doubt if
there is such an option available. Please correct me if I'm wrong.

Thanks,
William

-----Original Message-----
From: Lalit Sahoo [mailto:lalit.s@sonata-software.com] 
Sent: Friday, March 09, 2007 2:36 AM
To: HttpClient User Discussion
Subject: RE: Certificate Based Client Authentication

Hi Julius,
 
Thanks for the help!
 
Actually I am using Weblogic 8.1.
 
I have configured weblogic to use two-way SSL.
 
Do I need to do anything on server side to stop server authentication?
 
Regards,
Lalit

________________________________

From: Julius Davies [mailto:juliusdavies@gmail.com]
Sent: Thu 3/8/2007 9:58 PM
To: HttpClient User Discussion
Subject: Re: Certificate Based Client Authentication



Hi, Lalit,

If you really, really, really are sure that you don't want to
"authenticate" the server (not recommended!) you can use
TrustMaterial.TRUST_ALL with "not-yet-commons-ssl-0.3.7.jar" like so:

------------------------------------------------------
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.ssl.HttpSecureProtocol;
import org.apache.commons.ssl.KeyMaterial;
import org.apache.commons.ssl.TrustMaterial;

// KeyMaterial and HttpSecureProtocol throw GeneralSecurityException and
// IOException, so the enclosing method must handle or declare them.
char[] pwd = "secret".toCharArray();
KeyMaterial km = new KeyMaterial( "/path/to/client_cert.p12", pwd );

HttpSecureProtocol sf = new HttpSecureProtocol();
sf.setKeyMaterial( km );

// Trust ANY server!  NOT RECOMMENDED!
sf.setTrustMaterial( TrustMaterial.TRUST_ALL );

ProtocolSocketFactory psf = sf;
Protocol specialHttps = new Protocol("https-special", psf, 443);
Protocol.registerProtocol("https-special", specialHttps);

// From this point on, HttpClient will use the client cert specified
// for all URL's of the form "https-special://".
------------------------------------------------------


To do this just using the "HttpClient" contrib code is not possible.
Giving "null" to the AuthSSLProtocolSocketFactory just tells it to use
$JAVA_HOME/jre/lib/security/cacerts as the "truststore":

new AuthSSLProtocolSocketFactory( keystore, key_pwd, null, null );


What you're trying to do is essentially a hybrid of
"EasySSLProtocolSocketFactory" (trusting any server), and
"AuthSSLProtocolSocketFactory" (providing a client certificate).

If you don't want to use not-yet-commons-ssl-0.3.7, you'll have to
code up the hybrid yourself using the "contrib" code to guide you.


yours,

Julius



On 3/8/07, Lalit Sahoo <lalit.s@sonata-software.com> wrote:
> Hi Julius,
>
> Thanks for the response!
>
> You have advised me to do it this way:
>
> URL keystore = new URL( "file:///path/to/keystore.jks" );
> URL truststore = new URL( "file:///path/to/truststore.jks" );
> String key_pwd = "secret";
> String trust_pwd = "changeit";
>
> AuthSSLProtocolSocketFactory sf;
> sf = new AuthSSLProtocolSocketFactory( keystore, key_pwd, truststore,
> trust_pwd );
>
>
> Suppose I don't want to authenticate the server; then I should use it as below:
>
>
> AuthSSLProtocolSocketFactory sf;
> sf = new AuthSSLProtocolSocketFactory( keystore, key_pwd, null, null );
>
> But I am getting SSL handshake error.
>
> Could you please help?
>
> Regards,
> Lalit
>

--
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org

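The "hybrid" Julius describes (client certificate plus your own choice of server trust), as an added example that is not part of this thread and not code from HttpClient or not-yet-commons-ssl: a SecureProtocolSocketFactory for HttpClient 3.x that presents a client certificate from a PKCS#12 file and trusts only the CA held in a JKS truststore. The editor's advice for the handshake error with a null truststore is to import the WebLogic server's issuing CA into such a truststore rather than to disable server authentication; replacing tmf.getTrustManagers() with a permissive X509TrustManager would give the trust-all behaviour asked for above, and this example deliberately does not do that. File paths, passwords, the class name ClientCertSocketFactory and the host name are assumed placeholders; the hostname check via SSLParameters needs Java 7 or later.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.commons.httpclient.ConnectTimeoutException;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

// Hypothetical class (not part of HttpClient): client cert + explicit server trust.
public class ClientCertSocketFactory implements SecureProtocolSocketFactory {

    private final SSLSocketFactory factory;

    public ClientCertSocketFactory(String clientP12, char[] clientPwd,
                                   String trustJks, char[] trustPwd)
            throws GeneralSecurityException, IOException {
        // Client identity: private key and certificate chain from the PKCS#12 file.
        KeyStore keys = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(clientP12)) {
            keys.load(in, clientPwd);
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, clientPwd);

        // Server trust: a JKS truststore containing the CA that issued the server cert.
        KeyStore trust = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustJks)) {
            trust.load(in, trustPwd);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        factory = ctx.getSocketFactory();
    }

    // HttpClient 3.x does not check that the server cert matches the host name;
    // asking JSSE to do it (Java 7+) must happen before the handshake starts.
    private static Socket withHostnameCheck(Socket s) {
        SSLSocket ssl = (SSLSocket) s;
        SSLParameters p = ssl.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        ssl.setSSLParameters(p);
        return ssl;
    }

    public Socket createSocket(String host, int port) throws IOException {
        return withHostnameCheck(factory.createSocket(host, port));
    }

    public Socket createSocket(String host, int port, InetAddress localAddr,
                               int localPort) throws IOException {
        return withHostnameCheck(factory.createSocket(host, port, localAddr, localPort));
    }

    public Socket createSocket(String host, int port, InetAddress localAddr,
                               int localPort, HttpConnectionParams params)
            throws IOException, ConnectTimeoutException {
        if (params == null) {
            throw new IllegalArgumentException("Parameters may not be null");
        }
        int timeout = params.getConnectionTimeout();
        if (timeout == 0) {
            return createSocket(host, port, localAddr, localPort);
        }
        // Unconnected SSLSocket so the connection timeout can be honoured.
        Socket s = factory.createSocket();
        s.bind(new InetSocketAddress(localAddr, localPort));
        s.connect(new InetSocketAddress(host, port), timeout);
        return withHostnameCheck(s);
    }

    public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
            throws IOException {
        return withHostnameCheck(factory.createSocket(socket, host, port, autoClose));
    }

    public static void main(String[] args) throws Exception {
        ProtocolSocketFactory psf = new ClientCertSocketFactory(
            "/path/to/client_cert.p12", "secret".toCharArray(),   // assumed paths/passwords
            "/path/to/truststore.jks", "changeit".toCharArray());
        Protocol.registerProtocol("https", new Protocol("https", psf, 443));

        GetMethod get = new GetMethod("https://weblogic.example.com/secure/"); // assumed host
        try {
            System.out.println(new HttpClient().executeMethod(get));
        } finally {
            get.releaseConnection();
        }
    }
}
```

Registering the factory under "https" replaces the default for every https URL in the JVM; register it under a private scheme such as "https-special", as in the not-yet-commons-ssl snippet above, if only some requests should present the client certificate. If the handshake still fails, check with keytool -list that the truststore really contains the server's issuing CA and that the PKCS#12 file contains a private key entry, not just a certificate.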

