hc-httpclient-users mailing list archives

From "Julius Davies" <juliusdav...@gmail.com>
Subject Re: Certificate Based Client Authentication
Date Sun, 11 Mar 2007 17:10:42 GMT
Hi, William,

The technique I showed in my previous email doesn't disable
server-side auth - it just ignores the server's certificate... or in
other words, trusts any certificate the server supplies.

The EasyX509TrustManager example in the "contrib" section of the
HttpClient SVN repository is a good low-level example of this
technique.  See how it implements its own X509TrustManager:

http://svn.apache.org/viewvc/jakarta/commons/proper/httpclient/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/EasyX509TrustManager.java

But this X509TrustManager is very trusting!  It trusts everything!

[simplified...  the real one does check expiry]
-------------------------
public void checkServerTrusted(X509Certificate[] certificates, String authType) {
  // do nothing - so all server certificates are trusted!
}
-------------------------

yours,

Julius



On 3/10/07, William Cai <caiwl@acm.org> wrote:
>
> You may know the link http://e-docs.bea.com/wls/docs81/secmanage/ssl.html#1166927. Since
> you choose two-way SSL, it doesn't make sense to disable server side authentication. I doubt
> if there is such an option available. Please correct me if I'm wrong.
>
> Thanks,
> William
>
> -----Original Message-----
> From: Lalit Sahoo [mailto:lalit.s@sonata-software.com]
> Sent: Friday, March 09, 2007 2:36 AM
> To: HttpClient User Discussion
> Subject: RE: Certificate Based Client Authentication
>
> Hi Julius,
>
> Thanks for the help!
>
> Actually I am using Weblogic 8.1.
>
> I have configured weblogic to use two-way SSL.
>
> Do I need to do anything on server side to stop server authentication?
>
> Regards,
> Lalit
>
> ________________________________
>
> From: Julius Davies [mailto:juliusdavies@gmail.com]
> Sent: Thu 3/8/2007 9:58 PM
> To: HttpClient User Discussion
> Subject: Re: Certificate Based Client Authentication
>
>
>
> Hi, Lalit,
>
> If you really, really, really are sure that you don't want to
> "authenticate" the server (not recommended!) you can use
> TrustMaterial.TRUST_ALL with "not-yet-commons-ssl-0.3.7.jar" like so:
>
> ------------------------------------------------------
> char[] pwd = "secret".toCharArray();
> KeyMaterial km = new KeyMaterial( "/path/to/client_cert.p12", pwd );
>
> HttpSecureProtocol sf = new HttpSecureProtocol();
> sf.setKeyMaterial( km );
>
> // Trust ANY server!  NOT RECOMMENDED!
> sf.setTrustMaterial( TrustMaterial.TRUST_ALL );
>
> ProtocolSocketFactory psf = sf;
> Protocol specialHttps = new Protocol("https-special", psf, 443);
> Protocol.registerProtocol("https-special", specialHttps);
>
> // From this point on, HttpClient will use the client cert specified
> // for all URL's of the form "https-special://".
> ------------------------------------------------------
>
>
> To do this just using the "HttpClient" contrib code is not possible.
> Giving "null" to the AuthSSLProtocolSocketFactory just tells it to use
> $JAVA_HOME/jre/lib/security/cacerts as the "truststore":
>
> new AuthSSLProtocolSocketFactory( keystore, key_pwd, null, null );
>
>
> What you're trying to do is essentially a hybrid of
> "EasySSLProtocolSocketFactory" (trusting any server), and
> "AuthSSLProtocolSocketFactory" (providing a client certificate).
>
> If you don't want to use not-yet-commons-ssl-0.3.7, you'll have to
> code up the hybrid yourself using the "contrib" code to guide you.
>
>
> yours,
>
> Julius
>
>
>
> On 3/8/07, Lalit Sahoo <lalit.s@sonata-software.com> wrote:
> > Hi Julius,
> >
> > Thanks for the response!
> >
> > You have advised me to do in this way:
> >
> > URL keystore = new URL( "file:///path/to/keystore.jks" );
> > URL truststore = new URL( "file:///path/to/truststore.jks" );
> > String key_pwd = "secret";
> > String trust_pwd = "changeit";
> >
> > AuthSSLProtocolSocketFactory sf;
> > sf = new AuthSSLProtocolSocketFactory( keystore, key_pwd, truststore,
> > trust_pwd );
> >
> >
> > Suppose I don't want to authenticate server then I should use as below:
> >
> >
> > AuthSSLProtocolSocketFactory sf;
> > sf = new AuthSSLProtocolSocketFactory( keystore, key_pwd, null, null );
> >
> > But I am getting SSL handshake error.
> >
> > Could you please help?
> >
> > Regards,
> > Lalit
> >
>
> --
> yours,
>
> Julius Davies
> 416-652-0183
> http://juliusdavies.ca/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: httpclient-user-help@jakarta.apache.org


-- 
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/

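The thread's "hybrid" (client certificate plus a trust policy) done the safe way round, as an added example that is not code from HttpClient, its contrib tree, or not-yet-commons-ssl: the client cert is presented, but the server's chain is still verified against an explicit truststore, and the hostname is checked at handshake time. Class name, file paths and passwords are placeholders; it uses only standard JSSE (Java 7 or later for endpoint identification).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
/**
 * Hypothetical helper (not part of HttpClient or not-yet-commons-ssl):
 * two-way SSL where the client cert is presented AND the server is
 * still authenticated against an explicit truststore.
 */
public final class MutualTlsClient {
    private static KeyStore load(String path, String type, char[] pwd) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pwd);
        }
        return ks;
    }

    /** Key material = the client certificate; trust material = the server CA(s). */
    public static SSLContext build(String clientP12, char[] keyPwd,
                                   String trustJks, char[] trustPwd) throws Exception {
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(clientP12, "PKCS12", keyPwd), keyPwd);

        // This is what TrustMaterial.TRUST_ALL / an empty checkServerTrusted removes:
        // a trust manager that rejects chains not anchored in the truststore.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustJks, "JKS", trustPwd));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Handshake with hostname verification, which a TrustManager alone never does. */
    public static SSLSocket connect(SSLContext ctx, String host, int port) throws Exception {
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(p);
        s.startHandshake(); // throws SSLHandshakeException on an untrusted or mismatched cert
        return s;
    }
}
```

Swapping `tmf.getTrustManagers()` for a do-nothing `X509TrustManager` is exactly the change that turns this into the "trust any server" setup discussed above, and the handshake will then succeed against any certificate, including one presented by an interposed host.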

