hc-httpclient-users mailing list archives

From "Lalit Sahoo" <lali...@sonata-software.com>
Subject RE: Certificate Based Client Authentication
Date Thu, 08 Mar 2007 18:36:07 GMT
Hi Julius,
Thanks for the help!
Actually I am using Weblogic 8.1.
I have configured weblogic to use two-way SSL.
Do I need to do anything on server side to stop server authentication?


From: Julius Davies [mailto:juliusdavies@gmail.com]
Sent: Thu 3/8/2007 9:58 PM
To: HttpClient User Discussion
Subject: Re: Certificate Based Client Authentication

Hi, Lalit,

If you really, really, really are sure that you don't want to
"authenticate" the server (not recommended!) you can use
TrustMaterial.TRUST_ALL with "not-yet-commons-ssl-0.3.7.jar" like so:

char[] pwd = "secret".toCharArray();
KeyMaterial km = new KeyMaterial( "/path/to/client_cert.p12", pwd );

HttpSecureProtocol sf = new HttpSecureProtocol();
sf.setKeyMaterial( km );

// Trust ANY server!  NOT RECOMMENDED!
sf.setTrustMaterial( TrustMaterial.TRUST_ALL );

ProtocolSocketFactory psf = sf;
Protocol specialHttps = new Protocol("https-special", psf, 443);
Protocol.registerProtocol("https-special", specialHttps);

// From this point on, HttpClient will use the client cert specified
// for all URL's of the form "https-special://".

To do this just using the "HttpClient" contrib code is not possible.
Giving "null" to the AuthSSLProtocolSocketFactory just tells it to use
$JAVA_HOME/jre/lib/security/cacerts as the "truststore":

new AuthSSLProtocolSocketFactory( keystore, key_pwd, null, null );

What you're trying to do is essentially a hybrid of
"EasySSLProtocolSocketFactory" (trusting any server), and
"AuthSSLProtocolSocketFactory" (providing a client certificate).

If you don't want to use not-yet-commons-ssl-0.3.7, you'll have to
code up the hybrid yourself using the "contrib" code to guide you.



On 3/8/07, Lalit Sahoo <lalit.s@sonata-software.com> wrote:
> Hi Julius,
> Thanks for the response!
> You have advised me to do in this way:
> URL keystore = new URL( "file:///path/to/keystore.jks" );
> URL truststore = new URL( "file:///path/to/truststore.jks" );
> String key_pwd = "secret";
> String trust_pwd = "changeit";
> AuthSSLProtocolSocketFactory sf;
> sf = new AuthSSLProtocolSocketFactory( keystore, key_pwd, truststore, trust_pwd );
> Suppose I don't want to authenticate server then I should use as below:
> AuthSSLProtocolSocketFactory sf;
> sf = new AuthSSLProtocolSocketFactory( keystore, key_pwd, null, null );
> But I am getting SSL handshake error.
> Could you please help?
> Regards,
> Lalit


Julius Davies
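
An added example, not part of the thread and not code from HttpClient or not-yet-commons-ssl: using only standard JSSE, it presents the client certificate while still authenticating the server, by trusting just the server's certificate (or its issuing CA) exported to a file, as an alternative to TRUST_ALL. The class name, file paths and password are hypothetical, and it assumes the server certificate is available as a PEM or DER file.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class ClientCertWithPinnedServer {

    // Builds a socket factory that presents the client certificate from a
    // PKCS#12 file and accepts only servers whose chain leads to the one
    // certificate stored in serverCertPath (PEM or DER).
    public static SSLSocketFactory build(String p12Path, char[] p12Pwd,
                                         String serverCertPath) throws Exception {
        // Client identity: private key plus certificate chain.
        KeyStore identity = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(p12Path)) {
            identity.load(in, p12Pwd);
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, p12Pwd);

        // Trust anchors: an empty in-memory store holding only the server's
        // certificate, instead of cacerts or a trust-all manager.
        Certificate serverCert;
        try (InputStream in = new FileInputStream(serverCertPath)) {
            serverCert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);
        trust.setCertificateEntry("server", serverCert);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical paths and password, for illustration only.
        SSLSocketFactory f = build("/path/to/client_cert.p12",
                                   "secret".toCharArray(), "/path/to/server_cert.pem");
        System.out.println("Socket factory ready: " + f);
    }
}
```

A plain SSLSocketFactory validates the certificate chain but does not compare the certificate against the hostname, so that check still has to be done by the caller.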
