From: "Lalit Sahoo"
To: "HttpClient User Discussion"
Subject: RE: Certificate Based Client Authentication
Date: Thu, 8 Mar 2007 21:05:41 +0530
In-Reply-To: <598ad5b50703080727j49d11912mac823125c23967c7@mail.gmail.com>

Hi Julius,

Thanks for the response! You have advised me to do it this way:

import java.net.URL;
import org.apache.commons.httpclient.contrib.ssl.AuthSSLProtocolSocketFactory;

URL keystore = new URL( "file:///path/to/keystore.jks" );
URL truststore = new URL( "file:///path/to/truststore.jks" );
String key_pwd = "secret";
String trust_pwd = "changeit";

AuthSSLProtocolSocketFactory sf;
sf = new AuthSSLProtocolSocketFactory( keystore, key_pwd, truststore, trust_pwd );

Suppose I don't want to authenticate the server; then I should use it as below:

AuthSSLProtocolSocketFactory sf;
sf = new AuthSSLProtocolSocketFactory( keystore, key_pwd, null, null );

But I am getting an SSL handshake error. Could you please help?

Regards,
Lalit

-----Original Message-----
From: Julius Davies [mailto:juliusdavies@gmail.com]
Sent: Thursday, March 08, 2007 8:57 PM
To: HttpClient User Discussion
Subject: Re: Certificate Based Client Authentication

Hi, Lalit,

Consider downloading "not-yet-commons-ssl-0.3.7.jar" from here:

http://juliusdavies.ca/commons-ssl/download.html

With "not-yet-commons-ssl-0.3.7.jar" on your classpath, you can do this:

------------------------------------------------------
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.ssl.HttpSecureProtocol;
import org.apache.commons.ssl.KeyMaterial;
import org.apache.commons.ssl.TrustMaterial;

// Client identity: a PKCS12 file holding the client cert and private key.
char[] pwd = "secret".toCharArray();
KeyMaterial km = new KeyMaterial( "/path/to/client_cert.p12", pwd );
// Server identity: the server's X.509 certificate in PEM form.
TrustMaterial tm = new TrustMaterial( "/path/to/server_cert.pem" );
HttpSecureProtocol sf = new HttpSecureProtocol();
sf.setKeyMaterial( km );
sf.addTrustMaterial( tm );

// Alternatively, if you want to disable Java's standard "cacerts", you
// can use setTrustMaterial() instead of addTrustMaterial():
// sf.setTrustMaterial( tm );

ProtocolSocketFactory psf = sf;
Protocol specialHttps = new Protocol("https-special", psf, 443);
Protocol.registerProtocol("https-special", specialHttps);
// From this point on, HttpClient will use the client cert specified
// for all URL's of the form "https-special://".
------------------------------------------------------

If you don't have the server's X509 certificate on hand, you can download the certificate straight from the server by using the "not-yet-commons-ssl" Ping utility, documented here:

http://juliusdavies.ca/commons-ssl/utilities.html

However, be aware that acquiring and trusting a certificate in this way is not secure, since someone could impersonate the server in that one moment. It's better to acquire the server certificate "out-of-band" through the mail or an encrypted zip file or something like that. If you must acquire the certificate using the "Ping" utility, at the very least call the server's administrator and verify the fingerprint of the certificate you downloaded!

* * *

The rest of this email explains how to do things without "not-yet-commons-ssl-0.3.7".

It's possible to do what you're doing without "not-yet-commons-ssl-0.3.7.jar", just using the contrib AuthSSLProtocolSocketFactory alone. If you want to do things that way, create a special "TrustStore" JKS file and import the server's certificate into it like so:

------------------------------------------------------
keytool -import -file x509.pem -keystore my_new_truststore.jks
------------------------------------------------------

The "x509.pem" file should look like this, but with several lines of base64 - not just those two lines I've put in this example.

-----BEGIN CERTIFICATE-----
MIIGADCCA+gCCQDyLXt3uNXa9TANBgkqhkiG9w0BAQUFADCBwTELMAkGA1UEBhMC
Q0ExGTAXBgNVBAgTEEJyaXRpc2ggQ29sdW1iaWExEjAQBgNVBAcTCVZhbmNvdXZl
-----END CERTIFICATE-----

Keytool is a bit picky and might get upset if the PEM file contains ANYTHING before or after the "BEGIN" and "END" lines, including whitespace. Make sure there are no extra line-feeds or carriage returns before and after the "BEGIN" and "END".
Once you have both the "keystore" and "truststore" ready (both are java keystore files), you can do this:

------------------------------------------------------
import java.net.URL;
import org.apache.commons.httpclient.contrib.ssl.AuthSSLProtocolSocketFactory;

// keystore.jks holds the client cert + private key; truststore.jks holds
// the server certificate imported with keytool above.
URL keystore = new URL( "file:///path/to/keystore.jks" );
URL truststore = new URL( "file:///path/to/truststore.jks" );
String key_pwd = "secret";
String trust_pwd = "changeit";

AuthSSLProtocolSocketFactory sf;
sf = new AuthSSLProtocolSocketFactory( keystore, key_pwd, truststore, trust_pwd );
------------------------------------------------------

If your client certificate is in PKCS12 format (e.g. *.pfx or *.p12) after exporting from a browser, you can use the KeyStoreBuilder utility in "not-yet-commons-ssl-0.3.7" to convert it to "Java Keystore" format on the command line. The original AuthSSLProtocolSocketFactory in HttpClient's "contrib" cannot deal with PKCS12.

java -cp not-yet-commons-ssl-0.3.7.jar org.apache.commons.ssl.KeyStoreBuilder

Good luck!

yours,

Julius

On 3/8/07, Roland Weber wrote:
> Hello Lalit,
>
> Julius Davies has written some detailed mails about SSL in the last months.
> You may have to search the developer list as well as the user list.
>
> best regards,
>   Roland
>

--
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
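The keystore/truststore setup discussed in this thread, as an added example that is not code from the thread, from HttpClient's contrib package or from not-yet-commons-ssl. It uses only the JSSE classes shipped with the JDK: it loads the PKCS12 client certificate directly (JSSE reads PKCS12 without conversion), prints the SHA-256 fingerprint of the server certificate so it can be checked with the server's administrator as Julius recommends, places that single certificate in an in-memory truststore (what "keytool -import" produces on disk), and builds an SSLContext that presents the client certificate. The class name, file paths, passwords and the alias "server" are assumptions to be replaced.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/*
 * Added example; not code from the thread, HttpClient or not-yet-commons-ssl.
 * File paths, passwords and the alias "server" are assumptions.
 */
public class ClientCertFingerprintCheck {

    /** Colon-separated hex SHA-256 fingerprint of a certificate. Read this to the
     *  server's administrator before trusting a certificate you downloaded from
     *  the server itself. Java's Formatter prints a negative byte as unsigned hex. */
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** Parse a PEM-encoded X.509 certificate file of the kind shown in the thread. */
    static X509Certificate readPem(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Load a keystore file; type is "PKCS12" for a browser export (*.p12 / *.pfx)
     *  or "JKS" for a keytool-created store. */
    static KeyStore loadKeyStore(String type, String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Build an SSLContext that presents the client certificate and trusts exactly
     *  the certificates in the supplied truststore. Passing null TrustManagers to
     *  SSLContext.init() would not disable server authentication: JSSE then falls
     *  back to the JVM default truststore (cacerts), so an unknown server still
     *  fails the handshake. */
    static SSLContext buildContext(KeyStore clientKeys, char[] keyPassword, KeyStore trusted)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeys, keyPassword);   // for PKCS12 the key password is normally the store password
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // 1. Client identity (assumed path and password).
        char[] keyPassword = "secret".toCharArray();
        KeyStore clientKeys = loadKeyStore("PKCS12", "/path/to/client_cert.p12", keyPassword);

        // 2. Server certificate obtained out-of-band or downloaded; show what must
        //    be verified with the administrator before it is trusted.
        X509Certificate serverCert = readPem("/path/to/server_cert.pem");
        System.out.println("Subject:     " + serverCert.getSubjectX500Principal());
        System.out.println("Valid until: " + serverCert.getNotAfter());
        System.out.println("SHA-256:     " + fingerprint(serverCert));

        // 3. In-memory truststore holding only that certificate, the same content
        //    "keytool -import" writes into my_new_truststore.jks.
        KeyStore trusted = KeyStore.getInstance(KeyStore.getDefaultType());
        trusted.load(null, null);
        trusted.setCertificateEntry("server", serverCert);

        // 4. Socket factory for the mutual-TLS connection. Hand it to
        //    HttpsURLConnection.setSSLSocketFactory(), or wrap it in an HttpClient 3.x
        //    SecureProtocolSocketFactory and register a Protocol as in Julius's snippet.
        SSLSocketFactory factory = buildContext(clientKeys, keyPassword, trusted).getSocketFactory();
        System.out.println("SSLSocketFactory ready: " + factory.getClass().getName());
    }
}
```

Compile and run it with the two paths pointing at real files; compare the printed SHA-256 line with the fingerprint the server's administrator reads back to you, and only then ship the truststore. The in-memory truststore is deliberately built from one certificate so that the client accepts that server and nothing else, which is what importing a single certificate into a fresh JKS with keytool gives you on disk.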