hc-httpclient-users mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject RE: HTTPS Certification problem
Date Wed, 04 Jul 2007 11:46:01 GMT
On Mon, 2007-07-02 at 11:52 +0530, Dhanushka Amarakoon wrote:
> Hi
> 
> I did what you suggested but I am still unable to obtain the result that I
> require.
> 
> Can anyone please tell me a way to dynamically change the truststore used.
> It doesn't have to be something related to AuthSSLProtocolSocketFactory. Any
> way to do it would be fine. 
> 
> I need to
> 1. Execute an HTTP GET command
> 2. Check the truststore for any valid certificates.
> 3. If the truststore doesn't have the valid certificate obtain it from the
> end server and store it in the truststore.
> 4. Re-execute the HTTP GET command. Have to make sure that the truststore
> used is the newly updated truststore.
> 
> I am able to do steps 1-3 successfully.
> But I am not able to re-execute the HTTP command successfully, as it
> still only obtains certificates from the old truststore, not the newly updated
> one.
> 

If the trust store changes, you need to make sure the SSLContext
instance used to create SSL sockets gets reinitialized (recreated using
the new trust store).

Hope this helps

Oleg 
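
A standalone sketch of the reinitialisation described above, added here and not part of the original thread or of HttpClient itself: the SSLContext is rebuilt from the trust store file whenever its modification time changes, or when the caller signals that it has just written to the file. The class name, the path and the password are assumptions; a custom SecureProtocolSocketFactory would call socketFactory() inside each createSocket call instead of caching one SSLSocketFactory for the lifetime of the JVM.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/** Rebuilds the SSLContext when the trust store file on disk changes (example class, not HttpClient code). */
public final class ReloadingTrustStore {
    private final Path trustStorePath;  // assumption: a JKS/default-type keystore file
    private final char[] password;      // assumption: the store's integrity password
    private long loadedMtime = -1L;     // mtime of the file the current context was built from
    private SSLContext context;

    public ReloadingTrustStore(Path trustStorePath, char[] password) {
        this.trustStorePath = trustStorePath;
        this.password = password.clone();
    }

    /** Call this right after writing a new entry to the file; mtime alone can miss two writes in one second. */
    public synchronized void invalidate() {
        context = null;
    }

    /** Returns a context built from the file as it is now, recreating it if the file changed. */
    public synchronized SSLContext context() throws IOException, GeneralSecurityException {
        long mtime = Files.getLastModifiedTime(trustStorePath).toMillis();
        if (context == null || mtime != loadedMtime) {
            context = build();
            loadedMtime = mtime;
        }
        return context;
    }

    /** The socket factory a protocol socket factory should fetch per connection rather than cache. */
    public SSLSocketFactory socketFactory() throws IOException, GeneralSecurityException {
        return context().getSocketFactory();
    }

    /** Loads the trust store and wires it into a fresh SSLContext; no client key material is used. */
    private SSLContext build() throws IOException, GeneralSecurityException {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(trustStorePath)) {
            trustStore.load(in, password);  // also verifies the store's integrity MAC
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

Reloading only propagates whatever the file contains; the step that writes new entries into it decides which servers end up trusted, so that step should only add certificates that were verified through some channel other than the connection being repaired.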

> BTW
> Thanks go out to Roland for helping me out.
> 
> Regards
> 
> Dhanushka Amarakoon
> 
> 
> -----Original Message-----
> From: Roland Weber [mailto:ossfwot@dubioso.net] 
> Sent: Friday, June 29, 2007 10:49 PM
> To: HttpClient User Discussion
> Subject: Re: HTTPS Certification problem
> 
> Hello Dhanushka,
> 
> >     while (retry <= retryCount) {
> >       try {
> >         Protocol authhttps = new Protocol("https",
> >             new AuthSSLProtocolSocketFactory(
> >                 new URL("file:E:\\Dhanushka\\Connectors\\AptiloConnector_new\\my.keyStore"),
> 
> That is a really strange format for a URL. I would have used
> file:///e:/Dhanushka/Connectors/AptiloConnector_new/my.keyStore
> Anyway, if it works.
> 
> >                 "112233",
> >                 new URL("file:E:\\Dhanushka\\Connectors\\AptiloConnector_new\\my.keyStore"),
> >                 "112233"), 443);
> > //        httpclient.getHostConfiguration().setHost("localhost", 443, authhttps);
> >         Protocol.registerProtocol("https", authhttps);
> 
> It is a rather bad idea to register the protocol in a loop.
> And it may not work as expected, depending on how the
> AuthSSLProtocolSocketFactory relates to SSL contexts.
> I can't tell you details, because I don't know them.
> But this _feels_ all wrong.
> Use one single AuthSSLProtocolSocketFactory. Modify the
> code of that factory so you can update the key store at
> runtime. Test and debug until you are sure that the new
> key store content is picked up at runtime.
> Then verify that the initial key store is read from the
> file referenced above. Afterwards, verify that updates
> to the key store are written to that very file. And make
> sure that the writing succeeds and is not prevented by
> some spurious file locks because a file is not properly
> closed or some such interference.
> 
> good luck,
>   Roland
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
> 
> 
