hc-httpclient-users mailing list archives

From Ravichan <ravichan....@gmail.com>
Subject Re: SSL Site
Date Tue, 18 Mar 2008 05:19:33 GMT

Hi, I followed your steps.

I have downloaded the certificate and stored it as DER locally.
Then I tried to execute the following command.

keytool -keystore "C:\Program Files\Java\jdk1.6.0\jre\lib\security\cacerts"
 -import -alias mysecurestore -file C:\temp\certfile.cer -trustcacerts

It's asking for a password. I am not sure what password to supply.

Can you please advise me?



olegk wrote:
> 
> On Wed, 2007-05-02 at 22:22 -0700, RossW wrote: 
>> ok cool...i fixed the problem.  So first of all i had to connect through proxy first and then secondly i had to add the certificate to the keystore and then add the keystore as a property to code..now working fine.  so here is the code which made all the difference.
>> 
>> first i had to export the cert from the site...once logged in i just double clicked on the lock icon in IE (on the status bar down the bottom of IE when logged into the secure site) and then found and copy to file button.  I saved it as a DER encrypted file to say c:\temp\certfile.cer and then using keytool as follows (keytool can be found in the JDK bin folder)
>> 
>> keytool -keystore "C:\Program Files\Java\jdk1.6.0\jre\lib\security\cacerts" -import -alias mysecurestore -file C:\temp\certfile.cer -trustcacerts
>> 
>> System.setProperty("javax.net.ssl.trustStore", "C:\\Program Files\\Java\\jdk1.6.0\\jre\\lib\\security\\cacerts");
>> 
>> and now is working like a charm.  I hope this comes in handy for someone else in future cuz this one really sucked.
>> 
> 
> Ross
> 
> You may consider using AuthSSLProtocolSocketFactory if you want to avoid
> having to modify the cacerts file 
> 
> http://svn.apache.org/viewvc/jakarta/commons/proper/httpclient/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/
> http://svn.apache.org/viewvc/jakarta/commons/proper/httpclient/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/AuthSSLProtocolSocketFactory.java?view=markup
> 
> For details see
> 
> http://jakarta.apache.org/commons/httpclient/sslguide.html
> 
> Oleg
> 
>> 
>> RossW wrote:
>> > 
>> > ok now i am getting this...the change i made which was causing the prev error was to connect via proxy first.  Funny thing was that i was told without any doubt that it was not proxied. Anyways now i am getting SSL cert related errors
>> > 
>> > javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>> > 	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
>> > 	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
>> > 	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>> > 	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>> > 	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>> > 	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
>> > 	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
>> > 	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
>> > 	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
>> > 	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>> > 	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
>> > 	at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
>> > 	at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
>> > 	at java.io.BufferedOutputStream.flush(Unknown Source)
>> > 	at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(Unknown Source)
>> > 	at org.apache.commons.httpclient.HttpMethodBase.writeRequest(Unknown Source)
>> > 	at org.apache.commons.httpclient.HttpMethodBase.execute(Unknown Source)
>> > 	at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(Unknown Source)
>> > 	at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(Unknown Source)
>> > 	at org.apache.commons.httpclient.HttpClient.executeMethod(Unknown Source)
>> > 	at org.apache.commons.httpclient.HttpClient.executeMethod(Unknown Source)
>> > 	at chester_japp.Chester_queue.record_proc(Chester_queue.java:129)
>> > 	at chester_japp.Chester_queue.run(Chester_queue.java:382)
>> > 	at java.lang.Thread.run(Unknown Source)
>> > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>> > 	at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>> > 	at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>> > 	at sun.security.validator.Validator.validate(Unknown Source)
>> > 	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
>> > 	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>> > 	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>> > 	... 20 more
>> > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>> > 	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
>> > 	at java.security.cert.CertPathBuilder.build(Unknown Source)
>> > 	... 26 more
>> > 
>> > olegk wrote:
>> >> 
>> >> On Tue, 2007-04-24 at 04:22 -0700, RossW wrote:
>> >>>
>> >>> > 
>> >>> > Ross,
>> >>> > 
>> >>> > This appears to be some kind of connectivity problem. Is this an intranet or internet site? Can you establish a connection to that site using a browser? 
>> >>> > 
>> >>> > You do not explicitly set a connect timeout value, so the JRE default one applies. Try explicitly setting the connect timeout value to something like 10 min and see what happens. 
>> >>> > 
>> >>> > Oleg
>> >>> > 
>> >> 
>> >> ...
>> >> 
>> >>> 
>> >>> Hey thanks for the reply.  It is an intranet site but i am able to access it ok when using my browser and the proxy server does not affect this site.  I think i have tried setting the timeout for both the connection and the socket to unlim and it was still failing.  I suspect somehow it is related to the SSL but found it odd that i can connect to some SSL sites.  A friend of mine wrote a similar program that uses HTTPCLIENT (the one written by a chinese group can't recall their name) and the code is similar and it works fine.  I want to use the apache one because i believe it will have more ongoing support.
>> >>> 
>> >>> Thanks.
>> >> 
>> >> Please note that for some JREs infinite connect timeout (zero value) effectively means the _default_ value, which may well be a finite number. 
>> >> 
>> >> Are you absolutely sure the browser is hitting the site directly and not through a proxy?
>> >> 
>> >> Anyways, if this is an internal site, internal infrastructure staff are your best friends. They should be able to tell why connections time out.
>> >> 
>> >> Oleg 
>> >> 
>> >> 
>> >> ---------------------------------------------------------------------
>> >> To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
>> >> For additional commands, e-mail:
>> httpclient-user-help@jakarta.apache.org
>> >> 
>> >> 
>> >> 
>> > 
>> > 
>> 
> 
> 

-- 
View this message in context: http://www.nabble.com/SSL-Site-tp9803919p16114444.html
Sent from the HttpClient-User mailing list archive at Nabble.com.

