hc-httpclient-users mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: using SSL in a development environment
Date Fri, 15 Aug 2008 18:23:44 GMT
On Fri, 2008-08-15 at 12:21 -0400, Bill Higgins wrote:
> Hi, I'm working in a development environment where our servers use
> self-signed certificates. I want to use HttpClient 4 to connect to these
> servers and basically ignore any security errors that come back. I was
> hoping I could use org.apache.http.conn.ssl.SSLSocketFactory to do this by
> using SSLSocketFactory's ALLOW_ALL_HOSTNAME_VERIFIER verifier, but it failed
> with a javax.net.ssl.SSLPeerUnverifiedException with message "peer not
> authenticated".
> 
> A colleague suggested that I need to create my own implementation of
> LayeredSocketFactory, e.g. "TrustingSSLSocketFactory", but I was hoping
> there was a way to get SSLSocketFactory to work for me, if I could configure
> it the right way. 

Bill,

Please note that host name verification and SSL certificate trust are not
the same thing. Host name verification is an additional safeguard one
may want to execute in order to make sure the CN (common name) of the
certificate matches that of the target host.

If you want your application to trust some specific servers you should
create a trust store containing certificates of those servers and
initialize the SSLSocketFactory accordingly. If you want to trust _any_
self-signed certificate (something we do not want to encourage) there is
no way around creating a custom socket factory.

Hope this helps.

Oleg


> Here is the code I am currently using. Please let me know
> if there's something simple I can change to use SSLSocketFactory in my
> development environment with servers with self-signed certs.
> 
> PS - I'm using HttpCore 4.0 Beta 2 and HttpClient 4.0 Alpha 4.
> 
> import java.io.IOException;
> 
> import org.apache.http.HttpEntity;
> import org.apache.http.HttpException;
> import org.apache.http.HttpHost;
> import org.apache.http.HttpRequest;
> import org.apache.http.HttpResponse;
> import org.apache.http.HttpVersion;
> import org.apache.http.client.HttpClient;
> import org.apache.http.conn.ClientConnectionManager;
> import org.apache.http.conn.scheme.Scheme;
> import org.apache.http.conn.scheme.SchemeRegistry;
> import org.apache.http.conn.ssl.SSLSocketFactory;
> import org.apache.http.entity.ByteArrayEntity;
> import org.apache.http.impl.client.DefaultHttpClient;
> import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
> import org.apache.http.message.BasicHttpRequest;
> import org.apache.http.params.BasicHttpParams;
> import org.apache.http.params.HttpParams;
> import org.apache.http.params.HttpProtocolParams;
> import org.apache.http.protocol.HttpContext;
> import org.apache.http.protocol.HttpRequestHandler;
> import org.apache.http.util.EntityUtils;
> 
> public class ProxyHandler implements HttpRequestHandler {
> 
>     private final HttpClient httpClient;
>     private final HttpHost target;
> 
>     public ProxyHandler() {
>         HttpParams params = new BasicHttpParams();
>         HttpProtocolParams.setVersion(params, HttpVersion.HTTP_1_1);
>         HttpProtocolParams.setContentCharset(params, "UTF-8");
>         HttpProtocolParams.setUseExpectContinue(params, true);
> 
>         SchemeRegistry schemeRegistry = new SchemeRegistry();
> 
>         try {
>             // A null trust store falls back to the JRE's default trust
>             // managers, so a self-signed server certificate is still rejected.
>             SSLSocketFactory socketFactory = new SSLSocketFactory(null);
>             // This only relaxes the CN-vs-host check, not certificate trust.
>             socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
>             schemeRegistry.register(new Scheme("https", socketFactory, 9443));
>         } catch (Exception e) {
>             throw new RuntimeException(e);
>         }
> 
>         ClientConnectionManager ccm = new ThreadSafeClientConnManager(params, schemeRegistry);
>         httpClient = new DefaultHttpClient(ccm, params);
> 
>         target = new HttpHost("localhost", 9443, "https");
>     }
> 
>     public void handle(HttpRequest request, HttpResponse response,
>             HttpContext context) throws HttpException, IOException {
> 
>         HttpRequest proxyRequest = new BasicHttpRequest("GET", "/my/resource", HttpVersion.HTTP_1_1);
> 
>         HttpEntity proxyEntity = null;
>         try {
>             HttpResponse proxyResponse = httpClient.execute(target, proxyRequest);
>             response.setStatusLine(proxyResponse.getStatusLine());
>             proxyEntity = proxyResponse.getEntity();
>             if (proxyEntity != null) {
>                 // Buffer the upstream body and attach it to the outgoing response:
>                 // the upstream entity is consumed in finally, before the response
>                 // is written, so its stream cannot be handed out directly.
>                 ByteArrayEntity outEntity = new ByteArrayEntity(EntityUtils.toByteArray(proxyEntity));
>                 outEntity.setContentType(proxyEntity.getContentType());
>                 response.setEntity(outEntity);
>             }
>         } finally {
>             if (proxyEntity != null) {
>                 proxyEntity.consumeContent();
>             }
>         }
>     }
> }


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
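The trust-store approach Oleg recommends, as a worked example added here by the editor; it is not code from the thread or from the HttpClient project. It assumes the HttpClient 4.0 API used in the quoted code, the same `localhost:9443` target, and a PEM-encoded copy of the development server's certificate in a file named `dev-server.pem` (the file name, the key-store alias prefix and the `PinnedDevClient` class are illustrative). Only the certificate(s) in that file are trusted, and host name verification stays switched on.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
import org.apache.http.params.BasicHttpParams;
import org.apache.http.params.HttpParams;
import org.apache.http.util.EntityUtils;

/**
 * Trusts a development server's self-signed certificate by placing it in a
 * dedicated trust store, instead of disabling verification.
 *
 * Export the certificate once (assumed file name, adjust to taste):
 *   openssl s_client -connect localhost:9443 </dev/null 2>/dev/null \
 *     | openssl x509 -outform PEM > dev-server.pem
 */
public class PinnedDevClient {

    /** Builds an in-memory trust store holding only the certificate(s) in the PEM file. */
    static KeyStore trustStoreFromPem(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // empty store, not backed by a file
        InputStream in = new FileInputStream(pemPath);
        try {
            int i = 0;
            // generateCertificates accepts a file with one or several PEM blocks
            for (Certificate cert : cf.generateCertificates(in)) {
                trustStore.setCertificateEntry("dev-server-" + i++, cert); // alias is illustrative
            }
        } finally {
            in.close();
        }
        return trustStore;
    }

    /** An HttpClient whose https scheme trusts exactly the given store. */
    static HttpClient newClient(KeyStore trustStore) throws Exception {
        // Trust decision: only certificates in trustStore (or chains rooted in them) are accepted.
        SSLSocketFactory sf = new SSLSocketFactory(trustStore);
        // Host name check stays on: the certificate's CN/SAN must match the host we connect to.
        sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);

        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("https", sf, 9443));

        HttpParams params = new BasicHttpParams();
        return new DefaultHttpClient(new ThreadSafeClientConnManager(params, registry), params);
    }

    public static void main(String[] args) throws Exception {
        String pem = args.length > 0 ? args[0] : "dev-server.pem";
        HttpClient client = newClient(trustStoreFromPem(pem));
        HttpGet get = new HttpGet("https://localhost:9443/my/resource");
        HttpResponse resp = client.execute(get);
        System.out.println(resp.getStatusLine());
        if (resp.getEntity() != null) {
            System.out.println(EntityUtils.toString(resp.getEntity()));
        }
        client.getConnectionManager().shutdown();
    }
}
```

With this setup a server presenting any other certificate, self-signed or not, is rejected with the same `SSLPeerUnverifiedException` the original post describes, which is the intended behaviour. If the development certificate was issued for a name other than `localhost`, the right fix is to reissue it with a matching CN or subject alternative name (or connect using the name it carries), not to fall back to `ALLOW_ALL_HOSTNAME_VERIFIER`; doing that would let any certificate in the trust store vouch for any host.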

