hc-httpclient-users mailing list archives

From TomStrummer <tomstrum...@gmail.com>
Subject Re: SSLPeerUnverifiedException -- cannot get chain imported correctly
Date Wed, 21 Jan 2009 11:27:47 GMT


olegk wrote:
> 
> Well, you do not need an entire chain.
> 
> ...Effectively you need only one certificate in the chain to trust the
> whole chain.
> 
You know, that's how I _thought_ it was supposed to work in the first
place...


olegk wrote:
> 
> To sum up: you need to import a certificate of the trusted CA into a 
> keystore file and configure SSL context passing an instance of KeyStore 
> generated from that file as a _truststore_. Pass null as a keystore 
> parameter. That is it. 
> 

Oh shoot!  I had a fundamental misunderstanding -- I didn't realize there
was a difference between a keystore used for client SSL certificates, and a
truststore used for server certificate authentication.  When I used the
correct SSLSocketFactory constructor, it worked after adding just the CA
root to my truststore file.  

Thanks Oleg for your patience while explaining this to me.  You're the man.
-- 
View this message in context: http://www.nabble.com/SSLPeerUnverifiedException----cannot-get-chain-imported-correctly-tp21564943p21581299.html
Sent from the HttpClient-User mailing list archive at Nabble.com.
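
The setup described in this message, written out as an added example that is not part of the original thread: it uses the standard JSSE classes rather than HttpClient's own SSLSocketFactory, and the truststore path, password and host name passed as arguments are assumptions. The truststore holds only the CA certificate, and no keystore (client certificate) is supplied.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreOnlyClient {

    // Load a JKS file that holds the trusted CA certificate(s).
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        // A truststore should contain certificate entries only; a private-key
        // entry suggests the file is really a client keystore.
        for (String alias : Collections.list(ts.aliases())) {
            if (!ts.isCertificateEntry(alias)) {
                throw new IllegalStateException("Not a trusted-certificate entry: " + alias);
            }
        }
        return ts;
    }

    // Key managers are null (no client certificate); trust comes from the truststore.
    static SSLContext contextTrusting(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical arguments: truststore path, truststore password, server host name.
        SSLContext ctx = contextTrusting(loadTrustStore(args[0], args[1].toCharArray()));
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[2], 443)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // also check the host name
            s.setSSLParameters(p);
            s.startHandshake(); // fails if the chain does not lead to a trusted CA
            System.out.println("Peer verified: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

A bare `SSLSocket` does not check the server's host name unless endpoint identification is enabled, which is why the example sets it before the handshake.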

