hc-httpclient-users mailing list archives

From TomStrummer <tomstrum...@gmail.com>
Subject Re: SSLPeerUnverifiedException -- cannot get chain imported correctly
Date Wed, 21 Jan 2009 11:27:47 GMT

olegk wrote:
> Well, you do not need an entire chain.
> ...Effectively you need only one certificate in the chain to trust the
> whole chain.
You know, that's how I _thought_ it was supposed to work in the first

olegk wrote:
> To sum up: you need to import a certificate of the trusted CA into a 
> keystore file and configure SSL context passing an instance of KeyStore 
> generated from that file as a _truststore_. Pass null as a keystore 
> parameter. That is it. 

Oh shoot!  I had a fundamental misunderstanding -- I didn't realize there
was a difference between a keystore used for client SSL certificates, and a
truststore used for server certificate authentication.  When I used the
correct SSLSocketFactory constructor, it worked after adding just the CA
root to my truststore file.  

Thanks Oleg for your patience while explaining this to me.  You're the man.
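The setup described in this message (CA certificate in a truststore, no keystore), as an added example that is not part of the original message or HttpClient's own code. It uses only JDK JSSE classes; the class and method names are illustrative, and the truststore path and password are supplied on the command line.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Illustrative names; not taken from the thread or from HttpClient.
public class TrustStoreOnlyContext {

    // Load a keystore file that is used purely as a truststore (trusted CA certificates).
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        // An empty truststore loads without error but can never validate a server.
        if (ts.size() == 0) throw new IllegalStateException("truststore has no entries: " + path);
        return ts;
    }

    // Build an SSLContext that verifies servers against the truststore and
    // presents no client certificate: the key manager argument is null.
    static SSLContext serverAuthOnly(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    System.out.println("trusted issuer: " + ca.getSubjectX500Principal());
                }
            }
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // null key managers, default SecureRandom
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: TrustStoreOnlyContext <truststore-file> <password>");
            System.exit(2);
        }
        KeyStore ts = loadTrustStore(args[0], args[1].toCharArray());
        SSLContext ctx = serverAuthOnly(ts);
        System.out.println("SSLContext ready, protocol " + ctx.getProtocol());
    }
}
```

The printed issuer list shows which CAs the context will accept, which makes a wrong or empty truststore visible before any connection is attempted.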