hc-httpclient-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Oleg Kalnichevski <ol...@apache.org>
Subject Re: SSLPeerUnverifiedException -- cannot get chain imported correctly
Date Tue, 20 Jan 2009 22:07:10 GMT
TomStrummer wrote:
> I've gone over those instructions and a dozen variants.  Like I said, I've
> imported the cert into a JKS keystore and use that in my SSLSocketFactory. 
> No dice.  
> There's no client authentication; it's just trying to authenticate the
> server against a trusted CA and I think I'm just having a problem properly
> importing a certificate _chain_ (not just a single certificate) into the
> keystore. 

Well, you do not need an entire chain.

Say, the client is configured to trust a certificate issued by a trusted 
CA, called 'trusted CA'. If the client receives the following 
certificate chain

'server cert' -> 'department cert' -> 'company cert' -> 'trusted CA'

the entire chain is trusted. Effectively you need only one certificate 
in the chain to trust the whole chain.

  I don't really want to create a custom trust manager as this more
> or less bypasses the SSL security.
> I've tried...
> - exporting the chain as a PEM file and importing into the keystore (I get
> only one the top certificate)
> - exporting the chain as a pkcs7 file - keytool says it's not an x.509
> certificate
> - exporting the individual certs as PEM or pkcs7 - they can be imported into
> a keystore but are not chained
> - exported via various different options that IE's certificate export wizard
> gives.  None of them seem to work.

To sum up: you need to import a certificate of the trusted CA into a 
keystore file and configure SSL context passing an instance of KeyStore 
generated from that file as a _truststore_. Pass null as a keystore 
parameter. That is it. Run your application with -Djavax.net.debug=all 
system property to see where exactly things get screwy.

Hope this helps


> olegk wrote:
>> The Javadocs of the SSLSocketFactory include instructions how to create 
>> a trust store given a trusted public certificate. I guess this should be 
>> sufficient:
>> http://hc.apache.org/httpcomponents-client/httpclient/apidocs/org/apache/http/conn/ssl/SSLSocketFactory.html
>> The worst case, one can set up an SSL context with a trust manager 
>> trusting any certificate, including invalid ones.

To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org

View raw message