hc-httpclient-users mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: Problem connecting to a site with an invalid (expired) security certificate
Date Wed, 11 Mar 2009 17:14:17 GMT
Villemos, Gert wrote:
> I'm using the HTTPclient to connect to a site with two levels of
> security;
>
> 1. First a basic authentication.
>
> 2. Then a form login (see HTML below) ... leading to a https site.
>
> I think I'm performing the authentication and submission of the login
> form correctly (see source code below), but get an exception
> 'javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target' (see details below)
> when reading the Login URL https site.
>
> I have read and followed the (excellent) tutorial on how to
> troubleshoot and have enabled the wire logging to see the details. Didn't get
> that much smarter though...
>
> I have also turned on the '-Djavax.net.debug=ssl,handshake' to see the
> certification details (see details below).
>
> I have tried to login to the site manually using IE. The authentication
> and login form works, but I get a certification error. Looking at the
> details in the browser I can see that the reason is that the certificate
> has expired in February this year. The details of the certificate are;
> Version=V1, SerialNumber=02, SignatureAlgorithm=md5RSA,
> ValidFrom=Wednesday, 20. February 2008 2008 11:55:58, ValidTo=Thursday
> 19. February 2009 11:55:58, PublicKey=RSA (1024 Bits),
> ThumbprintAlgorithm=sha1. This seems to match the exception.
>
> I have tried to set the Java.security.provider as described in
> http://hc.apache.org/httpclient-3.x/authentication.html#Known_limitations_and_problems
> (see source code example below) but this didn't solve any
> problem.
>
> My questions;
>
> 1. Am I doing anything wrong or is this purely due to the certification
> error?
>

Either way you certainly need to address SSL/TLS transport issues first.


> 2. If it's the certification error; Can I in any way programmatically
> handle the certification error, i.e. basically ignore it?
>

Yes, you can. You will have to implement a custom TrustManager and make 
it ignore expired certificates or make it trust that particular expired 
certificate. You can take the EasySSLProtocolSocketFactory as a starting 
point and make it even 'easier':

http://hc.apache.org/httpclient-3.x/sslguide.html
http://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/EasyX509TrustManager.java?view=markup
http://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java?view=markup

Hope this helps

Oleg

> 3. If not; Can I configure my way out of the problem?
>
> I'm no security expert, so go easy on me on the answers... cheers.
>

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
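
The second option in the reply above, trusting only that particular expired certificate, as an added example; it is not part of the original message or of the HttpClient contrib code. The class name PinnedCertTrustManager is hypothetical, and the SHA-256 fingerprint passed to the constructor is assumed to have been obtained and verified out of band.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example: platform CA validation plus exactly one pinned server certificate. */
public class PinnedCertTrustManager implements X509TrustManager {
    private final X509TrustManager defaults;   // the JRE's normal PKIX checks
    private final byte[] pinnedSha256;         // SHA-256 of the DER-encoded server certificate

    public PinnedCertTrustManager(byte[] pinnedSha256) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);             // null selects the default trust store
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no default X509TrustManager");
        this.defaults = found;
        this.pinnedSha256 = pinnedSha256.clone();
    }

    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
        try {
            defaults.checkServerTrusted(chain, authType);   // standard validation first
        } catch (CertificateException e) {
            // Validation failed (expired, unknown issuer, ...): accept only the pinned
            // certificate, compared by digest; any other certificate still fails.
            if (!MessageDigest.isEqual(sha256(chain[0].getEncoded()), pinnedSha256)) throw e;
        }
    }

    private static byte[] sha256(byte[] der) throws CertificateException {
        try { return MessageDigest.getInstance("SHA-256").digest(der); }
        catch (java.security.NoSuchAlgorithmException ex) { throw new CertificateException(ex); }
    }

    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        defaults.checkClientTrusted(chain, authType);
    }
    public X509Certificate[] getAcceptedIssuers() { return defaults.getAcceptedIssuers(); }
}
```

An instance goes into the TrustManager[] passed to SSLContext.init(), which is where EasySSLProtocolSocketFactory installs EasyX509TrustManager.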

