Return-Path: Delivered-To: apmail-hc-httpclient-users-archive@www.apache.org Received: (qmail 18054 invoked from network); 2 Jun 2009 11:21:09 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 2 Jun 2009 11:21:09 -0000 Received: (qmail 84413 invoked by uid 500); 2 Jun 2009 11:21:20 -0000 Delivered-To: apmail-hc-httpclient-users-archive@hc.apache.org Received: (qmail 84344 invoked by uid 500); 2 Jun 2009 11:21:20 -0000 Mailing-List: contact httpclient-users-help@hc.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "HttpClient User Discussion" Delivered-To: mailing list httpclient-users@hc.apache.org Received: (qmail 84334 invoked by uid 99); 2 Jun 2009 11:21:20 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 02 Jun 2009 11:21:20 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_HELO_PASS,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of lists@nabble.com designates 216.139.236.158 as permitted sender) Received: from [216.139.236.158] (HELO kuber.nabble.com) (216.139.236.158) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 02 Jun 2009 11:21:09 +0000 Received: from isper.nabble.com ([192.168.236.156]) by kuber.nabble.com with esmtp (Exim 4.63) (envelope-from ) id 1MBS2y-0007ur-Fq for httpclient-users@hc.apache.org; Tue, 02 Jun 2009 04:20:48 -0700 Message-ID: <23830645.post@talk.nabble.com> Date: Tue, 2 Jun 2009 04:20:48 -0700 (PDT) From: phmccabe To: httpclient-users@hc.apache.org Subject: Re: using SSL in a development environment In-Reply-To: <23615152.post@talk.nabble.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Nabble-From: phmccabe@googlemail.com References: <23615152.post@talk.nabble.com> X-Virus-Checked: Checked by ClamAV on apache.org I recently had the same issue, having to deal with self signed certificates. I am using Apache HTTP client 4 (Beta 2, I think), and the following solutions seems to be working in my preliminary tests. Please excuse the atrocious coding practices in the code below, I'm just trying to illustrate how to do this. public DefaultHttpClient useTrustingTrustManager(DefaultHttpClient httpClient) { try { // First create a trust manager that won't care. X509TrustManager trustManager = new X509TrustManager() { public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { // Don't do anything. } public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { // Don't do anything. } public X509Certificate[] getAcceptedIssuers() { // Don't do anything. return null; } }; // Now put the trust manager into an SSLContext. SSLContext sslcontext = SSLContext.getInstance("TLS"); sslcontext.init(null, new TrustManager[] { trustManager }, null); // Use the above SSLContext to create your socket factory // (I found trying to extend the factory a bit difficult due to a // call to createSocket with no arguments, a method which doesn't // exist anywhere I can find, but hey-ho). SSLSocketFactory sf = new SSLSocketFactory(sslcontext); sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER); // If you want a thread safe client, use the ThreadSafeConManager, but // otherwise just grab the one from the current client, and get hold of its // schema registry. THIS IS THE KEY THING. ClientConnectionManager ccm = httpClient.getConnectionManager(); SchemeRegistry schemeRegistry = ccm.getSchemeRegistry(); // Register our new socket factory with the typical SSL port and the // correct protocol name. schemeRegistry.register(new Scheme("https", sf, 443)); // Finally, apply the ClientConnectionManager to the Http Client // or, as in this example, create a new one. return new DefaultHttpClient(ccm, httpClient.getParams()); } catch(Throwable t) { // AND NEVER EVER EVER DO THIS, IT IS LAZY AND ALMOST ALWAYS WRONG! t.printStackTrace(); return null; } } I hope this helps others out there looking for ways to deal with silly servers. Paul. realflash wrote: > > > Bill Higgins-2 wrote: >> >> Hi I'm working in a development environment where our servers use >> self-signed certificates. I want to use HttpClient 4 to connect to these >> servers and basically ignore any security errors that come back. I was >> hoping I could use org.apache.http.conn.ssl.SSLSocketFactory to do this >> by >> using SSLSocketFactory's ALLOW_ALL_HOSTNAME_VERIFIER verifier, but it >> failed >> with a javax.net.ssl.SSLPeerUnverifiedException with message "peer not >> authenticated". >> >> A colleague suggested that I need to create my own implementation of >> LayeredSocketFactory, e.g. "TrustingSSLSocketFactory", but I was hoping >> there was a way to get SSLSocketFactory to work for me, if I could >> configure >> it the right way. Here is the code I am currently using. Please let me >> know >> if there's something simple I can change to use SSLSocketFactory in my >> development environment with servers with self-signed certs. >> >> PS - I'm using HttpCore 4.0 Beta 2 and HttpClient 4.0 Alpha 4. >> > > For those who want to avoid the factory creation, Howard Abrams has > produced a neat solution to this problem by inserting a new security > provider that ignores cert problems. You just need to add two class files > to your project and call one method and bingo. You may also need to call > ALLOW_ALL_HOSTNAME_VERIFIER if the cert doesn't match the hostname. > > http://www.howardism.org/Technical/Java/SelfSignedCerts.html > -- View this message in context: http://www.nabble.com/using-SSL-in-a-development-environment-tp19001545p23830645.html Sent from the HttpClient-User mailing list archive at Nabble.com. --------------------------------------------------------------------- To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org For additional commands, e-mail: httpclient-users-help@hc.apache.org