hc-httpclient-users mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: Trouble with TrustManager and TrustStrategy for self-signed-certificates
Date Mon, 13 Dec 2010 20:41:18 GMT
On Mon, 2010-12-13 at 09:23 +0100, Gerhard Sinne wrote:
> Hi all,
> I've asked something similar before, so apologies if you feel it's doubled.
> 
> I have an HTTPS server that I need to connect to using HTTPS and digest 
> authentication. This works perfectly with plain HTTP.
> 
> Now for SSL, I implemented a TrustManager with its methods as empty ones 
> and connected it to the SSLFactory. But the methods
> are not even called during the httpclient.execute() call.
> 
> Then I switched to TrustStrategy and connected this to the SSLFactory. 
> Again no way. The isTrusted() method of TrustStrategy is not even called.
> 
> Instead both implementations just abort with 
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated.
> 
> This is the essential code for  TrustManager  (X509TrustManager did not 
> work either)
> ==============================================================================================
> public class ClientTrustManager {
> 
>   public final static void main(String[] args) throws Exception {
> 
>     SSLContext ctx = SSLContext.getInstance("TLS");
>     MyTrustManager tm = new MyTrustManager();
>     ctx.init(null, new TrustManager[]{tm}, null);
>     SSLSocketFactory socketFactory = new SSLSocketFactory(ctx);
> 
>     DefaultHttpClient httpclient = new DefaultHttpClient();
>     httpclient.getConnectionManager().getSchemeRegistry().register(
>         new Scheme("https", 443, socketFactory));
>     httpclient.getCredentialsProvider().setCredentials(
>         new AuthScope(null, -1, null),
>         new UsernamePasswordCredentials("...", "..."));
>     HttpGet httpget = new HttpGet("https://192.168.111.56/...");
>     HttpResponse response = httpclient.execute(httpget);
>   }
> }
> 
> class MyTrustManager implements TrustManager {
> 
>   public void checkClientTrusted(java.security.cert.X509Certificate[] xcs,
>       String string) throws CertificateException {
>     System.out.println("checkClientTrusted");
>   }
>   public java.security.cert.X509Certificate[] getAcceptedIssuers() {
>     System.out.println("getAcceptedIssuers");
>     return null;
>   }
>   public void checkServerTrusted(java.security.cert.X509Certificate[] arg0,
>       String arg1) throws CertificateException {
>     System.out.println("checkServerTrusted");
>   }
> }
> 
> And this is the essential code for TrustStrategy:
> ====================================================================================
> public class ClientTrustStrategy {
> 
>   public final static void main(String[] args) throws Exception {
> 
>     MyTrustStrategy ts = new MyTrustStrategy();
>     SSLSocketFactory socketFactory = new SSLSocketFactory(ts);
>     DefaultHttpClient httpclient = new DefaultHttpClient();
>     httpclient.getConnectionManager().getSchemeRegistry().register(
>         new Scheme("https", 443, socketFactory));
> 
>     httpclient.getCredentialsProvider().setCredentials(
>         new AuthScope(null, -1, null),
>         new UsernamePasswordCredentials("...", "..."));
>     HttpResponse response = httpclient.execute(httpget);
>   }
> }
> class MyTrustStrategy implements TrustStrategy {
> 
>   public boolean isTrusted(X509Certificate[] arg0, String authString)
>       throws CertificateException {
>     System.out.println("MyTrustStrategy.isTrusted:" + authString);
>     return true;
>   }
> }
> ====================================================================================
> Can somebody shed a light on this?
> 
> Thx for any help 
> Gerd
> 

Gerd

I find it somewhat difficult to believe that the trust manager never
gets called. You might want to turn on the SSL debugging to find out
what certificates are trusted.

http://download.oracle.com/javase/1.5.0/docs/guide/security/jsse/ReadDebug.html

Oleg
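
Added example (not part of either message and not HttpClient project code): a plain-JSSE check that turns on the SSL debugging suggested above and logs whether the trust manager is consulted, while trusting only one known self-signed certificate rather than accepting every peer. The class name, the PEM file argument and the host argument are assumptions; the certificate file is assumed to have been exported from the server and verified out of band.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

public class PinnedTrustDemo {
  // Builds a context that trusts only the certificate stored in pemPath.
  static SSLContext pinnedContext(String pemPath) throws Exception {
    Certificate cert;
    try (InputStream in = new FileInputStream(pemPath)) {
      cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
    }
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    ks.load(null, null);                         // empty in-memory trust store
    ks.setCertificateEntry("server", cert);
    TrustManagerFactory tmf =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(ks);
    // SSLContext.init() uses only the first X509TrustManager it finds in the array.
    final X509TrustManager real = (X509TrustManager) tmf.getTrustManagers()[0];
    X509TrustManager logging = new X509TrustManager() {
      public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
        real.checkClientTrusted(c, a);
      }
      public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
        System.out.println("checkServerTrusted: " + c[0].getSubjectX500Principal() + " (" + a + ")");
        real.checkServerTrusted(c, a);           // throws unless the chain ends in the pinned cert
      }
      public X509Certificate[] getAcceptedIssuers() { return real.getAcceptedIssuers(); }
    };
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, new TrustManager[] { logging }, null);
    return ctx;
  }

  public static void main(String[] args) throws Exception {
    System.setProperty("javax.net.debug", "ssl,handshake"); // set before JSSE is first used
    SSLContext ctx = pinnedContext(args[0]);                 // args[0]: PEM file, args[1]: host
    try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[1], 443)) {
      s.startHandshake();
      System.out.println("handshake ok: " + s.getSession().getCipherSuite());
    }
  }
}
```

The raw `SSLSocket` handshake checks the certificate only, not the host name. The same context can be handed to `new SSLSocketFactory(ctx)` as in the quoted code.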


