hc-httpclient-users mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: httpclient configuration over ssl-truststores question
Date Tue, 08 Mar 2011 10:58:36 GMT
On Mon, 2011-03-07 at 09:02 -0800, am am wrote:
> I have a question relating to httpclient and ssl connections. 
> I have no problem connecting to tomcat for server authentication using apache 
> httpclient (tomcat is sending back a self-signed certificate i.e. not trusted by 
> java by default).
> Actually I have configured ssl to use my own trustmanager in order to use my 
> custom truststore and not java's default. The code is as follows:
> 
> 
>     HttpClient client = new DefaultHttpClient();
>     SSLContext sslContext = SSLContext.getInstance("TLS");
> 
>     TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
>     KeyStore ks = KeyStore.getInstance("JKS");
>     File trustFile = new File("clientTrustStore.jks");
>     ks.load(new FileInputStream(trustFile), null);
>     tmf.init(ks);
>     sslContext.init(null, tmf.getTrustManagers(), null);
>     SSLSocketFactory sf = new SSLSocketFactory(sslContext);
>     sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
>     Scheme scheme = new Scheme("https", sf, 443);
>     client.getConnectionManager().getSchemeRegistry().register(scheme);
>     HttpGet httpGet = new HttpGet("https://localhost:8443/myApp");
>     HttpResponse httpResponse = client.execute(httpGet);
> Ok so far.
> I enabled java debugging for ssl: 
> 
> System.setProperty("javax.net.debug", "ssl");
> to see what is going on, and I noticed that both my "clientTrustStore.jks" as 
> well as cacerts (java's default) are being used (this is what shows from debug 
> info). 
> 
> My question is why is this happening?  I was expecting that only my trust-store 
> would be used. Am I doing something wrong in the configuration? Sample debugging 
> traces:
> 
> ***
> adding as trusted cert:
>   Subject: CN=Me, OU=MyHouse, O=Home, L=X, ST=X, C=BB
>   Issuer:  CN=Me, OU=MyHouse, O=Home, L=X, ST=X, C=BB
>   Algorithm: RSA; Serial number: 0x4d72356b
>   Valid from Sat Mar 05 15:06:51 EET 2011 until Fri Jun 03 16:06:51 EEST 2011 
> This is my self-signed certificate expected to be sent by tomcat during SSL 
> handshake
> 
> trigger seeding of SecureRandom
> done seeding SecureRandom
> 
> trustStore is: C:\Program Files\Java\jre6\lib\security\cacerts
> trustStore type is : jks
> trustStore provider is : 
> init truststore
> adding as trusted cert:
>   Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
>   Issuer:  CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
>   Algorithm: RSA; Serial number: 0x4eb200670c035d4f
>   Valid from Wed Oct 25 11:36:00 EEST 2006 until Sat Oct 25 11:36:00 EEST 2036
> 
> adding as trusted cert:
>   Subject: EMAILADDRESS=info@valicert.com, CN=http://www.valicert.com/, 
> OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert 
> Validation Network
>   Issuer:  EMAILADDRESS=info@valicert.com, CN=http://www.valicert.com/, 
> OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert 
> Validation Network
>   Algorithm: RSA; Serial number: 0x1
>   Valid from Sat Jun 26 01:23:48 EEST 1999 until Wed Jun 26 01:23:48 EEST 2019
> 

I am seeing exactly the same behavior when using a custom trust store
containing just one trusted certificate. For some reason JSSE classes
also parse the default trust store. However, the client appears to trust
only those servers whose certificate chain contains the trusted
certificate explicitly passed to the SSLContext#init method. For
instance, certificates presented by www.verisign.com are rejected as
untrusted. 

Oleg  
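A way to confirm Oleg's observation yourself rather than reading the javax.net.debug output: ask the trust manager built from the custom store which issuers it accepts, then wire only that trust manager into HttpClient with strict hostname verification instead of ALLOW_ALL_HOSTNAME_VERIFIER. This is an added example written for this archive page, not code from the original thread or from HttpClient; the class name, the command-line arguments and the store password are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;

// Hypothetical usage: java TrustStoreCheck clientTrustStore.jks <storepass> https://localhost:8443/myApp
public class TrustStoreCheck {

    // Returns the X509TrustManager backed only by the given JKS file.
    static X509TrustManager trustManagerFrom(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(path);
        try {
            ks.load(in, password); // a non-null password turns on the JKS integrity check
        } finally {
            in.close();
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager built from " + path);
    }

    public static void main(String[] args) throws Exception {
        X509TrustManager tm = trustManagerFrom(args[0], args[1].toCharArray());
        // Whatever the debug log says about cacerts, this list is the real set of trust anchors.
        for (X509Certificate anchor : tm.getAcceptedIssuers()) {
            System.out.println("trusted anchor: " + anchor.getSubjectX500Principal());
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        SSLSocketFactory sf = new SSLSocketFactory(ctx);
        sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER); // checks CN/SAN against the host
        HttpClient client = new DefaultHttpClient();
        client.getConnectionManager().getSchemeRegistry().register(new Scheme("https", sf, 443));
        // A server whose chain ends in a public CA that is absent from the store (the
        // www.verisign.com case above) fails here with an SSLHandshakeException.
        HttpResponse response = client.execute(new HttpGet(args[2]));
        System.out.println(response.getStatusLine());
    }
}
```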


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org

