hc-httpclient-users mailing list archives

From Travis T <travis.tr...@hp.com>
Subject Re: SSL Mutual Authentication Code worked in 4.0.1 but fails in 4.1
Date Wed, 09 Mar 2011 18:16:33 GMT


olegk wrote:
> 
> Travis,
> 
> It looks like the remote server all of a sudden drops the connection in
> the middle of the SSL handshake on the unsuspecting client. Looks very
> bizarre.
> 
> I reviewed code of both versions and I found out there were some subtle
> differences in the algorithm used by SSLSocketFactory in HC 4.0.1 and HC
> 4.1 to create SSLSocket instances and to connect them to a remote
> endpoint. 
> 
> Could you please try out two things?
> 
> (1) Please check the socket timeout value configured for the request and
> make sure it is not too aggressive (low)
> 
> (2) Make a copy of SSLSocketFactory, 
> 
> http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/SSLSocketFactory.java
> 
> replace #createSocket method with this one
> 
> ---
> public Socket createSocket(final HttpParams params) throws IOException {
>   return this.socketfactory.createSocket();
> }
> ---
> 
> and configure HttpClient to use your implementation of SSLSocketFactory
> instead of the stock one.
> 
> Oleg
> 
> 

Oleg,

Your new code fixed the issue!  Thank you!

So, it appears that the existing 4.1 code wasn't using the socket factory to
create the socket.  I'll provide some details below, but my question is when
would I expect to get this fix in an official build? I want to move past
4.0.1, but I don't want to use my own patched build.

Some info on what I did:

The socket timeout was showing as being set to 0, which I traced through the
httpclient code to mean an infinite timeout, per the below:


    /**
     * Defines the socket timeout (<code>SO_TIMEOUT</code>) in milliseconds,
     * which is the timeout for waiting for data  or, put differently,
     * a maximum period inactivity between two consecutive data packets).
     * A timeout value of zero is interpreted as an infinite timeout.
     * <p>
     * This parameter expects a value of type {@link Integer}.
     * </p>
     * @see java.net.SocketOptions#SO_TIMEOUT
     */
    public static final String SO_TIMEOUT = "http.socket.timeout";


However, I went ahead and tried to change that timeout using the below and I
still got failures:


            HttpParams params = httpget.getParams();
            int soTimeout = HttpConnectionParams.getSoTimeout(params);
            HttpConnectionParams.setSoTimeout(params, 100000);
            httpget.setParams(params);


I took the svn URL you gave for the new code and I could not use it, because
SSLSocketFactory has already been changed from 4.1.  It referenced
org.apache.http.conn.HttpInetSocketAddress, which I traced to being @since
4.2.  Since I wanted to use the 4.1 dependency and only hot replace the
SSLSocketFactory method you mentioned above, I went and pulled the
SSLSocketFactory in the 4.1 tag (I hope that was the right tag).
http://svn.apache.org/repos/asf/httpcomponents/httpclient/tags/4.1/httpclient/src/main/java/org/apache/http/conn/ssl/SSLSocketFactory.java

The method in that code showed the following, which I see means that the 4.1
code wasn't actually using the socket factory to create the socket.


    public Socket createSocket(final HttpParams params) throws IOException {
        return new Socket();
    }


-- 
View this message in context: http://old.nabble.com/SSL-Mutual-Authentication-Code-worked-in-4.0.1-but-fails-in-4.1-tp31092864p31108967.html
Sent from the HttpClient-User mailing list archive at Nabble.com.
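
Added example (not part of the original message and not HttpComponents project code): one way to apply the workaround discussed above against the 4.1 jar and register it for https with a client-certificate SSLContext. It assumes that overriding createSocket in a subclass has the same effect as the edited copy Oleg describes; the class and method names ContextSocketFactory, mutualAuthContext and newClient are hypothetical.

```java
import java.io.IOException;
import java.net.Socket;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.params.HttpParams;

/** Hypothetical subclass; it keeps its own SSLContext reference because the
 *  parent's socketfactory field is private. */
public class ContextSocketFactory extends SSLSocketFactory {
    private final SSLContext sslContext;

    public ContextSocketFactory(SSLContext sslContext) {
        super(sslContext); // parent keeps its default hostname verifier
        this.sslContext = sslContext;
    }

    // Assumption: equivalent to the replacement method quoted in the thread.
    // The unconnected socket comes from the SSL socket factory, not new Socket().
    @Override
    public Socket createSocket(HttpParams params) throws IOException {
        return sslContext.getSocketFactory().createSocket();
    }

    /** Context that presents the client key and trusts only trustStore. */
    public static SSLContext mutualAuthContext(KeyStore clientKeys,
            char[] keyPassword, KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(
                KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeys, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Registers the factory for https in place of the stock one. */
    public static DefaultHttpClient newClient(SSLContext ctx) {
        DefaultHttpClient client = new DefaultHttpClient();
        client.getConnectionManager().getSchemeRegistry()
              .register(new Scheme("https", 443, new ContextSocketFactory(ctx)));
        return client;
    }
}
```

The trust store passed to mutualAuthContext should hold only the CA or server certificate the client is meant to accept, so the workaround does not loosen server validation.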

