hc-httpclient-users mailing list archives

From Mark Aronszajn <mark.aronsz...@openmarket.com>
Subject SSLcontext setting question
Date Sun, 13 Mar 2011 22:21:02 GMT
I'm using HttpClient 3.1.

It appears that the use of an instance of AuthSSLProtocolSocketFactory in our code (when setting
a Host for an HttpClient instance) results in a choice of SSLcontext that does not use a handshake
compatible with a server requiring SSLv3 or TLSv1 or above. Apparently, the handshake is extended
as SSLv2. I see from the AuthSSLProtocolSocketFactory code that in the createSSLContext method,
SSLContext is hard-coded as "SSL".

I've seen some email threads in this httpclient-users list that seem to suggest that we should
be using a custom SocketFactory.

I'm hoping to get some guidance... Currently I've simply copied the AuthSSLProtocolSocketFactory
class, given it a new name and changed code so that a String value can be passed in as parameter
to the constructor that will designate an Algorithm Name other than the one, "SSL", that is
hard-coded in AuthSSLProtocolSocketFactory's private createSSLContext method. I don't see
with any confidence a better way to handle this. (Actually not quite sure this does the trick
because we haven't got a test platform set up yet that demands SSLv3 or TLSv1 or above).

One post from back in 2008 suggested overriding the createSocket method instead, but it only
mentions overriding one of the 4 public createSocket methods, and I'm not sure whether that's
sufficient or the writer just omitted mentioning how to override the other 3 methods.

Anyone have advice, or some good examples of code that addresses this issue?

Here is a snippet/sample of how the HttpClient is being configured in our code (try/catch
blocks omitted for brevity):

************** SNIP *********************
HttpClient client = new HttpClient();
URL url = new URL(transportData.getHost() + "/" + transportData.getServicePath());
AuthSSLProtocolSocketFactory factory =
        new AuthSSLProtocolSocketFactory(
                new URL("file:" + transportData.getKeyStoreFile()),
                transportData.getKeyStorePassword(),
                transportData.getKeyStoreType(),
                new URL("file:" + transportData.getTrustStoreFile()),
                transportData.getTrustStorePassword(),
                transportData.getTrustStoreType());

Protocol authhttps = new Protocol("https", factory, 443);
client.getHostConfiguration().setHost(
        url.getHost(),
        (url.getPort() > 0 ? url.getPort() : url.getDefaultPort()),
        authhttps);
*******************************************
This code has been working just fine, but the servers that we target will no longer be accepting
less than SSLv3; this code seems to result in an instance of HttpClient that extends SSLv2
handshakes, which will no longer be accepted.

Again, thanks in advance for any advice or suggestions or code samples.

This message and the information contained herein is proprietary and confidential and subject
to the Amdocs policy statement,
you may review at http://www.amdocs.com/email_disclaimer.asp
