hc-httpclient-users mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: Looking at how I would implement a particular custom ssl socket factory with httpclient 4.1.1
Date Tue, 17 May 2011 10:41:56 GMT
On Mon, 2011-05-16 at 18:10 +0000, KARR, DAVID (ATTSI) wrote:
> A week or so ago I had to implement a custom ssl socket factory to do some specialized hostname verification.
>
> For background, we had been connecting to a "front-end" server that was presenting a SSL cert with a context name matching that server name.  In fact, that cert is provided by a server "underneath" that front server.  Due to certain network issues, we had to change our client code to directly connect to that "underneath" server.  Unfortunately, that meant that hostname verification was now failing, and we don't want to turn off hostname verification.  So, I implemented a ssl socket factory that gets constructed with an "alternate CN", which I'm passing in the original "front server" name for.  This is working fine.
>
> I did this with HttpClient 3.0.1.  I'm now researching what will be required to upgrade our code base to use the latest HttpClient, 4.1.1 at this point.
>
> I've been looking at the new documentation, and I noticed the "BrowserCompatHostnameVerifier" option.  From what I can see, this isn't quite what I need.  Will I still need a custom ssl socket factory for this, or is some of what I need now "canned" in the latest HttpClient?
>

HttpClient 4.x should be able to handle alternate CNs in certificates
when performing hostname verification out of the box.

Oleg


