Subject: Re: Looking at how I would implement a particular custom ssl socket factory with httpclient 4.1.1
From: Oleg Kalnichevski
To: HttpClient User Discussion
Date: Tue, 17 May 2011 12:41:56 +0200

On Mon, 2011-05-16 at 18:10 +0000, KARR, DAVID (ATTSI) wrote:
> A week or so ago I had to implement a custom ssl socket factory to do some specialized hostname verification.
>
> For background, we had been connecting to a "front-end" server that was presenting a SSL cert with a context name matching that server name. In fact, that cert is provided by a server "underneath" that front server. Due to certain network issues, we had to change our client code to directly connect to that "underneath" server. Unfortunately, that meant that hostname verification was now failing, and we don't want to turn off hostname verification. So, I implemented a ssl socket factory that gets constructed with an "alternate CN", which I'm passing in the original "front server" name for. This is working fine.
>
> I did this with HttpClient 3.0.1. I'm now researching what will be required to upgrade our code base to use the latest HttpClient, 4.1.1 at this point.
>
> I've been looking at the new documentation, and I noticed the "BrowserCompatHostnameVerifier" option. From what I can see, this isn't quite what I need. Will I still need a custom ssl socket factory for this, or is some of what I need now "canned" in the latest HttpClient?
>

HttpClient 4.x should be able to handle alternate CNs in certificates when performing hostname verification out of the box.

Oleg
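
The setup described in the question, sketched against the HttpClient 4.1 API as an added example that is not part of the original thread and not HttpClient project code: hostname verification stays on, but for one specific connect host the certificate is checked against the name it was issued for. The class name `AliasedHostnameVerifier`, the `newClient` helper and the two host-name parameters are hypothetical.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.BrowserCompatHostnameVerifier;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.X509HostnameVerifier;
import org.apache.http.impl.client.DefaultHttpClient;

/** Hypothetical verifier: checks the certificate against certHost, but only when dialling connectHost. */
public class AliasedHostnameVerifier implements X509HostnameVerifier {
    private final String connectHost; // host the client actually connects to
    private final String certHost;    // name the server certificate was issued for
    private final X509HostnameVerifier delegate = new BrowserCompatHostnameVerifier();

    public AliasedHostnameVerifier(String connectHost, String certHost) {
        this.connectHost = connectHost;
        this.certHost = certHost;
    }

    // Substitute the expected name for the one aliased host; every other host is verified as-is.
    private String effective(String host) {
        return connectHost.equalsIgnoreCase(host) ? certHost : host;
    }

    public boolean verify(String host, SSLSession session) {
        return delegate.verify(effective(host), session);
    }
    public void verify(String host, SSLSocket ssl) throws IOException {
        delegate.verify(effective(host), ssl);
    }
    public void verify(String host, X509Certificate cert) throws SSLException {
        delegate.verify(effective(host), cert);
    }
    public void verify(String host, String[] cns, String[] subjectAlts) throws SSLException {
        delegate.verify(effective(host), cns, subjectAlts);
    }

    /** Builds a client whose https scheme uses the aliased verifier. */
    public static DefaultHttpClient newClient(String connectHost, String certHost) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default trust managers: certificate chain validation is unchanged
        SSLSocketFactory sf = new SSLSocketFactory(ctx, new AliasedHostnameVerifier(connectHost, certHost));
        DefaultHttpClient client = new DefaultHttpClient();
        client.getConnectionManager().getSchemeRegistry().register(new Scheme("https", 443, sf));
        return client;
    }
}
```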