hc-httpclient-users mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: DefaultHttpClient (4.0.3) does not call my customised socket factory for the initial SSL handshake
Date Sat, 04 Jun 2011 11:09:30 GMT
On Fri, 2011-06-03 at 15:40 -0700, bnijjhar wrote:
> Hi
> I have a specific requirement to only enable the NULL cipher suite for SSL
> communications. I am using the DefaultHttpClient 4.0.3 version at the
> moment.
> I have set up my schemes and HTTPClient as follows. As I don’t require
> anything special from the Key or Trust Managers (other than to refer to the
> system properties I’ll be setting) I just use the default SSLContext.
>  
> 
>     SchemeRegistry registry = new SchemeRegistry();
>     SSLContext sslContext = SSLContext.getDefault();
>     CustomisedCipherSSLSocketFactory myFactory =
>             new CustomisedCipherSSLSocketFactory(sslContext);
>     registry.register(new Scheme("https", myFactory, 443));
>     registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
>     SingleClientConnManager sccm = new SingleClientConnManager(new BasicHttpParams(), registry);
>     HttpClient httpclient = new DefaultHttpClient(sccm, new BasicHttpParams());
>     HttpPost httpPost = new HttpPost(url);
>     HttpResponse httpResponse = httpclient.execute(httpPost);
> 
>  
> I have extended SSLSocketFactory in my own CustomisedCipherSSLSocketFactory
> to simply overwrite createSocket as follows in order to set the suites I
> need:
> 
>     public CustomisedCipherSSLSocketFactory(SSLContext sslContext)
>             throws NoSuchAlgorithmException, KeyManagementException,
>             KeyStoreException, UnrecoverableKeyException {
>         super(sslContext);
>     }
> 
>     @Override
>     public Socket createSocket() throws IOException {
>         SSLSocket sslSocket = (SSLSocket) super.createSocket();
>         sslSocket.setEnabledCipherSuites(new String[]{"SSL_RSA_WITH_NULL_MD5"});
>         System.out.println("In create socket");
>         return sslSocket;
>     }
> 
>     @Override
>     public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
>             throws IOException {
>         SSLSocket sslSocket = (SSLSocket) super.createSocket(socket, host, port, autoClose);
>         sslSocket.setEnabledCipherSuites(new String[]{"SSL_RSA_WITH_NULL_MD5"});
>         System.out.println("In create socket with args: host = " + host + ", port = " + port);
>         return sslSocket;
>     }
> 
>  
> What I am finding in the debug logs is that the initial SSL handshake which
> establishes the cipher suites the client and server will use doesn’t call my
> overridden createSocket. Thus, an SSLSession is established which uses a
> different cipher suite. Thereafter, my createSocket IS called, but the debug
> shows that the original cached SSLSession is being used. Thus, my cipher
> suite is never actually used in the message exchange.
>  
> 
> %% No cached client session
> *** ClientHello, TLSv1
> RandomCookie:  GMT: 1290269617 bytes = { 21, 218, 241, 213, 225, 171, 181,
> 140, 95, 246, 109, 123, 127, 148, 254, 161, 241, 74, 56, 242, 169, 246, 24,
> 77, 96, 195, 194, 146 }
> Session ID:  {}
> Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
> TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
> SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
> SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
> SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
> SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
> Compression Methods:  { 0 }
> ***
> [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default
> (self-tuning)', WRITE: TLSv1 Handshake, length = 75
> [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default
> (self-tuning)', WRITE: SSLv2 client hello message, length = 101
> [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default
> (self-tuning)', READ: TLSv1 Handshake, length = 58
> *** ServerHello, TLSv1
> RandomCookie:  GMT: 1290269616 bytes = { 239, 194, 86, 114, 146, 95, 25,
> 160, 77, 22, 119, 192, 137, 112, 86, 182, 203, 27, 86, 72, 160, 141, 113,
> 62, 124, 167, 88, 70 }
> Session ID:  {229, 77, 223, 81, 84, 85, 11, 50, 74, 75, 51, 102, 202, 10,
> 72, 167}
> Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
> Warning: No renegotiation indication extension in ServerHello
> %% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
> …
> %% Cached client session: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
> In create socket with args: host = localhost, port = 10002
> 
>  
> I would have expected it to use my createSocket to create the socket for the
> initial handshake … Can anyone shed any light on why it doesn’t? How can I
> set my cipher suite with DefaultHttpClient?
> Thanks very much, Baljeet.

Works for me with HttpClient 4.1.1

trigger seeding of SecureRandom
done seeding SecureRandom
executing requestGET https://localhost/ HTTP/1.1
[DEBUG] SingleClientConnManager - Get connection for route
HttpRoute[{s}->https://localhost]
In create socket
[DEBUG] DefaultClientConnectionOperator - Connecting to
localhost/127.0.0.1:443
main, setSoTimeout(0) called
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1290408107 bytes = { 71, 33, 247, 80, 67, 215, 28,
97, 178, 240, 130, 183, 182, 2, 46, 221, 52, 105, 214, 53, 73, 251, 218,
19, 65, 222, 109, 109 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_NULL_MD5]
Compression Methods:  { 0 }
***

Oleg
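A fuller factory in the spirit of the one discussed in this thread, added here as an example and not code from the thread or from HttpClient: it applies a caller-supplied cipher-suite allowlist on both socket-creation entry points of HttpClient 4.1.x and, once connectSocket has completed the handshake, checks the suite that was actually negotiated rather than trusting that an override was reached, which is the gap the original poster's debug log exposed. The class name, the allowlist, and the 4.1 signatures of createSocket(HttpParams), createLayeredSocket and connectSocket are assumptions.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.params.HttpParams;

// Hypothetical example class, not part of HttpClient: applies a cipher-suite
// allowlist on every socket handed out and verifies the suite actually negotiated.
public class RestrictedCipherSSLSocketFactory extends SSLSocketFactory {
    private final String[] allowed; // caller-supplied allowlist, e.g. TLS_RSA_WITH_AES_128_CBC_SHA

    public RestrictedCipherSSLSocketFactory(SSLContext ctx, String... allowed) {
        super(ctx);
        this.allowed = allowed.clone();
    }

    // Single place that applies the allowlist, whichever entry point HttpClient uses;
    // setEnabledCipherSuites throws IllegalArgumentException for unsupported names.
    private Socket restrict(Socket s) {
        ((SSLSocket) s).setEnabledCipherSuites(allowed);
        return s;
    }

    // 4.1 entry point for a fresh connection (called by DefaultClientConnectionOperator).
    @Override
    public Socket createSocket(HttpParams params) throws IOException {
        return restrict(super.createSocket(params));
    }

    // 4.1 entry point for layering TLS over an existing (e.g. proxy-tunnelled) socket.
    @Override
    public Socket createLayeredSocket(Socket sock, String host, int port,
            boolean autoClose) throws IOException {
        return restrict(super.createLayeredSocket(sock, host, port, autoClose));
    }

    // super connects, handshakes and verifies the hostname; then fail closed
    // unless the negotiated suite is on the allowlist.
    @Override
    public Socket connectSocket(Socket sock, InetSocketAddress remote,
            InetSocketAddress local, HttpParams params) throws IOException {
        Socket s = super.connectSocket(sock, remote, local, params);
        String suite = ((SSLSocket) s).getSession().getCipherSuite();
        if (!Arrays.asList(allowed).contains(suite)) {
            s.close();
            throw new IOException("Negotiated cipher suite not allowed: " + suite);
        }
        return s;
    }
}
```

Checking the negotiated suite after the handshake catches the situation in the original post, where the handshake ran on a socket the overrides never touched and a cached session with a different suite was reused afterwards.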

