hc-httpclient-users mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: Some websites: SSLPeerUnverifiedException: peer not authenticated
Date Tue, 06 Sep 2011 14:08:32 GMT
On Tue, 2011-09-06 at 03:48 -0700, Ahmed Ashour wrote:
> Hi Vasile,
> 
> Thanks, I saw the error "main, RECV SSLv3 ALERT:  fatal, bad_record_mac", and read http://old.nabble.com/Fwd%3A-Httpclient-sslv3---bad_record_mac-error-tt21999553.html#a22000148
> 
> Another question, is there a way to automatically detect the server SSL version? Because I see the default enabled protocols are "SSLv2Hello", "SSLv3", and "TLSv1". But restricting to SSLv3 will not make the code generic for all websites.
> 
> Is there any better way other than restricting the version to SSLv3?
> 
> Ahmed
> 
> 

I think the only feasible strategy is to re-try connections with a lower
SSL protocol version. Try SSLv3 first, if fails, try SSLv2, if fails,
try SSLv1, if fails, give up and have a drink.

Oleg


> ________________________________
> From: Vasile Alin <alinachegalati@gmail.com>
> To: HttpClient User Discussion <httpclient-users@hc.apache.org>; Ahmed Ashour <asashour@yahoo.com>
> Sent: Tuesday, September 6, 2011 12:31 PM
> Subject: Re: Some websites: SSLPeerUnverifiedException: peer not authenticated
> 
> Enabling the SSL debug may help to find the root cause:
> 
> for example: System.setProperty("javax.net.debug", "all");
> 
> On 6 September 2011 11:56, Ahmed Ashour <asashour@yahoo.com> wrote:
> > Dear all,
> >
> > I know this is a common question, but the below answer doesn't work for all the websites (e.g. https://tradingpartners.comcast.com/PortOut/)
> >
> > On trying to specify a custom TrustManager, it works for many websites, but not all.
> >
> > The below code gives "javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated"
> >
> > Appreciate your help.
> >
> > -------------------------------------------------
> >             HttpClient client = new DefaultHttpClient();
> >             final SSLContext sslContext = SSLContext.getInstance("SSL");
> >             sslContext.init(null, new TrustManager[] {new X509TrustManager(){
> >
> >                 public void checkClientTrusted(X509Certificate[] arg0,
> >                         String arg1) throws CertificateException {
> >                 }
> >
> >                 public void checkServerTrusted(X509Certificate[] arg0,
> >                         String arg1) throws CertificateException {
> >                 }
> >
> >                 public X509Certificate[] getAcceptedIssuers() {
> >                     return new X509Certificate[0];
> >                 }
> >
> >             }}, null);
> >             final SSLSocketFactory factory = new SSLSocketFactory(sslContext, new AllowAllHostnameVerifier());
> >             final Scheme https = new Scheme("https", 443, factory);
> >
> >             final SchemeRegistry schemeRegistry = client.getConnectionManager().getSchemeRegistry();
> >             schemeRegistry.register(https);
> >
> >             HttpGet get = new HttpGet("https://tradingpartners.comcast.com/PortOut/");
> >             client.execute(get);
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
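
The step-down approach suggested in Oleg's reply, as an added example that is not part of the original thread: it uses standard JSSE calls with the default trust settings and reports the highest protocol version the server completes a handshake with. The class name `TlsVersionProbe`, the 5-second read timeout and the `example.com` host are assumptions; current JDKs disable SSLv3 (and, in recent releases, TLSv1 and TLSv1.1) through `jdk.tls.disabledAlgorithms`, so those attempts normally fail locally.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example (hypothetical class name): finds the protocol version a server
// will negotiate by offering one version at a time, highest first.
public class TlsVersionProbe {
    // Preference order, highest first. "SSLv2Hello" is only a hello format,
    // not a protocol version, so it is never offered on its own.
    private static final List<String> ORDER =
            Arrays.asList("TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3");

    /** Returns the first protocol in ORDER the handshake succeeds with, or null. */
    static String highestAccepted(String host, int port) throws Exception {
        // Default context: certificate chain validation stays enabled.
        SSLContext context = SSLContext.getDefault();
        SSLSocketFactory factory = context.getSocketFactory();
        // Only offer versions this JVM knows; unknown names would be rejected.
        List<String> candidates = new ArrayList<>(ORDER);
        candidates.retainAll(Arrays.asList(
                context.getSupportedSSLParameters().getProtocols()));
        for (String protocol : candidates) {
            try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
                socket.setSoTimeout(5000); // assumed read timeout in ms
                socket.setEnabledProtocols(new String[] {protocol});
                socket.startHandshake();
                System.out.println(protocol + " accepted, cipher suite "
                        + socket.getSession().getCipherSuite());
                return socket.getSession().getProtocol();
            } catch (IOException e) {
                // Handshake alerts, versions disabled by local policy and
                // certificate failures all land here; log it and step down.
                System.out.println(protocol + " failed: " + e);
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.com"; // placeholder host
        System.out.println("Negotiated: " + highestAccepted(host, 443));
    }
}
```

The logged exception for each failed attempt separates a protocol-level rejection from a certificate problem, which no amount of stepping down will resolve.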


