hc-httpclient-users mailing list archives

From Christopher BROWN <br...@reflexe.fr>
Subject Re: Providing feedback when an SSL certificate is not recognized (due to missing entry in keystore)
Date Mon, 30 Dec 2013 10:53:36 GMT
Thanks Oleg, I'll take it from here, now that I know where to start from.

--
Christopher



On 30 December 2013 11:51, Oleg Kalnichevski <olegk@apache.org> wrote:
> On Sun, 2013-12-29 at 14:48 +0100, Christopher BROWN wrote:
>> Hello,
>>
>> I've dealt with an issue where an application being migrated to HTTP client
>> has (with the original HttpURLConnection class) thrown this exception:
>>
>> javax.net.ssl.SSLHandshakeException:
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>> valid certification path to requested target
>>
>> This was due to a missing entry in the keystore, easy enough for me to fix.
>> However, when the code in question is migrated to HTTP client 4.3+, is
>> there any API for detecting that a missing keystore entry was the cause,
>> and providing user feedback such as "the server is using an SSL certificate
>> from Gandi, however this authority has no entry in the keystore" (I'd build
>> the message, but would need to have an API to query the certificate info).
>>
>> Thanks,
>> Christopher BROWN
>
>
> Hi Christopher
>
> Strictly speaking this problem has nothing to do with HttpClient as
> such. It's just purely JSSE programming.
>
> HttpClient 4.3 ships with SSLContextBuilder [1] which is unlikely to
> have the functionality you want out of the box, but you could take this
> class as a starting point for your own custom version of it. Have a look
> at TrustManagerDelegate. With a few minor modifications it should be
> able to generate more descriptive feedback in case of a trust validation
> failure, either in the form of a better exception or a log entry.
>
> Hope this helps
>
> Oleg
>
> [1]
> http://hc.apache.org/httpcomponents-client-4.3.x/httpclient/xref/org/apache/http/conn/ssl/SSLContextBuilder.html
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>

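The delegating trust manager suggested in the reply above can be sketched with plain JSSE as follows. This is an added example, not code from the thread or from HttpClient; the class name DescriptiveTrustManager and its newContext() helper are hypothetical. Validation is left entirely to the default trust manager; only the error text is enriched with the certificate subject and issuer.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Hypothetical wrapper: the JSSE default still decides trust, only the failure message changes. */
public final class DescriptiveTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;

    public DescriptiveTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

    /** Builds an SSLContext backed by the default trust store (cacerts or javax.net.ssl.trustStore). */
    public static SSLContext newContext() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                SSLContext ctx = SSLContext.getInstance("TLS");
                ctx.init(null, new TrustManager[] { new DescriptiveTrustManager((X509TrustManager) tm) }, null);
                return ctx;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try {
            delegate.checkServerTrusted(chain, authType);
        } catch (CertificateException e) {
            // Never swallow the failure: rethrow it with the certificate details attached.
            // The delegate rejects null or empty chains with IllegalArgumentException, so chain[0] exists here.
            X509Certificate leaf = chain[0];
            X509Certificate top = chain[chain.length - 1];
            throw new CertificateException("Server certificate [" + leaf.getSubjectX500Principal().getName()
                    + "] chains up to issuer [" + top.getIssuerX500Principal().getName()
                    + "], which failed validation against the trust store: " + e.getMessage(), e);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
}
```

With HttpClient 4.3 the resulting context can be supplied through `HttpClients.custom().setSslcontext(DescriptiveTrustManager.newContext())`. The issuer reported is that of the last certificate the server sent, which is the authority a user would need to add to the keystore when the failure is a missing trust anchor.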