hc-httpclient-users mailing list archives

From Matt Chambers <mvchamb...@me.com>
Subject Re: HTTPClient SSL self signed cert
Date Mon, 15 Feb 2016 16:40:59 GMT

> On Feb 15, 2016, at 11:02 AM, Oleg Kalnichevski <olegk@apache.org> wrote:
> 
> On Mon, 2016-02-15 at 10:54 -0500, Matt Chambers wrote:
>> Hi Oleg,
>> 
>> Thanks for response…I don’t know if I’m seeing this up right.
>> 
>> Does anyone have the steps handy to have a Tomcat and HttpClient communicate with
each other using self signed keys?
>> 
>> -Matt
>> 
> 
> Matt,
> 
> When it comes to SSL one _must_ know exactly what he or she is doing. 
> 
> Does the server use a self-signed cert (there is only one certificate in
> the cert chain) or does it use a cert signed by a custom CA (the cert
> chain consists of multiple certs)?  

The server has a self signed cert.

> 
> When configured to use TrustSelfSignedStrategy HttpClient will accept
> the former but will reject the latter unless explicitly set up to trust
> the custom CA. 
> 
> So, what is it you are trying to do? 

Good question.

I started out wanting to get a private internal client/server communicating with SSL, using keys generated with keytool, which I’ve done before but with much older versions of HttpClient. That devolved into just getting anything working.

Basically, I generated the server key like this:
keytool -genkey -alias server -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore server.p12 -validity 3650 -keypass changeit -storepass changeit

The client keystore I generated with the exact same command except for a different alias.

From the client keystore I exported its cert
keytool -export -alias client -file client.cer -storetype PKCS12 -keystore keystore.p12

Then I created a trust store on the server and put in the client's cert
keytool -import -file ../client/client.cer -storetype PKCS12 -keystore src/main/resources/truststore.p12

On the server, I specified the path to the trust store and its password.

With SSL debugging on, the client prints out the server’s cert, but then says:

%% Invalidated:  [Session-3, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
RegisterServiceImpl RUNNING, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
RegisterServiceImpl RUNNING, WRITE: TLSv1.2 Alert, length = 2
RegisterServiceImpl RUNNING, called closeSocket()
RegisterServiceImpl RUNNING, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target

Should I also export the server's cert to the client’s trust store?

-Matt

> 
> You might also want to run your app with SSL debugging turned and find
> out why the SSL security provider rejects server creds presented during
> the SSL session handshake.
> 
> Oleg 
> 
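Editor's note on the exchange above. The debug output shows the client, not the server, sending the certificate_unknown alert: "PKIX path building failed" means the JSSE validator could not chain the server's certificate to anything in the client's trust material. For a self-signed server certificate there are two ways to satisfy that check in HttpClient 4.x: import the server's certificate into a trust store the client loads, or configure TrustSelfSignedStrategy, which accepts any self-signed certificate (not just yours). The following is an added example, not code from this thread or from the HttpClient project, showing both, plus the client key material needed for the mutual-TLS setup described in the message. File names, passwords and the URL are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;

import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.EntityUtils;

/**
 * Added example for HttpClient 4.5 (not code from the thread). Paths, passwords
 * and the URL are assumptions; the trust store is assumed to have been built with
 * keytool -import -alias server -file server.cer -storetype PKCS12 -keystore client-truststore.p12
 */
public class SelfSignedTrustExample {

    static final char[] PASSWORD = "changeit".toCharArray(); // assumed password

    static KeyStore loadPkcs12(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, PASSWORD);
        }
        return ks;
    }

    /** Pin trust to the one server certificate held in the client's trust store. */
    public static SSLContext pinnedContext() throws Exception {
        KeyStore trustStore = loadPkcs12("client-truststore.p12"); // holds server.cer only
        KeyStore keyStore = loadPkcs12("client.p12");              // client's own key, for mutual TLS
        return SSLContexts.custom()
                // null TrustStrategy: plain PKIX validation against trustStore, so a cert
                // that is neither in it nor chained to one in it is rejected.
                .loadTrustMaterial(trustStore, null)
                .loadKeyMaterial(keyStore, PASSWORD)
                .build();
    }

    /** Accept any self-signed server cert (what Oleg describes); a cert issued by a
     *  custom CA still fails here because its chain has more than one certificate. */
    public static SSLContext anySelfSignedContext() throws Exception {
        return SSLContexts.custom()
                .loadTrustMaterial(null, new TrustSelfSignedStrategy())
                .build();
    }

    public static CloseableHttpClient client(SSLContext sslContext) {
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                sslContext,
                new String[] {"TLSv1.2"},        // protocols
                null,                            // cipher suites: JSSE defaults
                new DefaultHostnameVerifier());  // the cert's SAN/CN must still match the host
        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }

    public static void main(String[] args) throws Exception {
        try (CloseableHttpClient http = client(pinnedContext());
             CloseableHttpResponse resp = http.execute(new HttpGet("https://localhost:8443/"))) {
            System.out.println(resp.getStatusLine());
            EntityUtils.consume(resp.getEntity());
        }
    }
}
```

Of the two, pinnedContext() is the one to use for an internal service: it trusts exactly the certificate you generated, whereas TrustSelfSignedStrategy trusts whatever self-signed certificate a peer presents. Note that passing the chain check is not the end of validation: DefaultHostnameVerifier still compares the certificate's subject alternative names (or, failing those, the CN) against the host in the URL, so the -dname given to keytool -genkey has to match the name the client connects to.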

