hc-httpclient-users mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: HTTPClient SSL self signed cert
Date Mon, 15 Feb 2016 16:02:55 GMT
On Mon, 2016-02-15 at 10:54 -0500, Matt Chambers wrote:
> Hi Oleg,
> 
> Thanks for the response… I don’t know if I’m setting this up right.
> 
> Does anyone have the steps handy to have a Tomcat and HttpClient communicate with each other using self signed keys?
> 
> -Matt
> 

Matt,

When it comes to SSL one _must_ know exactly what he or she is doing. 

Does the server use a self-signed cert (there is only one certificate in
the cert chain) or does it use a cert signed by a custom CA (the cert
chain consists of multiple certs)?  

When configured to use TrustSelfSignedStrategy HttpClient will accept
the former but will reject the latter unless explicitly set up to trust
the custom CA. 

So, what is it you are trying to do? 

You might also want to run your app with SSL debugging turned on and find
out why the SSL security provider rejects server creds presented during
the SSL session handshake.

Oleg 

> > On Feb 15, 2016, at 5:47 AM, Oleg Kalnichevski <olegk@apache.org> wrote:
> > 
> > On Fri, 2016-02-12 at 17:53 -0500, Matt Chambers wrote:
> >> I’m not sure if I’m daft or just missing something super obvious, but I’m trying to set up HttpClient to connect to a Spring Boot server using a self signed cert, pretty much all day. Works fine via Chrome, Python’s ‘requests’ module, and Objective-C but no matter what I do, this exception haunts me.
> >> 
> > 
> > Are you sure the server authenticates with a self-signed certificate (no
> > CA) and not with a certificate signed by a non-standard CA?
> > 
> > Oleg
> > 
> >> java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >> 	at com.zorroa.archivist.sdk.client.ExceptionTranslator.translate(ExceptionTranslator.java:9) ~[archivist-sdk-0.17.0.jar:na]
> >> 	at com.zorroa.archivist.sdk.client.Http.post(Http.java:39) ~[archivist-sdk-0.17.0.jar:na]
> >> 	at com.zorroa.archivist.sdk.client.archivist.ArchivistClient.registerAnalyst(ArchivistClient.java:57) ~[archivist-sdk-0.17.0.jar:na]
> >> 	at com.zorroa.analyst.service.RegisterServiceImpl.runOneIteration(RegisterServiceImpl.java:45) ~[classes/:na]
> >> 	at com.google.common.util.concurrent.AbstractScheduledService$1$1.run(AbstractScheduledService.java:174) [guava-18.0.jar:na]
> >> 	at com.google.common.util.concurrent.Callables$3.run(Callables.java:95) [guava-18.0.jar:na]
> >> 	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_65]
> >> 	at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) [na:1.8.0_65]
> >> 	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) [na:1.8.0_65]
> >> 	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) [na:1.8.0_65]
> >> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_65]
> >> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_65]
> >> 	at java.lang.Thread.run(Thread.java:745) [na:1.8.0_65]
> >> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >> 
> >> I’ve basically tried 1000 different combinations of HttpClient setup and versions, but this is how I’m setting it up currently:
> >> 
> >> this.client = HttpClients.custom()
> >>        .setConnectionManager(new PoolingHttpClientConnectionManager())
> >>        .setSSLSocketFactory(new SSLConnectionSocketFactory(SSLContexts.custom()
> >>                .loadTrustMaterial(null, new TrustSelfSignedStrategy())
> >>                .build()))
> >>        .setSSLHostnameVerifier(new NoopHostnameVerifier())
> >>        .build();
> >> 
> >> Any help would be greatly appreciated.  
> >> 
> >> -Matt
> >> 
> > 
> > 
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > For additional commands, e-mail: httpclient-users-help@hc.apache.org



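The two cases Oleg distinguishes, written out as an added HttpClient 4.4+ configuration example (not code from the thread or from the HttpClient project). The CA certificate path and the trust-store alias are assumptions; unlike the quoted snippet, both variants keep hostname verification on instead of using NoopHostnameVerifier.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

public class TrustSetup {

    // Case 1: the server presents exactly one certificate, signed by itself.
    // TrustSelfSignedStrategy.isTrusted() returns true only when chain.length == 1,
    // so it accepts a true self-signed cert but still rejects a chain issued by a
    // custom CA (that case falls back to the JVM's default trust store and fails
    // with the PKIX "unable to find valid certification path" error from the thread).
    static CloseableHttpClient selfSignedClient() throws Exception {
        SSLContext ctx = SSLContexts.custom()
                .loadTrustMaterial(null, new TrustSelfSignedStrategy())
                .build();
        // DefaultHostnameVerifier keeps the cert-name check; Noop would accept any name.
        return HttpClients.custom()
                .setSSLSocketFactory(new SSLConnectionSocketFactory(ctx, new DefaultHostnameVerifier()))
                .build();
    }

    // Case 2: the server presents a chain issued by an in-house CA. Load the CA cert
    // (X.509 PEM or DER file; the path is an assumption) into a trust store and trust
    // only that store, with no permissive TrustStrategy at all.
    static CloseableHttpClient customCaClient(String caCertPath) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                 // start from an empty store
        try (InputStream in = new FileInputStream(caCertPath)) {
            Certificate ca = CertificateFactory.getInstance("X.509").generateCertificate(in);
            trustStore.setCertificateEntry("internal-ca", ca);   // alias is an assumption
        }
        SSLContext ctx = SSLContexts.custom()
                .loadTrustMaterial(trustStore, null)  // null strategy: normal PKIX path validation
                .build();
        return HttpClients.custom()
                .setSSLSocketFactory(new SSLConnectionSocketFactory(ctx, new DefaultHostnameVerifier()))
                .build();
    }
}
```

To see which of the two cases a given server is, run the client with `-Djavax.net.debug=ssl:handshake` as Oleg suggests; the handshake dump shows the number of certificates in the server's chain and the validator's reason for rejecting it.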

