Subject: Re: HTTPClient SSL self signed cert
From: Oleg Kalnichevski
To: HttpClient User Discussion <httpclient-users@hc.apache.org>
Date: Mon, 15 Feb 2016 17:02:55 +0100
Message-ID: <1455552175.11837.19.camel@apache.org>
In-Reply-To: <90CFA505-0052-4515-A5A1-9051C4435542@me.com>
References: <7AFD793B-2C16-452B-B456-A855CEA772D0@me.com> <1455533261.11837.1.camel@apache.org> <90CFA505-0052-4515-A5A1-9051C4435542@me.com>

On Mon, 2016-02-15 at 10:54 -0500, Matt Chambers wrote:
> Hi Oleg,
>
> Thanks for the response…I don’t know if I’m setting this up right.
>
> Does anyone have the steps handy to have a Tomcat and HttpClient communicate with each other using self signed keys?
>
> -Matt
>

Matt,

When it comes to SSL one _must_ know exactly what he or she is doing.

Does the server use a self-signed cert (there is only one certificate in the cert chain) or does it use a cert signed by a custom CA (the cert chain consists of multiple certs)? When configured to use TrustSelfSignedStrategy HttpClient will accept the former but will reject the latter unless explicitly set up to trust the custom CA.

So, what is it you are trying to do?

You might also want to run your app with SSL debugging turned on and find out why the SSL security provider rejects server creds presented during the SSL session handshake.

Oleg

> > On Feb 15, 2016, at 5:47 AM, Oleg Kalnichevski wrote:
> >
> > On Fri, 2016-02-12 at 17:53 -0500, Matt Chambers wrote:
> >> I’m not sure if I’m daft or just missing something super obvious, but I’m trying to set up HttpClient to connect to a Spring Boot server using a self signed cert, pretty much all day. Works fine via Chrome, Python’s ‘requests’ module, and Objective-C but no matter what I do, this exception haunts me.
> >>
> >
> > Are you sure the server authenticates with a self-signed certificate (no
> > CA) and not with a certificate signed by a non-standard CA?
> >
> > Oleg
> >
> >> java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >>     at com.zorroa.archivist.sdk.client.ExceptionTranslator.translate(ExceptionTranslator.java:9) ~[archivist-sdk-0.17.0.jar:na]
> >>     at com.zorroa.archivist.sdk.client.Http.post(Http.java:39) ~[archivist-sdk-0.17.0.jar:na]
> >>     at com.zorroa.archivist.sdk.client.archivist.ArchivistClient.registerAnalyst(ArchivistClient.java:57) ~[archivist-sdk-0.17.0.jar:na]
> >>     at com.zorroa.analyst.service.RegisterServiceImpl.runOneIteration(RegisterServiceImpl.java:45) ~[classes/:na]
> >>     at com.google.common.util.concurrent.AbstractScheduledService$1$1.run(AbstractScheduledService.java:174) [guava-18.0.jar:na]
> >>     at com.google.common.util.concurrent.Callables$3.run(Callables.java:95) [guava-18.0.jar:na]
> >>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_65]
> >>     at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) [na:1.8.0_65]
> >>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) [na:1.8.0_65]
> >>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) [na:1.8.0_65]
> >>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_65]
> >>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_65]
> >>     at java.lang.Thread.run(Thread.java:745) [na:1.8.0_65]
> >> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >>
> >> I’ve basically tried 1000 different combinations of HttpClient setup and versions, but this is how I’m setting it up currently:
> >>
> >>     this.client = HttpClients.custom()
> >>         .setConnectionManager(new PoolingHttpClientConnectionManager())
> >>         .setSSLSocketFactory(new SSLConnectionSocketFactory(SSLContexts.custom()
> >>             .loadTrustMaterial(null, new TrustSelfSignedStrategy())
> >>             .build()))
> >>         .setSSLHostnameVerifier(new NoopHostnameVerifier())
> >>         .build();
> >>
> >> Any help would be greatly appreciated.
> >>
> >> -Matt
> >>
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > For additional commands, e-mail: httpclient-users-help@hc.apache.org
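The two cases Oleg distinguishes, as an added example that is not from this thread or from the HttpClient project: a single self-signed cert is covered by TrustSelfSignedStrategy (it accepts only chains of length 1), while a cert issued by a custom CA needs that CA loaded into a trust store. Assumptions: HttpClient/HttpCore 4.4+ APIs, a placeholder CA file path, and the class name TrustedCaClient; a hostname verifier is kept in both cases rather than NoopHostnameVerifier.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

public class TrustedCaClient {
    // Trust store holding only the custom CA (PEM/DER at caCertPath, a
    // placeholder). A chain "server cert <- custom CA" then validates;
    // anything not issued by that CA is still rejected.
    static KeyStore trustStoreWithCa(String caCertPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca;
        try (FileInputStream in = new FileInputStream(caCertPath)) {
            ca = (X509Certificate) cf.generateCertificate(in);
        }
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null); // start empty: no default CAs in this store
        ts.setCertificateEntry("custom-ca", ca);
        return ts;
    }

    // Case 1: the server presents a single self-signed certificate.
    // TrustSelfSignedStrategy accepts chains of length 1; the default
    // hostname verifier still requires the cert to match the host.
    static CloseableHttpClient forSelfSigned() throws Exception {
        SSLContext ctx = SSLContexts.custom()
            .loadTrustMaterial(null, new TrustSelfSignedStrategy())
            .build();
        return HttpClients.custom()
            .setSSLSocketFactory(new SSLConnectionSocketFactory(ctx, new DefaultHostnameVerifier()))
            .build();
    }

    // Case 2: the server cert is signed by a custom CA (chain length > 1).
    // TrustSelfSignedStrategy rejects this; trust the CA explicitly instead.
    static CloseableHttpClient forCustomCa(String caCertPath) throws Exception {
        SSLContext ctx = SSLContexts.custom()
            .loadTrustMaterial(trustStoreWithCa(caCertPath), null)
            .build();
        return HttpClients.custom()
            .setSSLSocketFactory(new SSLConnectionSocketFactory(ctx, new DefaultHostnameVerifier()))
            .build();
    }
}
```

To see which chain the server actually sends and why the provider rejects it, run the client with the JVM option -Djavax.net.debug=ssl:handshake and read the certificate list printed during the handshake.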