hc-httpclient-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Oleg Kalnichevski <ol...@apache.org>
Subject Re: TrustStrategy - is chain[0] always the server certificate in the chain?
Date Tue, 22 Mar 2016 20:56:28 GMT
On Mon, 2016-03-21 at 14:21 +0100, Bernd wrote:
> Hello,
> I am writing a TrustStrategy which is processing http.spki-pinning. I have
> one strategy instance per fingerprint (and use it only for one host).
> The isTrusted(chain, authType) method will return a CertificateException
> when the PIN is wrong, and it will "return false" when the pin is correct
> (defering all other checks to the system trust manager).
> I wonder now, is it guranteed that chain[0] contains the server certificate
> which is actually used for the handshake? The Javadoc only says "peer
> certificate chain" with no further description what can be dependent upon.


I am afraid this is the wrong place to seek an authoritative answer to
this question. I believe that the first cert in the chain is the one
that uniquely identifies the peer in SSL handshake, but it is merely an


> In my special case the TrustStrategy is also executed before the
> TrustManager, does this mean I do need to do some more checks to make sure
> I actually verify the server certificate and not intermediate or excessive
> certificates?
> Using httpclient:4.5
> like this:
> HttpClientBuilder builder = HttpClients.custom();
> builder.disableCookieManagement();
> builder.disableAuthCaching();
> builder.disableRedirectHandling();
> TrustStrategy pinnedCertTrust = new PinnedCertTrust("e93..");
> SSLContext sslcontext =
> SSLContexts.custom().useProtocol("TLSv1.2").loadTrustMaterial(pinnedCertTrust).build();
> SSLConnectionSocketFactory sslsf = new
> SSLConnectionSocketFactory(sslcontext, new String[] { "TLSv1.2" }, null,
> SSLConnectionSocketFactory.getDefaultHostnameVerifier());
> builder.setSSLSocketFactory(sslsf);
> CloseableHttpClient client = builder.build();
> Gruss
> Bernd

To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org

View raw message