hc-httpclient-users mailing list archives

From Gary Gregory <garydgreg...@gmail.com>
Subject Re: Can't get org.apache.http.conn.ssl.TrustSelfSignedStrategy to work
Date Sat, 18 Feb 2017 18:25:59 GMT
On Sat, Feb 18, 2017 at 2:06 AM, Oleg Kalnichevski <olegk@apache.org> wrote:

> On Fri, 2017-02-17 at 12:56 -0800, Gary Gregory wrote:
> > Hi All,
> >
> > I cannot seem to get org.apache.http.conn.ssl.TrustSelfSignedStrategy to
> > work with an SSL connection.
> >
> > I am creating the HttpClient (4.5.3, the latest) like so:
> >
> >         final PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager();
> >         httpClient = HttpClientFactory.createHttpClientBuilder(trustStrategy, hostnameVerifier, getTimeoutMillis())
> >                 .setConnectionManager(cm)
>
> Gary,
>
> Your code sets an instance of PoolingHttpClientConnectionManager which
> overrides all other connection level parameters including SSLContext
> and HostnameVerifier. Either pass SSLContext and HostnameVerifier as
> parameters to the connection manager or let HttpClientBuilder create an
> instance of PoolingHttpClientConnectionManager for you.
>

Thanks Oleg, I realized what you point out late last night. I might update
the Javadoc on the builder to make it more obvious.

Gary

>
> Oleg
>
>
> >                 .build();
> >
> > Where HttpClientFactory is as below and trustStrategy=a new
> > org.apache.http.conn.ssl.TrustSelfSignedStrategy, hostnameVerifier=null,
> > getTimeoutMillis()=210,000:
> >
> > public class HttpClientFactory {
> >
> >     public static CloseableHttpClient createHttpClient(final TrustStrategy trustStrategy, final HostnameVerifier hostnameVerifier, final int timeoutMillis)
> >             throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException {
> >         return createHttpClientBuilder(trustStrategy, hostnameVerifier, timeoutMillis).build();
> >     }
> >
> >     public static HttpClientBuilder createHttpClientBuilder(final TrustStrategy trustStrategy, final HostnameVerifier hostnameVerifier, final int timeoutMillis)
> >             throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException {
> >         final SSLContext sslContext = trustStrategy == null ? null : SSLContextBuilder.create().loadTrustMaterial(trustStrategy).build();
> >         final SocketConfig socketConfig = timeoutMillis < 0 ? null : SocketConfig.custom().setSoTimeout(timeoutMillis).build();
> >         final HttpClientBuilder builder = HttpClients.custom();
> >         if (sslContext != null) {
> >             builder.setSSLContext(sslContext);
> >         }
> >         if (hostnameVerifier != null) {
> >             builder.setSSLHostnameVerifier(hostnameVerifier);
> >         }
> >         if (socketConfig != null) {
> >             builder.setDefaultSocketConfig(socketConfig);
> >         }
> >         return builder;
> >     }
> >
> > }
> >
> > I also tried hostnameVerifier=NoopHostnameVerifier.INSTANCE just for grins
> > but that makes no difference, the failure is the same. If I had a
> > breakpoint in TrustSelfSignedStrategy#isTrusted(), it never gets hit.
> >
> > The error:
> >
> > javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> > at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
> > at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
> > at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
> > at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
> > at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
> > at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
> > at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
> > at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
> > at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
> > at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
> > at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
> > at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
> > at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
> > at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
> > at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
> > at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
> > at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
> > at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
> > at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
> > at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
> > at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
> > at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
> > at com.seagullsw.appinterface.comm.cics.ScgHttpConnection.sendRequest(ScgHttpConnection.java:165)
> > at com.seagullsw.appinterface.comm.cics.ScgHttpConnection.sendRequest(ScgHttpConnection.java:177)
> > at com.seagullsw.appinterface.server.backend.cics.ScgByteBufferExecutor.execute(ScgByteBufferExecutor.java:121)
> > at com.seagullsw.appinterface.server.backend.cics.CicsBackEnd.handleRequestImpl(CicsBackEnd.java:232)
> > at com.seagullsw.appinterface.server.backend.BasicBackEnd.handleRequest(BasicBackEnd.java:325)
> > at com.seagullsw.appinterface.server.BasicInvocation.backEndDispatch(BasicInvocation.java:372)
> > at com.seagullsw.appinterface.server.BasicInvocation.invokeInner(BasicInvocation.java:1146)
> > at com.seagullsw.appinterface.server.BasicInvocation.invokeWithChecks(BasicInvocation.java:1191)
> > at com.seagullsw.appinterface.server.BasicInvocation.invoke(BasicInvocation.java:1106)
> > at com.seagullsw.appinterface.server.AppInterfaceServer.dispatch(AppInterfaceServer.java:722)
> > at com.seagullsw.appinterface.server.AppInterfaceServer.dispatch(AppInterfaceServer.java:710)
> > at com.seagullsw.appinterface.server.AisHelper.assertXmlRequest(AisHelper.java:59)
> > at com.seagullsw.appinterface.server.backend.cics.AbstractScgBackEndTestCase.callMirrorCommArea(AbstractScgBackEndTestCase.java:409)
> > at com.seagullsw.appinterface.server.backend.cics.AbstractScgBackEndTestCase.callMirrorCicsWriteQLimitCommArea(AbstractScgBackEndTestCase.java:379)
> > at com.seagullsw.appinterface.server.backend.cics.AbstractScgBackEndStressTestCase.testMirrorCicsWriteQLimitCommAreaConsecutiveRequests10(AbstractScgBackEndStressTestCase.java:1896)
> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > at java.lang.reflect.Method.invoke(Method.java:606)
> > at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
> > at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
> > at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
> > at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
> > at org.junit.rules.TestWatcher$1.evaluate(TestWatcher.java:55)
> > at org.junit.rules.ExternalResource$1.evaluate(ExternalResource.java:48)
> > at org.junit.rules.RunRules.evaluate(RunRules.java:20)
> > at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
> > at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78)
> > at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57)
> > at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
> > at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
> > at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
> > at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
> > at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
> > at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
> > at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
> > at org.junit.rules.ExternalResource$1.evaluate(ExternalResource.java:48)
> > at org.junit.rules.RunRules.evaluate(RunRules.java:20)
> > at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
> > at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:86)
> > at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
> > at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:459)
> > at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:678)
> > at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:382)
> > at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:192)
> > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
> > at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
> > at sun.security.validator.Validator.validate(Validator.java:260)
> > at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
> > at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
> > at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
> > at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
> > ... 63 more
> > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
> > at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
> > at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
> > ... 69 more
> >
> > Thoughts?
> >
> > Thank you,
> > Gary
> >
>


-- 
E-Mail: garydgregory@gmail.com | ggregory@apache.org
Blog: http://garygregory.wordpress.com
Home: http://garygregory.com/
Tweet! http://twitter.com/GaryGregory
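
The two fixes Oleg describes, as an added example that is not part of the original thread or of HttpClient itself. It assumes HttpClient 4.5.x on the classpath; the class and method names are hypothetical.

```java
import java.security.GeneralSecurityException;
import javax.net.ssl.SSLContext;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.config.SocketConfig;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.ssl.SSLContextBuilder;

// Hypothetical class; not HttpClient code and not the HttpClientFactory from the thread.
public final class SelfSignedClientExample {

    // TrustSelfSignedStrategy accepts any certificate chain of length one,
    // so this context belongs in test setups, not in production clients.
    private static SSLContext selfSignedContext() throws GeneralSecurityException {
        return SSLContextBuilder.create().loadTrustMaterial(new TrustSelfSignedStrategy()).build();
    }

    // Option 1: keep your own connection manager and hand it the TLS settings.
    static CloseableHttpClient withExplicitManager(final int timeoutMillis) throws GeneralSecurityException {
        // Hostname verification stays on; only the trust decision is relaxed.
        final SSLConnectionSocketFactory tls =
                new SSLConnectionSocketFactory(selfSignedContext(), new DefaultHostnameVerifier());
        final Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
                .register("http", PlainConnectionSocketFactory.getSocketFactory())
                .register("https", tls)
                .build();
        final PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager(registry);
        // The socket timeout is a connection-level parameter too, so it is set on the manager.
        cm.setDefaultSocketConfig(SocketConfig.custom().setSoTimeout(timeoutMillis).build());
        return HttpClients.custom().setConnectionManager(cm).build();
    }

    // Option 2: no setConnectionManager() call, so the builder creates the
    // pooling manager itself and applies the builder-level TLS and socket settings.
    static CloseableHttpClient withBuilderManagedPool(final int timeoutMillis) throws GeneralSecurityException {
        return HttpClients.custom()
                .setSSLContext(selfSignedContext())
                .setSSLHostnameVerifier(new DefaultHostnameVerifier())
                .setDefaultSocketConfig(SocketConfig.custom().setSoTimeout(timeoutMillis).build())
                .build();
    }
}
```

With either client, a breakpoint in TrustSelfSignedStrategy#isTrusted() is reached during the handshake, which is a quick check that the custom trust material is actually in use.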
