hc-httpclient-users mailing list archives

From Bernd Eckenfels <e...@zusammenkunft.net>
Subject Re: SSL Certificate exceptions and defensive coding
Date Mon, 06 Nov 2017 08:06:32 GMT
Without knowing your code it is hard to tell what is configured. You can implement multiple
strategies for server certificate checking (including ignoring the checks or using the default
cacerts trust store).

Regards
Bernd
--
http://bernd.eckenfels.net
________________________________
From: Mohan Radhakrishnan <radhakrishnan.mohan@gmail.com>
Sent: Monday, November 6, 2017 8:48:42 AM
To: HttpClient User Discussion
Subject: Re: SSL Certificate exceptions and defensive coding

Hello,

Could you point me to a sample? When I invoke this HTTPS WSDL URL I do get
a certificate in the browser. The URL pointing to the SOAP service is also
an HTTPS URL.

Does this mean that the server presents its certificate to the client, which
has to trust it? How does HttpClient know how to trust it without the
truststore?

The following is unrelated to my original question, but this is what I
observe.

When I generate JAX-WS classes I need to import the WSDL URL certificate
into my trust store and set the system property.

Thanks,
Mohan

On 5 November 2017 at 22:38, Oleg Kalnichevski <olegk@apache.org> wrote:

> On Sun, 2017-11-05 at 08:41 +0530, Mohan Radhakrishnan wrote:
> > I do have a truststore into which I have imported the server
> > certificate. I set a system property and use it.
> >
> > System.setProperty("javax.net.ssl.trustStore", "trustStore");
> >
> > JSSE should be able to use it. I think. Right? Don't see a problem
> > at this time. Just getting some clarifications.
> >
>
> HttpClient does not take system properties into account by default. You
> need to explicitly instruct it to do so when building HttpClient
> instances.
>
> Oleg
>
>
> > Thanks,
> > Mohan
> >
> > On 5 November 2017 at 03:28, Bindul Bhowmik <bindulbhowmik@gmail.com>
> > wrote:
> >
> > > Mohan,
> > >
> > > On Sat, Nov 4, 2017 at 6:01 AM, Mohan Radhakrishnan
> > > <radhakrishnan.mohan@gmail.com> wrote:
> > > > Hi,
> > > >
> > > >
> > >
> > > Let me start by mentioning that Http Client does not implement its own
> > > crypto algorithms or SSL/TLS protocols. It relies on the underlying
> > > Java JSSE implementation to create secure sockets. And unless you have
> > > plugged in an alternate JSSE provider, you are using the JSSE
> > > implementation packaged with your JRE. Having said that, Http Client
> > > does allow some customization to the secure socket creation process
> > > using SSLConnectionSocketFactory [1]. This allows you to use an
> > > alternate trust store, host name verifier, etc. The latter being
> > > especially valuable during development/testing, but should not be used
> > > in production IMO. To see how you can customize the SSL socket
> > > creation, please read the 'Connection management' chapter in the Http
> > > Client tutorial [2].
> > >
> > > >        I am invoking an HTTPS SOAP service and this is what I
> > > > think is happening. It is one-way SSL. The JSSE implementation
> > > > automagically adds it to the client's truststore and ensures that
> > > > the SOAP call is successful.
> > >
> > > I am not sure that is accurate. If the server you are targeting
> > > uses a
> > > certificate signed by one of the trusted CAs (or a CA signed by a
> > > trusted CA) in your trust store, the secure socket will be
> > > established. The client does not alter the trust store
> > > automagically,
> > > unless you have done it yourself, or are using a custom trust store
> > > (other than say the cacerts that ships with Oracle JRE).
> > >
> > > >
> > > > This question is based on this assumption.
> > > > When I read
> > > > https://www.ssl.com/guide/ssl-best-practices-a-quick-and-dirty-guide/
> > > > there are various SSL exceptions and checks that are required. I
> > > > code the client. How do I trap the various exceptions? Which list
> > > > of exceptions should I use for SSL?
> > >
> > > I am not sure I understand the question, but if you need to catch
> > > all
> > > exceptions, see the JSSE Reference Guide [3] on exceptions that can
> > > come from the SSL context. I guess the most important one will be
> > > javax.net.ssl.SSLException and its sub-classes. As far as I can
> > > tell,
> > > HC adds org.apache.http.conn.ssl.SSLInitializationException and of
> > > course most connect methods can throw IOException.
> > >
> > >
> > > >
> > > > How do I know that the HttpClient uses the latest security patches
> > > > in my JDK 8? It should automatically be secure. Right?
> > >
> > > As I noted above, HC is using the configured or default JSSE
> > > implementation in your JRE. If that is patched, you will be as
> > > secure
> > > as that.
> > >
> > > >
> > > > Thanks,
> > > > Mohan
> > >
> > > Regards,
> > > Bindul
> > >
> > > [1] https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/conn/ssl/SSLConnectionSocketFactory.html
> > > [2] http://hc.apache.org/httpcomponents-client-ga/tutorial/html/
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> > >
> > >
>
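The three points made in this thread put together in one place: Oleg's (HttpClient ignores javax.net.ssl.trustStore and the other JSSE system properties unless useSystemProperties() is called on the builder; without either that or an explicit SSLConnectionSocketFactory it falls back to the JRE's default SSLContext, i.e. the cacerts file, which is how a WSDL fetch can succeed "without the truststore"), Bindul's (trust store and host name verifier are plugged in through SSLConnectionSocketFactory, and the exceptions to handle are javax.net.ssl.SSLException and its subclasses, org.apache.http.conn.ssl.SSLInitializationException, and plain IOException), and Bernd's (the trust strategy is a choice you make explicitly). This is an added example written for this archive page; it is not code from any of the posters or from the HttpClient project. It targets HttpClient 4.4 or later. The truststore file name and password, the WSDL URL, and the TLSv1.2 allow-list are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLPeerUnverifiedException;

import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLInitializationException;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.EntityUtils;

/** Added example for HttpClient 4.4+; not code from the thread or from the project. */
public class StrictTlsClient {

    // Assumptions for this example: a JKS truststore in the working directory,
    // the keytool default password, and a placeholder WSDL URL.
    private static final File TRUST_STORE = new File("trustStore");
    private static final char[] TRUST_STORE_PASSWORD = "changeit".toCharArray();
    private static final String WSDL_URL = "https://soap.example.com/service?wsdl";

    /**
     * Explicit trust configuration. HttpClient only wraps the JRE's JSSE here: the
     * SSLContext is the JRE's, seeded with our truststore instead of
     * $JAVA_HOME/lib/security/cacerts, and the host name check is HttpClient's
     * strict default verifier. Neither NoopHostnameVerifier nor
     * TrustSelfSignedStrategy belongs here outside development.
     */
    static CloseableHttpClient buildExplicit() throws GeneralSecurityException, IOException {
        SSLContext ctx = SSLContexts.custom()
                .loadTrustMaterial(TRUST_STORE, TRUST_STORE_PASSWORD)
                .build();
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                ctx,
                new String[] { "TLSv1.2" },     // protocol allow-list (assumption)
                null,                            // null = JSSE default cipher suites
                new DefaultHostnameVerifier());
        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }

    /**
     * The route Mohan was on: javax.net.ssl.trustStore and friends are ignored by
     * HttpClient unless useSystemProperties() is called on the builder.
     */
    static CloseableHttpClient buildFromSystemProperties() {
        System.setProperty("javax.net.ssl.trustStore", TRUST_STORE.getPath());
        System.setProperty("javax.net.ssl.trustStorePassword", new String(TRUST_STORE_PASSWORD));
        return HttpClients.custom().useSystemProperties().build();
    }

    static String fetch(CloseableHttpClient client, String url) throws IOException {
        try (CloseableHttpResponse resp = client.execute(new HttpGet(url))) {
            return EntityUtils.toString(resp.getEntity());
        }
    }

    public static void main(String[] args) {
        boolean useSystem = args.length > 0 && args[0].equals("--system-properties");
        try (CloseableHttpClient client = useSystem ? buildFromSystemProperties() : buildExplicit()) {
            System.out.println(fetch(client, WSDL_URL).length() + " bytes of WSDL");
        } catch (SSLPeerUnverifiedException e) {
            // Host name in the URL does not match the certificate, or the peer sent
            // no certificate. Do not "fix" this by retrying with a weaker verifier.
            System.err.println("host name verification failed: " + e.getMessage());
        } catch (SSLHandshakeException e) {
            // Chain does not anchor in the truststore, certificate expired or not
            // yet valid, or no protocol/cipher in common with the server.
            System.err.println("TLS handshake failed: " + e.getMessage());
        } catch (SSLException e) {
            // Remaining TLS-layer failures; must be caught before IOException
            // because SSLException extends it.
            System.err.println("TLS error: " + e.getMessage());
        } catch (SSLInitializationException e) {
            // Unchecked: HttpClient could not create the JSSE context at all
            // (e.g. unreadable truststore named in the system properties).
            System.err.println("could not initialise JSSE: " + e.getMessage());
        } catch (GeneralSecurityException | IOException e) {
            // Truststore load problems (wrong password, bad format) and plain network
            // errors; these say nothing about the server's certificate.
            System.err.println("setup or I/O failure: " + e);
        }
    }
}
```

The catch order matters: SSLPeerUnverifiedException and SSLHandshakeException are both subclasses of SSLException, which is itself an IOException, so the specific TLS verdicts have to come before the generic I/O handler or they are silently absorbed by it. Run it once with no argument and once with --system-properties against the same truststore to see that both routes accept the same certificates; the point of the thread is that only the second route reads javax.net.ssl.trustStore.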
