hc-httpclient-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mohan Radhakrishnan <radhakrishnan.mo...@gmail.com>
Subject Re: SSL Certificate exceptions and defensive coding
Date Mon, 06 Nov 2017 07:48:42 GMT
Hello,

Could you point to some sample ? When I invoke this Https WSDL URL I do get
a certificate in the browser. The URL pointing to the SOAP service is also
a HTTPS URL.

Does this mean that the server presents its certificate to the client which
has to trust it ? How does HttpClient know how to trust it without the
truststore ?

The following is unrelated to my original question but this is what I
observe.

When I generate JAX-WS classes I need to import the WSDL URL certificate
into my trust store and set the system properly.

Thanks,
Mohan

On 5 November 2017 at 22:38, Oleg Kalnichevski <olegk@apache.org> wrote:

> On Sun, 2017-11-05 at 08:41 +0530, Mohan Radhakrishnan wrote:
> > I do have a trustore into which I have imported the server
> > certificate. I
> > set a system property and use it.
> >
> > System.setProperty("javax.net.ssl.trustStrore", "trustStore");
> >
> > JSSE should be able to use it. I think. RIght ? Don't see a problem
> > at this
> > time. Just getting some clarifications.
> >
>
> HttpClient does not take system properties into account by default. You
> need to explicitly instruct to do so when building HttpClient
> instances.
>
> Oleg
>
>
> > Thanks,
> > Mohan
> >
> > On 5 November 2017 at 03:28, Bindul Bhowmik <bindulbhowmik@gmail.com>
> > wrote:
> >
> > > Mohan,
> > >
> > > On Sat, Nov 4, 2017 at 6:01 AM, Mohan Radhakrishnan
> > > <radhakrishnan.mohan@gmail.com> wrote:
> > > > Hi,
> > > >
> > > >
> > >
> > > Let me start by mentioning that Http Client does not implement its
> > > own
> > > cyrpto algorithms or SSL/TLS protocols. It relies on the underlying
> > > Java JSSE implementation to create secure sockets. And unless you
> > > have
> > > plugged in an alternate JSSE provider, you are using the JSSE
> > > implementation packaged with your JRE. Having said that, Http
> > > Client
> > > does allow some customization to the secure socket creation process
> > > using SSLConnectionSocketFactory [1]. This allows you to use an
> > > alternate trust store, host name verifier, etc.. The latter being
> > > especially valuable during development/testing, but should not be
> > > used
> > > in production IMO. To see how you can customize the SSL socket
> > > creation, please read the 'Connection management' chapter in the
> > > Http
> > > Client tutorial [2].
> > >
> > > >        I am invoking a HTTPS SOAP service and this is what I
> > > > think is
> > > > happening. It is one-way SSL. The JSSE implementation
> > > > automagically adds
> > >
> > > it
> > > > to the client's truststore and ensures that the SOAP call is
> > > > successful.
> > >
> > > I am not sure that is accurate. If the server you are targeting
> > > uses a
> > > certificate signed by one of the trusted CAs (or a CA signed by a
> > > trusted CA) in your trust store, the secure socket will be
> > > established. The client does not alter the trust store
> > > automagically,
> > > unless you have done it yourself, or are using a custom trust store
> > > (other than say the cacerts that ships with Oracle JRE).
> > >
> > > >
> > > > This question is based on this assumption.
> > > > When I read
> > > > https://www.ssl.com/guide/ssl-best-practices-a-quick-and-dirty-gu
> > > > ide/
> > >
> > > there
> > > > are various SSL exceptions and checks that
> > > > are required. I code the client. How do I trap the various
> > > > exceptions ?
> > > > Which list of exceptions should I use for SSL ?
> > >
> > > I am not sure I understand the question, but if you need to catch
> > > all
> > > exceptions, see the JSSE Reference Guide [3] on exceptions that can
> > > come from the SSL context. I guess the most important one will be
> > > javax.net.ssl.SSLException and its sub-classes. As far as I can
> > > tell,
> > > HC adds org.apache.http.conn.ssl.SSLInitializationException and of
> > > course most connect methods can throw IOException.
> > >
> > >
> > > >
> > > > How do I know the the HttpClient uses the latest security patches
> > > > in my
> > >
> > > JDK
> > > > 8 ? It should automatically be secure. Right ?
> > >
> > > As I noted above, HC is using the configured or default JSSE
> > > implementation in your JRE. If that is patched, you will be as
> > > secure
> > > as that.
> > >
> > > >
> > > > Thanks,
> > > > Mohan
> > >
> > > Regards,
> > > Bindul
> > >
> > > [1] https://hc.apache.org/httpcomponents-client-ga/
> > > httpclient/apidocs/org/apache/http/conn/ssl/SSLConnectionSocketFact
> > > ory.
> > > html
> > > [2] http://hc.apache.org/httpcomponents-client-ga/tutorial/html/
> > >
> > > -----------------------------------------------------------------
> > > ----
> > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > > For additional commands, e-mail: httpclient-users-help@hc.apache.or
> > > g
> > >
> > >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message