tomcat-users mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: Tomcat IBM JVM 1.4 and SSL truststores
Date Tue, 09 Sep 2003 04:40:03 GMT
It's possible to configure PureTLS (which Tomcat supports) to support
untrusted certs.

"Jerry Birchler" <jrbirchler@comcast.net> wrote in message
news:NDBBLNCGLJEKFAGHDLIBKEKJFFAA.jrbirchler@comcast.net...
> I tried both the IBM and Sun packages. Unfortunately, neither handled
> expired or untrusted certificates. In my case, I did not care one way or
> the other whether or not the certificate was "trusted". By virtue of
> parsing or spidering a site, I was making a choice. Perhaps you have the
> same situation? If so, then this will work for you.
>
> I found the attached source on the internet somewhere, and I was able to
> successfully implement it in a core class to my html parsers and spiders.
> Here is the snippet of code that is found in that core class. The class
> file you will need follows the snippet.
>
> import com.sun.net.ssl.HttpsURLConnection;
> import java.net.HttpURLConnection;
> //
> // it's important to use the javax flavors of these packages, the com.sun
> // equivalents will not work
> //
> import javax.net.ssl.*;
> import javax.net.ssl.SSLSocketFactory;
>
> //
> // put this in your constructor...
> //
>
> System.setProperty("java.protocol.handler.pkgs","com.sun.net.ssl.internal.www.protocol");
>
> //
> // ..... whatever code you want
> //
>       if ( blnSSL )
>       {
>         try
>         {
>           java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
>           X509TrustManager oTrustMngr = new EnlistaTrustManager();
>           TrustManager oEnlistaTrustManagers[] = {oTrustMngr};
>           SSLContext ctx = SSLContext.getInstance("SSL");
>           ctx.init(null, oEnlistaTrustManagers, null);
>           SSLSocketFactory sslSocketFactory = ctx.getSocketFactory();
>           HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);
>         }
>         catch(Exception e)
>         {
>           e.printStackTrace();
>         }
>         objUC = (HttpsURLConnection)objURL.openConnection();
>       }
>       else
>       {
>         objUC = (HttpURLConnection)objURL.openConnection();
>       }
>
>
> // use your own package. this is the class called by the snippet above.
>
> package com.efn.cmn.uihelper.urlscraper;
>
> import javax.net.ssl.X509TrustManager;
> import java.security.cert.*;
>
> // EnlistaTrustManager implements X509TrustManager and you can have the
> // following code to accept ANY certificate.
>
> public class EnlistaTrustManager implements X509TrustManager
> {
>
>   // public so the snippet above can construct it from another package
>   public EnlistaTrustManager()
>   { // constructor
>     // create/load keystore
>     // No need to load the keystore because it will be validated on demand.
>   }
>
>   public void checkClientTrusted(X509Certificate chain[], String authType)
>     throws CertificateException
>   {
>     return;
>   }
>
>   /**
>    * This function is called when receiving information from the server.
>    * Before accepting the info it checks that the certificates sent by the
>    * server are valid according to this function.
>    *
>    * @throws CertificateException if the certificate does not meet this
>    *         peer's validation.
>    */
>   public void checkServerTrusted(X509Certificate oaChain[], String sAuthType)
>     throws CertificateException
>   {
>     // special handling such as popping dialog boxes
>
>     // Certificate is valid.
>     return;
>   }
>
>   /**
>    * Returns the valid or accepted issuers. Currently this function returns
>    * an empty array. The validation is done in the checkServerTrusted function.
>    */
>   public X509Certificate[] getAcceptedIssuers() {
>     return new X509Certificate[0];
>   }
>
>   public boolean isServerTrusted(X509Certificate oaChain[], String sAuthType)
>     throws CertificateException
>   {
>     return true;
>   }
> }
>
> -----Original Message-----
> From: McClure, Timothy J(IndSys, GE Interlogix)
> [mailto:Tim.McClure@ge.com]
> Sent: Monday, September 08, 2003 10:01 AM
> To: Tomcat Users List; McClure, Timothy J(IndSys, GE Interlogix)
> Subject: Tomcat IBM JVM 1.4 and SSL truststores
>
>
> I am trying to use client SSL sockets connections running underneath Tomcat
> on AIX with IBM JVM 1.4.  I set the 'algorithm' key word in the server.xml
> file and this seems to work well for key store (server socket) connections.
> However I cannot get the trust store side to work appropriately, I always
> get an I/O exception on SunX509 algorithm.  I notice in the code it appears
> that the "SunX509" is hard coded to the TrustStoreManager.  How do I get it
> to use IbmX509?  I set the trustManagerType to IbmX509 through -D options
> but this also did not work.
>
> Tim
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
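An added example, not code from any of the posters: Jerry's EnlistaTrustManager switches certificate validation off entirely, and Tim reports that the trouble on the IBM JVM is a hard-coded "SunX509". The class below, written in JDK 1.4 style, keeps validation on by trusting only a caller-supplied truststore (the path and password are assumed inputs) and asks the JVM for its default TrustManagerFactory algorithm instead of naming one, which on IBM JVMs of that era resolves to IbmX509.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * SSLContext trusting only the certificates in a caller-supplied truststore,
 * with the TrustManagerFactory algorithm taken from the JVM's default instead
 * of a hard-coded "SunX509" (the IBM JVM names its provider IbmX509).
 */
public final class PinnedTrustContext {
    /** truststorePath and password are assumed inputs, not values from the thread. */
    public static SSLContext build(String truststorePath, char[] password) throws Exception {
        // JKS is the default keystore type on both the Sun and IBM 1.4 JVMs.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(truststorePath);
        try {
            ts.load(in, password);
        } finally {
            in.close();
        }
        // Portable replacement for "SunX509": the ssl.TrustManagerFactory.algorithm
        // security property names whatever provider this JVM actually ships.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        // A real trust manager exposes its anchors; the accept-all manager in the
        // thread returns an empty array here and never throws, so it takes any cert.
        TrustManager[] tms = tmf.getTrustManagers();
        for (int i = 0; i < tms.length; i++) {
            if (tms[i] instanceof X509TrustManager
                    && ((X509TrustManager) tms[i]).getAcceptedIssuers().length == 0) {
                throw new IllegalStateException("no trust anchors in " + truststorePath);
            }
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tms, null);
        return ctx;
    }

    /** Usage: java PinnedTrustContext /path/to/truststore.jks changeit */
    public static void main(String[] args) throws Exception {
        SSLContext ctx = build(args[0], args[1].toCharArray());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }
}
```

Import the spider's self-signed or expired server certificate into that truststore with keytool and only that certificate is accepted, rather than every certificate on the internet.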