Posted to httpclient-users@hc.apache.org by Thomas Bley <th...@simple-groupware.de> on 2007/06/03 00:50:13 UTC
SSL Problems with HttpClient
Hello all,
for those who have SSL problems with certificates from e.g. cacert.org:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
I used the code from:
http://svn.apache.org/viewvc/jakarta/commons/proper/httpclient/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java?view=markup
http://svn.apache.org/viewvc/jakarta/commons/proper/httpclient/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/EasyX509TrustManager.java?view=markup
But in the code there is (EasyX509TrustManager.java):
if ((certificates != null) && (certificates.length == 1)) {
    certificates[0].checkValidity();
} else {
    standardTrustManager.checkServerTrusted(certificates, authType);
}
If you self-sign the certificate this is ok, but if you use certificates
from e.g. cacert.org you'll still get errors because there are 2
certificates to validate, therefore
modify EasyX509TrustManager.java:
if (certificates != null) {
    for (int i = 0; i < certificates.length; i++) {
        // System.out.println("Subject: " + certificates[i].getSubjectDN());
        // System.out.println("Issuer: " + certificates[i].getIssuerDN());
        // System.out.println("Not after: " + certificates[i].getNotAfter());
        // System.out.println("Not before: " + certificates[i].getNotBefore());
        // Only the validity period of each certificate is checked here;
        // issuer signatures and the path to a trust anchor are not.
        certificates[i].checkValidity();
        // System.out.println("----");
    }
} else { // check Java's keystore (reached only when no chain was supplied)
    standardTrustManager.checkServerTrusted(certificates, authType);
}
The final code looks similar to this:
import org.apache.commons.httpclient.DefaultHttpMethodRetryHandler;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.params.HttpMethodParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;

Protocol.registerProtocol("https",
    new Protocol("https", (ProtocolSocketFactory) new EasySSLProtocolSocketFactory(), 443));
HttpClient client = new HttpClient();
client.getParams().setParameter(HttpMethodParams.RETRY_HANDLER,
    new DefaultHttpMethodRetryHandler(2, true));
client.getHttpConnectionManager().getParams().setConnectionTimeout(5000);
GetMethod get = new GetMethod(url);
Maybe someone can add this to the SSL Guide
(http://jakarta.apache.org/commons/httpclient/sslguide.html).
Regards,
Thomas
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
Re: SSL Problems with HttpClient
Posted by Roland Weber <RO...@de.ibm.com>.
Contay <co...@gmail.com> wrote on 03.06.2007 20:59:02:
> was this message meant for someone else?
No, this message was for everybody who is subscribed
to the httpcomponents-user list.
cheers,
Roland
Re: SSL Problems with HttpClient
Posted by Contay <co...@gmail.com>.
was this message meant for someone else?
On 6/3/07, Roland Weber <os...@dubioso.net> wrote:
>
> Hello Thomas,
>
> thanks for sharing this information.
>
> > But in the code there is (EasyX509TrustManager.java):
> >
> > if ((certificates != null) && (certificates.length == 1)) {
> >     certificates[0].checkValidity();
> > } else {
> >     standardTrustManager.checkServerTrusted(certificates, authType);
> > }
> >
> > If you self-sign the certificate this is ok, but if you use certificates
> > from e.g. cacert.org you'll still get errors because there are 2
> > certificates to validate
>
> The EasyX509TrustManager is specifically meant to be used in
> test and development environments, that is with self-signed
> toy certificates. If you have real certificates, you should
> use a real trust manager instead of EasyXTM. Take a look at
> AuthSSLX509TrustManager, it does loop over certificates:
>
>
> http://svn.apache.org/viewvc/jakarta/commons/proper/httpclient/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/AuthSSLX509TrustManager.java?view=markup
>
>
> cheers,
> Roland
>
Re: SSL Problems with HttpClient
Posted by Roland Weber <os...@dubioso.net>.
Hello Thomas,
thanks for sharing this information.
> But in the code there is (EasyX509TrustManager.java):
>
> if ((certificates != null) && (certificates.length == 1)) {
>     certificates[0].checkValidity();
> } else {
>     standardTrustManager.checkServerTrusted(certificates, authType);
> }
>
> If you self-sign the certificate this is ok, but if you use certificates
> from e.g. cacert.org you'll still get errors because there are 2
> certificates to validate
The EasyX509TrustManager is specifically meant to be used in
test and development environments, that is with self-signed
toy certificates. If you have real certificates, you should
use a real trust manager instead of EasyXTM. Take a look at
AuthSSLX509TrustManager, it does loop over certificates:
http://svn.apache.org/viewvc/jakarta/commons/proper/httpclient/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/AuthSSLX509TrustManager.java?view=markup
cheers,
Roland
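Added example (not code from the thread or from the HttpClient project): a socket factory for HttpClient 3.x that does what Roland's reply recommends instead of the checkValidity() loop from the first post. It loads the CA certificate(s) you actually trust from a PEM file into an empty trust store and lets the JSSE PKIX trust manager validate the whole server chain against them, so a two-certificate chain such as the cacert.org case is checked for signatures and trust anchor, not just dates. Assumptions: the class name PinnedCaSocketFactory, the placeholder CA path and URL, HttpClient 3.0/3.1 on the classpath, and Java 7 or later for SSLParameters.setEndpointIdentificationAlgorithm (HttpClient 3.x does not verify the host name on its own).

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

/**
 * Trusts exactly the CA certificates read from a PEM file and lets the
 * standard PKIX trust manager build and validate the server's chain.
 * (Hypothetical class written for this example, not part of HttpClient.)
 */
public class PinnedCaSocketFactory implements SecureProtocolSocketFactory {

    private final SSLContext sslContext;

    public PinnedCaSocketFactory(String caPemPath) throws Exception {
        // Empty trust store, so the JRE's cacerts are not consulted at all;
        // only the anchors from the PEM file (caller-supplied path) count.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream(caPemPath);
        try {
            int n = 0;
            for (Certificate ca : cf.generateCertificates(in)) {
                trustStore.setCertificateEntry("ca-" + (n++), ca);
            }
        } finally {
            in.close();
        }
        // Default algorithm is PKIX: signature, validity period, basic
        // constraints and a path to one of the anchors above are all checked,
        // which is exactly what a checkValidity()-only trust manager skips.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);
    }

    /** Ask JSSE to match the certificate against the host name (Java 7+). */
    private Socket withHostnameCheck(Socket socket) {
        SSLSocket ssl = (SSLSocket) socket;
        SSLParameters p = ssl.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        ssl.setSSLParameters(p);  // handshake has not started yet, so this applies
        return ssl;
    }

    public Socket createSocket(String host, int port, InetAddress localAddress,
            int localPort, HttpConnectionParams params) throws IOException {
        if (params == null) {
            throw new IllegalArgumentException("Parameters may not be null");
        }
        Socket socket = withHostnameCheck(sslContext.getSocketFactory().createSocket());
        socket.bind(new InetSocketAddress(localAddress, localPort));
        // Honour the timeout configured on the connection manager.
        socket.connect(new InetSocketAddress(host, port), params.getConnectionTimeout());
        return socket;
    }

    public Socket createSocket(String host, int port, InetAddress localAddress,
            int localPort) throws IOException {
        return withHostnameCheck(
                sslContext.getSocketFactory().createSocket(host, port, localAddress, localPort));
    }

    public Socket createSocket(String host, int port) throws IOException {
        return withHostnameCheck(sslContext.getSocketFactory().createSocket(host, port));
    }

    public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
            throws IOException {
        return withHostnameCheck(
                sslContext.getSocketFactory().createSocket(socket, host, port, autoClose));
    }

    public static void main(String[] args) throws Exception {
        // Same registration as in the thread, with chain validation kept.
        Protocol.registerProtocol("https", new Protocol("https",
                (ProtocolSocketFactory) new PinnedCaSocketFactory("/path/to/ca-bundle.pem"), 443));
        HttpClient client = new HttpClient();
        client.getHttpConnectionManager().getParams().setConnectionTimeout(5000);
        GetMethod get = new GetMethod("https://example.invalid/");  // placeholder URL
        try {
            System.out.println("HTTP " + client.executeMethod(get));
        } finally {
            get.releaseConnection();
        }
    }
}
```

A server whose chain does not lead to one of the loaded CAs still fails with the "PKIX path building failed" SSLHandshakeException quoted at the top of the thread; that is the correct outcome, and the fix is to add the missing root or intermediate to the PEM bundle rather than to relax the trust manager.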