Posted to httpclient-users@hc.apache.org by Thomas Bley <th...@simple-groupware.de> on 2007/06/03 00:50:13 UTC

SSL Problems with HttpClient

Hello all,

for those who have SSL problems with certificates from e.g. cacert.org:
javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to 
find valid certification path to requested target

I used the code from:
http://svn.apache.org/viewvc/jakarta/commons/proper/httpclient/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java?view=markup
http://svn.apache.org/viewvc/jakarta/commons/proper/httpclient/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/EasyX509TrustManager.java?view=markup

But in the code there is (EasyX509TrustManager.java):

// Original EasyX509TrustManager logic: a one-element chain (a self-signed
// certificate) only gets a notBefore/notAfter date check; any longer chain is
// handed to the JDK's standard trust manager, which rejects unknown roots.
if ((certificates != null) && (certificates.length == 1)) {
  certificates[0].checkValidity();
} else {
  standardTrustManager.checkServerTrusted(certificates, authType);
}

If you self-sign the certificate this is ok, but if you use certificates 
from e.g. cacert.org you'll still get errors because there are 2 
certificates to validate, therefore
modify EasyX509TrustManager.java:

if (certificates != null) {
  for (int i = 0; i < certificates.length; i++) {
    // System.out.println("Subject: " + certificates[i].getSubjectDN());
    // System.out.println("Issuer: " + certificates[i].getIssuerDN());
    // System.out.println("Not after: " + certificates[i].getNotAfter());
    // System.out.println("Not before: " + certificates[i].getNotBefore());
    // checkValidity() only tests the notBefore/notAfter dates of each
    // certificate; no signature, issuer-chaining or trust-anchor check is
    // made here, so any chain of in-date certificates is accepted.
    certificates[i].checkValidity();
    // System.out.println("----");
  }
} else { // check Java's keystore (only reached when the chain is null,
         // which the standard trust manager rejects anyway)
  standardTrustManager.checkServerTrusted(certificates, authType);
}


The final code looks similar to this:

import org.apache.commons.httpclient.DefaultHttpMethodRetryHandler;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.params.HttpMethodParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory;

// Route all https: URLs through the "easy" socket factory (no chain validation).
Protocol.registerProtocol("https",
    new Protocol("https", (ProtocolSocketFactory) new EasySSLProtocolSocketFactory(), 443));
HttpClient client = new HttpClient();
client.getParams().setParameter(HttpMethodParams.RETRY_HANDLER,
    new DefaultHttpMethodRetryHandler(2, true));
client.getHttpConnectionManager().getParams().setConnectionTimeout(5000);
GetMethod get = new GetMethod(url); // url: the https URL to fetch


Maybe someone can add this to the SSL Guide 
(http://jakarta.apache.org/commons/httpclient/sslguide.html).

Regards,
Thomas

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org


Re: SSL Problems with HttpClient

Posted by Roland Weber <RO...@de.ibm.com>.
Contay <co...@gmail.com> wrote on 03.06.2007 20:59:02:

> was this message meant for someone else?

No, this message was for everybody who is subscribed
to the httpcomponents-user list.

cheers,
  Roland


Re: SSL Problems with HttpClient

Posted by Contay <co...@gmail.com>.
was this message meant for someone else?

On 6/3/07, Roland Weber <os...@dubioso.net> wrote:
>
> Hello Thomas,
>
> thanks for sharing this information.
>
> > But in the code there is (EasyX509TrustManager.java):
> >
> > if ((certificates != null) && (certificates.length == 1)) {
> >  certificates[0].checkValidity();
> > } else {
> >  standardTrustManager.checkServerTrusted(certificates,authType);
> > }
> >
> > If you self-sign the certificate this is ok, but if you use certificates
> > from e.g. cacert.org you'll still get errors because there are 2
> > certificates to validate
>
> The EasyX509TrustManager is specifically meant to be used in
> test and development environments, that is with self-signed
> toy certificates. If you have real certificates, you should
> use a real trust manager instead of EasyXTM. Take a look at
> AuthSSLX509TrustManager, it does loop over certificates:
>
>
> http://svn.apache.org/viewvc/jakarta/commons/proper/httpclient/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/AuthSSLX509TrustManager.java?view=markup
>
>
> cheers,
> Roland
>

Re: SSL Problems with HttpClient

Posted by Roland Weber <os...@dubioso.net>.
Hello Thomas,

thanks for sharing this information.

> But in the code there is (EasyX509TrustManager.java):
> 
> if ((certificates != null) && (certificates.length == 1)) {
>  certificates[0].checkValidity();
> } else {
>  standardTrustManager.checkServerTrusted(certificates,authType);
> }
> 
> If you self-sign the certificate this is ok, but if you use certificates
> from e.g. cacert.org you'll still get errors because there are 2
> certificates to validate

The EasyX509TrustManager is specifically meant to be used in
test and development environments, that is with self-signed
toy certificates. If you have real certificates, you should
use a real trust manager instead of EasyXTM. Take a look at
AuthSSLX509TrustManager, it does loop over certificates:

http://svn.apache.org/viewvc/jakarta/commons/proper/httpclient/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/AuthSSLX509TrustManager.java?view=markup


cheers,
  Roland

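The following is an added example, not code from this thread or from the HttpClient project. It shows what Roland's advice ("use a real trust manager") looks like in practice, and why the checkValidity() loop in the first post is not a substitute: checkValidity() only compares the notBefore/notAfter dates, whereas a PKIX X509TrustManager builds and verifies the whole path (signatures, issuer chaining, basic constraints, dates) up to a root you chose. The CA root (for example the CAcert root) goes into a private JKS trust store, and the HttpClient 3.x contrib AuthSSLProtocolSocketFactory is pointed at that store. Everything about the file, password, alias and target URL is an assumption of the example; the keytool command and class names are real.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

import org.apache.commons.httpclient.DefaultHttpMethodRetryHandler;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.contrib.ssl.AuthSSLProtocolSocketFactory;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.params.HttpMethodParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;

/**
 * Added example (not from the thread or the HttpClient project): fetch an
 * https URL whose server certificate chains to a CA that is NOT in the JDK's
 * default cacerts, without disabling chain validation. The CA root lives in a
 * private JKS trust store and PKIX path building runs against that store only.
 *
 * Assumed: trust store ./cacert-trust.jks with password "changeit", built with
 *   keytool -importcert -alias cacert-root -file root.crt \
 *           -keystore cacert-trust.jks -storepass changeit -noprompt
 */
public class PinnedTrustStoreClient {

    private static final String TRUSTSTORE_PATH = "cacert-trust.jks"; // assumed
    private static final String TRUSTSTORE_PASSWORD = "changeit";     // assumed

    /** Load the private trust store; fail loudly if it is missing or empty. */
    static KeyStore loadTrustStore(File path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password.toCharArray());
        } finally {
            in.close();
        }
        if (ks.size() == 0) {
            throw new IllegalStateException("trust store " + path + " has no entries");
        }
        return ks;
    }

    /**
     * Build the JDK's PKIX trust manager over the private store. Its
     * checkServerTrusted() verifies the full path up to one of the roots in
     * the store; a bare checkValidity() loop only looks at the dates.
     */
    static X509TrustManager pkixTrustManager(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Print the roots we are about to trust, so a wrong file is obvious at startup. */
    static void describeAnchors(X509TrustManager tm) {
        for (X509Certificate anchor : tm.getAcceptedIssuers()) {
            System.out.println("trust anchor: " + anchor.getSubjectX500Principal()
                + " (valid until " + anchor.getNotAfter() + ")");
        }
    }

    public static void main(String[] args) throws Exception {
        File storeFile = new File(TRUSTSTORE_PATH);
        KeyStore trustStore = loadTrustStore(storeFile, TRUSTSTORE_PASSWORD);
        describeAnchors(pkixTrustManager(trustStore));

        // AuthSSLProtocolSocketFactory wraps this kind of PKIX trust manager
        // (via AuthSSLX509TrustManager) around the store at trustStoreUrl.
        // keystoreUrl/keystorePassword are null: no client certificate is used.
        URL trustStoreUrl = storeFile.toURI().toURL();
        ProtocolSocketFactory factory =
            new AuthSSLProtocolSocketFactory(null, null, trustStoreUrl, TRUSTSTORE_PASSWORD);
        Protocol.registerProtocol("https", new Protocol("https", factory, 443));

        HttpClient client = new HttpClient();
        client.getParams().setParameter(HttpMethodParams.RETRY_HANDLER,
            new DefaultHttpMethodRetryHandler(2, true));
        client.getHttpConnectionManager().getParams().setConnectionTimeout(5000);

        String url = args.length > 0 ? args[0] : "https://www.cacert.org/"; // assumed target
        GetMethod get = new GetMethod(url);
        try {
            int status = client.executeMethod(get); // throws SSLHandshakeException on a bad chain
            System.out.println("HTTP " + status + " from " + url);
        } finally {
            get.releaseConnection();
        }
    }
}
```

Run it with commons-httpclient 3.x and the contrib ssl classes on the classpath. Two things to check before relying on it: a chain that does not lead to a root in cacert-trust.jks must still fail with the same "PKIX path building failed" exception from the first post, which is the behaviour you want; and neither AuthSSLProtocolSocketFactory nor the code above checks that the certificate's name matches the host name, which in HttpClient 3.x is done by the contrib StrictSSLProtocolSocketFactory, so port or combine that check if the client can be pointed at arbitrary hosts.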