Posted to httpclient-users@hc.apache.org by George Ludwig <sf...@yahoo.com> on 2008/04/08 02:07:13 UTC

getting httpclient to trust all certs for ssl?

This seems to have come up before, but I've not been
able to find a resolution that works.

Basically, I want to trust all SSL certs. I'm doing web
harvesting, and I just don't care if a cert is valid,
self signed, or has a valid trust chain.

I've tried a couple of solutions I found on the web,
but they don't seem to work. Does anyone have a
reliable solution to this?

The last one I tried was this:

public static void trustAllCerts() {
    // Create a trust manager that does not validate certificate chains
    TrustManager[] trustAllCerts = new TrustManager[]{
        new X509TrustManager() {
            public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                return null;
            }
            public void checkClientTrusted(
                java.security.cert.X509Certificate[] certs, String authType) {
            }
            public void checkServerTrusted(
                java.security.cert.X509Certificate[] certs, String authType) {
            }
        }
    };

    // Install the all-trusting trust manager
    try {
        SSLContext sc = SSLContext.getInstance("SSL");
        sc.init(null, trustAllCerts, new java.security.SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    } catch (Exception e) {
    }
}

I'm currently getting this exception:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
error!
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1520)
	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:182)
	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:511)
	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:449)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:817)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1029)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:621)
	at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
	at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
	at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
	at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:828)
	at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.flushRequestOutputStream(MultiThreadedHttpConnectionManager.java:1565)
	at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2116)
	at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
	at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
	at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
	at com.markmonitor.harvester.util.FetcherUtil.getContent(FetcherUtil.java:91)
	at com.markmonitor.harvester.util.FetcherUtil.getContent(FetcherUtil.java:55)
	at com.markmonitor.reports.channel.UrlProcessingDaemon.getContent(UrlProcessingDaemon.java:197)
	at com.markmonitor.reports.channel.scoring.ChannelScoringTest.readUrls(ChannelScoringTest.java:112)
	at com.markmonitor.reports.channel.scoring.ChannelScoringTest.main(ChannelScoringTest.java:55)
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
	at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:251)
	at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:234)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:148)
	at sun.security.validator.Validator.validate(Validator.java:218)
	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
	... 21 more
Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
	at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:195)
	at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
	at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:246)
	... 28 more




---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org


RE: getting httpclient to trust all certs for ssl?

Posted by George Ludwig <sf...@yahoo.com>.
Greg,

You reminded me, I'd meant to post another follow-up
on this subject.

The code example I published works, however it needs
the not-yet-commons-ssl library, which can be found
here: http://juliusdavies.ca/commons-ssl/

I'm not sure if he includes the entire contribs jar in
his jar. I don't need the contribs jar in my
classpath for the code to work. And the contribs jar
by itself will not work.

I'm not sure what the exact issue was, but I was
getting a PKIX validation error when trying to access
this url: https://xlsoutlet.1a-shops.eu/ My guess is
that the cert is invalid for some reason, like expired
or some such, because even using the
EasySSLSocketFactory from the contribs jar I could not
talk with the site.

I haven't had the time to look into this issue in
detail. All I know is that it works now.

Best,

George



RE: getting httpclient to trust all certs for ssl?

Posted by "Moore, Greg" <Gr...@adp.com>.
Glad I was able to help, George, and thanks for the code. Your example is
what I was actually looking for originally. :)

My personal beef is that none of the examples on the sslguide show what
the imports are and, as you've said, there are a lot of outdated
examples.
It would be nice to have complete examples along the lines of...
here are the includes you need for the examples below
if you want to accept everything... [full code example]
if you want to check certs... [full code example]
if you want to be really paranoid and check everything ... [full code
example]

Especially for people, like me, that have never done programming using
https it would be helpful. But I'm using Jython so maybe I just look at
things differently :)

Greg.
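
Along the lines of the "if you want to check certs" case asked for above, the following is an added example with its imports (it is not from this thread or from the HttpClient project): a socket factory for HttpClient 3.x that validates chains against only the certificates in a supplied KeyStore, switches on host name checking, and is attached to a single host instead of being registered for every "https" URL. The class name, the truststore file, its password and the host are assumptions, and it assumes Java 7 or later.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

// Added example; the class name is hypothetical. Certificate chains are still
// validated, but only against the trust anchors in the KeyStore passed in.
public class TrustStoreProtocolSocketFactory implements SecureProtocolSocketFactory {
    private final SSLSocketFactory delegate;

    public TrustStoreProtocolSocketFactory(KeyStore trustStore) throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        delegate = ctx.getSocketFactory();
    }

    // JSSE sockets do not compare the certificate with the host name unless
    // endpoint identification is switched on (Java 7+); set it before the handshake.
    private static Socket verifyHostname(Socket socket) {
        SSLSocket ssl = (SSLSocket) socket;
        SSLParameters params = ssl.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        ssl.setSSLParameters(params);
        return ssl;
    }

    public Socket createSocket(String host, int port) throws IOException {
        return verifyHostname(delegate.createSocket(host, port));
    }

    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort)
            throws IOException {
        return verifyHostname(delegate.createSocket(host, port, localAddress, localPort));
    }

    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort,
                               HttpConnectionParams params) throws IOException {
        int timeout = params.getConnectionTimeout();
        if (timeout == 0) {
            return createSocket(host, port, localAddress, localPort);
        }
        // Honour HttpClient's connection timeout: create unconnected, then connect.
        Socket socket = verifyHostname(delegate.createSocket());
        socket.bind(new InetSocketAddress(localAddress, localPort));
        socket.connect(new InetSocketAddress(host, port), timeout);
        return socket;
    }

    // Layers TLS over an existing socket, e.g. a tunnel through a proxy.
    public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
            throws IOException {
        return verifyHostname(delegate.createSocket(socket, host, port, autoClose));
    }

    // Attach the factory to one host on one client instead of calling
    // Protocol.registerProtocol("https", ...), a static registry shared by all HttpClient instances.
    public static HttpClient clientFor(String host, KeyStore trustStore)
            throws GeneralSecurityException {
        ProtocolSocketFactory sf = new TrustStoreProtocolSocketFactory(trustStore);
        HttpClient client = new HttpClient();
        client.getHostConfiguration().setHost(host, 443, new Protocol("https", sf, 443));
        return client;
    }

    // Usage (all three arguments are placeholders): <truststore file> <password> <host>
    public static void main(String[] args) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            trustStore.load(in, args[1].toCharArray());
        }
        HttpClient client = clientFor(args[2], trustStore);
        GetMethod get = new GetMethod("/"); // relative path; host and Protocol come from the client
        try {
            System.out.println("HTTP status: " + client.executeMethod(get));
        } finally {
            get.releaseConnection();
        }
    }
}
```

A self-signed server certificate can be imported into the truststore file with the JDK's keytool, which keeps validation enabled for that one certificate.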



RE: getting httpclient to trust all certs for ssl?

Posted by George Ludwig <sf...@yahoo.com>.
Thanks a lot Greg! There's a fair amount of info on
this subject floating around, unfortunately most of it
is out of date and it's hard to find a solid example.

If anyone else is looking for an answer to this, the
following code is the solution:

public static void trustAllCerts() throws Exception {
   ProtocolSocketFactory sf = new EasySSLProtocolSocketFactory();
   Protocol p = new Protocol("https", sf, 443);
   Protocol.registerProtocol("https", p);
}




RE: getting httpclient to trust all certs for ssl?

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Tue, 2008-04-08 at 13:53 -0700, George Ludwig wrote:
> Crap, my fat fingered typing prematurely sent the
> response.
> 
> Execute this at any time before the SSL session:
> 
> public static void trustAllCerts() throws Exception {
>    ProtocolSocketFactory sf=new   
>       EasySSLProtocolSocketFactory();
>    Protocol p = new Protocol("https", sf, 443);
>    Protocol.registerProtocol("https", p);
> }
> 
> As a side comment, is there any reason why the
> contribs area is not included by default in the
> httpclient binary distribution? It just complicates my
> project management, seemingly unnecessarily.
> 

Because it is not officially supported. The contrib code is provided as
reference material only. The users of that code are expected to review
it thoroughly and make adjustments they deem necessary.

Oleg 





RE: getting httpclient to trust all certs for ssl?

Posted by George Ludwig <sf...@yahoo.com>.
Crap, my fat fingered typing prematurely sent the
response.

Execute this at any time before the SSL session:

public static void trustAllCerts() throws Exception {
   ProtocolSocketFactory sf = new EasySSLProtocolSocketFactory();
   Protocol p = new Protocol("https", sf, 443);
   Protocol.registerProtocol("https", p);
}

As a side comment, is there any reason why the
contribs area is not included by default in the
httpclient binary distribution? It just complicates my
project management, seemingly unnecessarily.

Thanks again Greg!

-George



RE: getting httpclient to trust all certs for ssl?

Posted by "Moore, Greg" <Gr...@adp.com>.
George,
Did you take a look at http://hc.apache.org/httpclient-3.x/sslguide.html
at the EasySSLProtocolSocketFactory? There is an
EasySSLProtocolSocketFactory and an EasyTrustmanager in SVN that seem to
do ok. Of course I wouldn't use it for production.

Maybe this would help too.
http://www.matthewekent.com/2007/09/httpclient-ssl-support-how-to-.html

Greg.
