Posted to httpclient-users@hc.apache.org by Sebastiano Vigna <vi...@di.unimi.it> on 2013/11/11 18:51:43 UTC

Self-signed SSL certificates

Question: what is the suggested way to accept self-signed SSL certificates with the present version of the client? There used to be some examples floating around but maybe something has changed in the meantime...

Ciao,

					seba


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org


Re: Self-signed SSL certificates

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Tue, 2013-11-12 at 10:41 +0100, Sebastiano Vigna wrote:
> On 12 Nov 2013, at 10:35 AM, Oleg Kalnichevski <ol...@apache.org> wrote:
> 
> > spawns (at least in recent Oracle's JREs) which again seems to suggest
> > its code being reentrant and thread safe.  
> 
> 
> Thanks. Note that, in line with several other strategies in HTTP Core/Client, TrustSelfSignedStrategy could be a singleton with a static public INSTANCE field.
> 

True. Feel free to raise an improvement request in JIRA.

Oleg 





Re: Self-signed SSL certificates

Posted by Sebastiano Vigna <vi...@di.unimi.it>.
On 12 Nov 2013, at 10:35 AM, Oleg Kalnichevski <ol...@apache.org> wrote:

> spawns (at least in recent Oracle's JREs) which again seems to suggest
> its code being reentrant and thread safe.  


Thanks. Note that, in line with several other strategies in HTTP Core/Client, TrustSelfSignedStrategy could be a singleton with a static public INSTANCE field.

Ciao,

					seba




Re: Self-signed SSL certificates

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Tue, 2013-11-12 at 00:43 +0100, Sebastiano Vigna wrote:
> On 11 Nov 2013, at 9:29 PM, Oleg Kalnichevski <ol...@apache.org> wrote:
> 
> > ---
> > SSLContext sslcontext = SSLContexts.custom()
> >        .loadTrustMaterial(null, new TrustSelfSignedStrategy()).build();
> > CloseableHttpClient client = HttpClients.custom()
> >        .setSslcontext(sslcontext)
> >        .build();
> > ---
> 
> 
> I know this is not technically an HTTP Client question, but can SSLContext objects be shared between HTTP clients? TrustSelfSignedStrategy is stateless, so it can be shared, but it is really not clear from Java's documentation whether the SSLContext object is stateless.
> 

I once spent a considerable amount of time trying to find out whether or
not SSLContext instances are reentrant and thread safe. I did not manage
to find an explicit statement to that effect in Oracle
documentation. Just looking at Oracle's implementation of the class
it appears that access to _some_ of its internals is synchronized.
Moreover, an SSLContext instance is shared by all socket factories that it
spawns (at least in recent Oracle JREs) which again seems to suggest
its code being reentrant and thread safe.

Oleg




Re: Self-signed SSL certificates

Posted by Sebastiano Vigna <vi...@di.unimi.it>.
On 11 Nov 2013, at 9:29 PM, Oleg Kalnichevski <ol...@apache.org> wrote:

> ---
> SSLContext sslcontext = SSLContexts.custom()
>        .loadTrustMaterial(null, new TrustSelfSignedStrategy()).build();
> CloseableHttpClient client = HttpClients.custom()
>        .setSslcontext(sslcontext)
>        .build();
> ---


I know this is not technically an HTTP Client question, but can SSLContext objects be shared between HTTP clients? TrustSelfSignedStrategy is stateless, so it can be shared, but it is really not clear from Java's documentation whether the SSLContext object is stateless.

Ciao,

					seba




Re: Self-signed SSL certificates

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Mon, 2013-11-11 at 18:51 +0100, Sebastiano Vigna wrote:
> Question: what is the suggested way to accept self-signed SSL certificates with the present version of the client? There used to be some examples floating around but maybe something has changed in the meantime...
> 

---
SSLContext sslcontext = SSLContexts.custom()
        .loadTrustMaterial(null, new TrustSelfSignedStrategy()).build();
CloseableHttpClient client = HttpClients.custom()
        .setSslcontext(sslcontext)
        .build();
---

Oleg
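
Added example, not part of the original thread or of the HttpClient project's own code: TrustSelfSignedStrategy accepts any chain that consists of a single certificate, so a narrower setup is to trust only the one self-signed certificate you expect and share the resulting SSLContext between clients. It assumes the HttpClient 4.3 API used in the snippet above; the class name, the "pinned-server" alias and the command-line arguments (certificate file, URL) are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;

import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLContexts;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

// Hypothetical class: args[0] = server certificate file (PEM or DER), args[1] = https URL.
public class PinnedSelfSignedClient {

    // Builds an SSLContext whose only trust anchor is the certificate in certPath.
    static SSLContext contextTrustingOnly(String certPath) throws Exception {
        Certificate cert;
        try (InputStream in = new FileInputStream(certPath)) {
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                     // start from an empty in-memory store
        trustStore.setCertificateEntry("pinned-server", cert);
        // No TrustStrategy: the default trust manager validates against trustStore only,
        // so other self-signed certificates and the JRE's default CAs are rejected.
        return SSLContexts.custom().loadTrustMaterial(trustStore).build();
    }

    // Issues a GET and returns the HTTP status code; the TLS handshake happens here.
    static int fetchStatus(CloseableHttpClient client, String url) throws Exception {
        try (CloseableHttpResponse response = client.execute(new HttpGet(url))) {
            return response.getStatusLine().getStatusCode();
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext sslcontext = contextTrustingOnly(args[0]);
        // One context, two clients, as discussed in the thread.
        try (CloseableHttpClient first = HttpClients.custom().setSslcontext(sslcontext).build();
             CloseableHttpClient second = HttpClients.custom().setSslcontext(sslcontext).build()) {
            System.out.println("first:  " + fetchStatus(first, args[1]));
            System.out.println("second: " + fetchStatus(second, args[1]));
        }
    }
}
```

Hostname verification stays enabled in this setup, so the certificate's subject must still match the host in the URL.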


