Posted to httpclient-users@hc.apache.org by Jason Novotny <no...@aei.mpg.de> on 2005/03/18 19:46:45 UTC

using SSL and trusted certs

Hi,

    I'm just trying to connect to Tomcat manager webapp over HTTPS:

https://devportal.nersc.gov:11443/manager/list

The webserver has its own certificate with 2 other certs in the chain. I 
thought by adding the 3 certs to my JDK keystore, it would work, so I 
tried importing them via keytool:

keytool -import -v -trustcacerts -alias trustcert{1,3} -file cert{1,3} 
-keystore /usr/java/jre/lib/security/cacerts

and when I do keytool -list -v -keystore 
/usr/java/jre/lib/security/cacerts  I see they are all there. However, 
my application still gives me the following:

core.registry.impl.tomcat.TomcatManagerWrapper  - connecting to URL 
https://devportal.nersc.gov:11443/manager/list
javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: No trusted certificate found
        at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)

....

This is java version "1.4.2_03" on Linux. Has anyone successfully used 
httpclient SSL with their own trusted certs?

    Thanks, Jason


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
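Jason's question comes down to which cacerts file the running JVM actually consults and why the imported certificates do not satisfy it. The utility below is an added example, not code from the thread or from HttpClient: it resolves the trust store the same way the JSSE default trust manager does (javax.net.ssl.trustStore if set, otherwise jssecacerts and then cacerts under java.home), reports how many trusted entries that store holds, and, given the server's chain as PEM files on the command line (leaf first, the order a server sends them), runs a PKIX validation against that store and prints either the trust anchor it reached or the failing chain index. The class name and the PEM-files-as-arguments convention are my assumptions; it targets Java 7 or later.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Added diagnostic (not part of HttpClient): shows which trust store the running JVM
 * will consult and whether a server chain, supplied as PEM files, validates against it.
 */
public class TrustStoreReport {

    /** Same lookup order as JSSE's default trust manager: property, then jssecacerts, then cacerts. */
    static File effectiveTrustStore() {
        String explicit = System.getProperty("javax.net.ssl.trustStore");
        if (explicit != null) {
            return new File(explicit);
        }
        File securityDir = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
        File jssecacerts = new File(securityDir, "jssecacerts");
        return jssecacerts.isFile() ? jssecacerts : new File(securityDir, "cacerts");
    }

    static KeyStore loadTrustStore(File file) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        try (InputStream in = new FileInputStream(file)) {
            // A null password loads a JKS/PKCS12 trust store without the integrity check.
            ks.load(in, pw == null ? null : pw.toCharArray());
        }
        return ks;
    }

    static int countTrustedCerts(KeyStore ks) throws Exception {
        int n = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (ks.isCertificateEntry(e.nextElement())) n++;
        }
        return n;
    }

    /** Reads one or more PEM files into a chain; pass them leaf first. */
    static List<X509Certificate> readChain(String[] pemFiles) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        for (String name : pemFiles) {
            try (InputStream in = new FileInputStream(name)) {
                for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /** PKIX validation of the chain against the trust store; returns a one-line verdict. */
    static String validate(KeyStore trustStore, List<X509Certificate> chain) throws Exception {
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) {
            String alias = trustStore.getCertificateAlias(c);
            if (alias != null) {
                System.out.println("  already trusted as '" + alias + "': " + c.getSubjectX500Principal());
            } else {
                path.add(c);   // trust anchors themselves are not part of the path being validated
            }
        }
        if (path.isEmpty()) return "every certificate in the chain is a trust anchor";
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false);   // offline check; CRL/OCSP fetching is a separate concern
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                    CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return "VALID, anchored at " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
        } catch (CertPathValidatorException e) {
            return "INVALID at chain index " + e.getIndex() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        File store = effectiveTrustStore();
        System.out.println("java.home     = " + System.getProperty("java.home"));
        System.out.println("trust store   = " + store.getAbsolutePath());
        KeyStore ks = loadTrustStore(store);
        System.out.println("trusted certs = " + countTrustedCerts(ks));
        if (args.length > 0) {
            System.out.println("chain check   = " + validate(ks, readChain(args)));
        }
    }
}
```

Run it with the same JVM and the same -D options as the Tomcat instance that hosts the client code. If the java.home it prints is not the /usr/java/jre that keytool imported into, the application and keytool are simply using different stores. If the chain check reports a failing index, the certificate at that position has no issuer in either the chain or the store, which is what "No trusted certificate found" means in practice.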


Re: using SSL and trusted certs

Posted by Jason Novotny <no...@aei.mpg.de>.
    I'm getting a little further-- since my app is running in Tomcat, I 
set JAVA_OPTS to "-Djavax.net.debug=all" which tells me everything 
including the fact that my certs are being loaded. However, Apache does 
not appear to be configured to pass the entire cert chain,  so I wonder 
if that's the problem.

    Jason





Re: using SSL and trusted certs

Posted by Michael Becke <mb...@gmail.com>.
Adding the certs to your keystore should work, but it appears not to
for some reason.  I suggest running the Troubleshooting code from
<http://jakarta.apache.org/commons/httpclient/sslguide.html> to see if
the problem is with JSSE or HttpClient.  If it's with JSSE I won't
have much to add other than to have a look at their docs
<http://java.sun.com/products/jsse/index.jsp> for some insight.

Mike


On Fri, 18 Mar 2005 13:58:37 -0800, Jason Novotny <no...@aei.mpg.de> wrote:



Re: using SSL and trusted certs

Posted by Jason Novotny <no...@aei.mpg.de>.
Hi Mike,

    Thanks-- I checked that page out and found nothing of usefulness. 
The problem with that approach is I want to ship out some code that 
anyone can use, so it shouldn't have to reference a particular 
keystore-- the deployment of their particular trusted certs is an 
orthogonal issue.

The example found at 
http://svn.apache.org/viewcvs.cgi/jakarta/commons/proper/httpclient/branches/HTTPCLIENT_2_0_BRANCH/src/contrib/org/apache/commons/httpclient/contrib/ssl/AuthSSLProtocolSocketFactory.java?view=markup

shows how one would have to do the following:

Protocol authhttps = new Protocol("https",
            new AuthSSLProtocolSocketFactory(
                new URL("file:my.keystore"), "mypassword",
                new URL("file:my.truststore"), "mypassword"), 443);

This hardcoding of keystores and paths simply won't work in my situation.


     I was led to believe that adding the certs into the standard 
trusted certs location which I believe is 
$JAVA_HOME/jre/lib/security/cacerts should be the right approach-- I'm 
just wondering why it's not working-- is there a flag for more verbose 
JSSE logging-- so at least I can be sure what cacerts it is checking?

    Thanks, Jason





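Two points from Jason's replies can be shown in code: trusting whatever the JVM's default trust store is, with no keystore path or password hardcoded, and seeing what chain the server actually presents when the handshake fails (his suspicion that Apache is not configured to send the whole chain). The class below is an added example, not code from the thread or from HttpClient. It builds an SSLContext from the default TrustManagerFactory, initialised with a null KeyStore so that JSSE applies its own lookup and deployments control trust through javax.net.ssl.trustStore or cacerts, and wraps the resulting X509TrustManager so that a rejected server chain is printed, subject and issuer per certificate, before the same exception is rethrown. Class names are mine; host and port come from the command line; it targets Java 7 or later.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example (not HttpClient code): default-store trust plus chain diagnostics on failure. */
public class DefaultTrustDiagnostics {

    /** Delegates every decision to the JVM's trust manager; only adds output when it rejects a chain. */
    static final class ReportingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;

        ReportingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            try {
                delegate.checkServerTrusted(chain, authType);
            } catch (CertificateException e) {
                System.err.println("server chain rejected by the default trust manager: " + e.getMessage());
                describe(chain);
                throw e;   // never downgrade: the handshake still fails exactly as before
            }
        }

        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }

        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** Prints the presented chain and flags the classic incomplete-chain symptom. */
    static void describe(X509Certificate[] chain) {
        System.err.println("  server presented " + chain.length + " certificate(s):");
        for (int i = 0; i < chain.length; i++) {
            System.err.println("  [" + i + "] subject=" + chain[i].getSubjectX500Principal());
            System.err.println("      issuer =" + chain[i].getIssuerX500Principal());
        }
        X509Certificate last = chain[chain.length - 1];
        if (!last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            System.err.println("  last certificate is not self-signed: if its issuer ("
                    + last.getIssuerX500Principal()
                    + ") is not in the client trust store, the server is sending an incomplete chain");
        }
    }

    /** The trust manager JSSE itself would use: honours javax.net.ssl.trustStore, else jssecacerts/cacerts. */
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null KeyStore = use the JSSE default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available from " + tmf.getAlgorithm());
    }

    static SSLSocketFactory socketFactory() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new ReportingTrustManager(defaultTrustManager()) }, null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        try (SSLSocket s = (SSLSocket) socketFactory().createSocket(host, port)) {
            s.startHandshake();   // a rejected chain surfaces here, with the diagnostic output above
            System.out.println("handshake OK with " + host + ":" + port
                    + " using " + s.getSession().getProtocol());
        }
    }
}
```

The wrapper changes no trust decision, so it can stay in place in a deployed client. The SSLSocketFactory it yields can back a SecureProtocolSocketFactory registered with Protocol the way the AuthSSLProtocolSocketFactory snippet above is registered, with the file URLs and passwords gone. If the last certificate printed is not self-signed and its issuer is absent from the trust store, the server is sending a truncated chain; the fix belongs on the server side (configure it to send the intermediates), or the deployment can choose to import the missing intermediate into its own trust store.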

Re: using SSL and trusted certs

Posted by Michael Becke <mb...@gmail.com>.
Hi Jason,

HttpClient uses JSSE which works with self signed certs.  Please have
a look at the HttpClient SSL page for some troubleshooting ideas
<http://jakarta.apache.org/commons/httpclient/sslguide.html>.

Mike


On Fri, 18 Mar 2005 10:46:45 -0800, Jason Novotny <no...@aei.mpg.de> wrote:
