Posted to dev@hc.apache.org by "Partha Venkatavaradhan (pavenkat)" <pa...@cisco.com> on 2008/12/05 20:49:20 UTC

RE: Certificate Validation

Is it mandatory that I call Protocol.registerProtocol()? Because I have the following lines in my code:
Protocol https = new Protocol("https", new StrictSSLProtocolSocketFactory(), port); // factory that verifies the hostname after the handshake
//Protocol.registerProtocol("https", https); // global registration, currently commented out
client.getHostConfiguration().setHost(url.getHost(), url.getPort(), https); // bind the protocol to this host only

The above code, on Windows, doesn't perform the hostname verification. Only if I uncomment the call to registerProtocol is the hostname verification called. But on my target Linux (IBM JRE), this call to registerProtocol results in a 'Peer not verified' exception.

Thanks in advance,
Partha

-----Original Message-----
From: Partha Venkatavaradhan (pavenkat) 
Sent: Wednesday, November 26, 2008 12:02 PM
To: HttpComponents Project
Subject: RE: Certificate Validation

Hi,

Looks like after I included the StrictSSLProtocolSocketFactory, now even a valid certificate like Thawte is declared as 'Peer not verified'. This however works on a Windows machine. I am testing it on a Java ME edition and there it fails. Any clues?

Thanks,
Partha


-----Original Message-----
From: Ortwin Glück [mailto:odi@odi.ch] 
Sent: Tuesday, November 18, 2008 1:34 AM
To: HttpComponents Project
Subject: Re: Certificate Validation

Hi Partha,

Please have a look at
http://hc.apache.org/httpclient-3.x/sslguide.html
and especially then
StrictSSLProtocolSocketFactory which is referenced there.

Cheers,

Ortwin

Partha Venkatavaradhan (pavenkat) wrote:
> Hi,
> 
>  
> 
> I am running a tomcat server that has a valid certificate from Thawte.
> In my HTTP client code I am letting the library handle the SSL
> validation and I am not using any custom trust validation.  Now,
> everything works fine but the problem is precisely this.  It works fine
> even if I specify the IP address of the server in the URL.  Since
> the certificate is signed against my server's domain name, if I access
> the URL with the IP address I expect the library to throw an exception as the
> domain names don't match.  This is what precisely happens when I try
> to access the server from a browser by typing the server's IP address
> instead of the domain name.  I get a warning message stating that the
> domain name and the URL that I entered don't match.
> 
>  
> 
> Is there any way I let the library explicitly validate the domain name
> and throw me an exception in case it detects a mismatch?
> 
>  
> 
> Thanks,
> 
> Partha
> 
> 

-- 
[web]  http://www.odi.ch/
[blog] http://www.odi.ch/weblog/
[pgp]  key 0x81CF3416
       finger print F2B1 B21F F056 D53E 5D79 A5AF 02BE 70F5 81CF 3416

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org




Re: Certificate Validation

Posted by Oleg Kalnichevski <ol...@apache.org>.
Partha Venkatavaradhan (pavenkat) wrote:
> Hi Oleg,
> 
> Thanks for your response.  I was using a relative path.  I got the following exception thrown with debug turned on.  It's throwing an exception on the session.getPeerCertificates() line, and the same exception if I use the getCertificateChain() method.  Is there anything that I am missing here?
> 

Partha,

This problem has nothing to do with the hostname verification. The 
SSLPeerUnverifiedException was thrown because the identity of the server 
could not be verified. Apparently the SSL context was not correctly set up.

Trust verification and hostname verification are not the same thing.

Oleg



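Oleg's distinction above, as an added Python example that is not code from this thread or from HttpClient: the handshake's chain check establishes trust, and hostname verification is a separate comparison of the requested host against the certificate's identities, which is the step a StrictSSLProtocolSocketFactory adds. The function works over the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, the certificate values are constructed, and it also covers the IP-literal case from Partha's first message and wildcard names, which the thread does not discuss.

```python
"""Hostname verification as a step separate from trust (chain) verification.

Added example; the certificate dictionaries below are constructed and follow
the shape returned by ssl.SSLSocket.getpeercert().
"""
import ipaddress


def _dns_matches(pattern, hostname):
    """Exact match, or a wildcard that is the whole leftmost label only."""
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    p_labels = pattern.split('.')
    h_labels = hostname.split('.')
    # '*.example.com' matches one label; it never matches 'example.com'
    # itself, nor 'a.b.example.com', nor partial labels like 'www*'.
    if p_labels[0] != '*' or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(cert, hostname):
    """Return (ok, reason) for the requested host against the cert's identities."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    sans = cert.get('subjectAltName', ())
    dns_names = [v for k, v in sans if k == 'DNS']
    ip_names = [v for k, v in sans if k == 'IP Address']
    if ip is not None:
        # An IP literal in the URL only ever matches an iPAddress SAN; a
        # dNSName or CN for the server's domain does not cover it.
        if any(ipaddress.ip_address(v) == ip for v in ip_names):
            return True, 'matched iPAddress SAN'
        return False, f'no iPAddress SAN for {hostname}'
    if any(_dns_matches(p, hostname) for p in dns_names):
        return True, 'matched dNSName SAN'
    if dns_names:
        # Once dNSName SANs are present the subject CN is ignored entirely.
        return False, f'no dNSName SAN matches {hostname}'
    cns = [v for rdn in cert.get('subject', ()) for k, v in rdn if k == 'commonName']
    if any(_dns_matches(cn, hostname) for cn in cns):
        return True, 'matched subject CN (no SAN present)'
    return False, f'neither SAN nor CN matches {hostname}'


# Constructed sample: a chain-valid certificate issued to the server's DNS names.
SERVER_CERT = {
    'subject': ((('commonName', 'server.example.com'),),),
    'subjectAltName': (('DNS', 'server.example.com'), ('DNS', 'www.example.com')),
}


def check(hostname, trusted=True, cert=SERVER_CERT):
    """Trust result first (here passed in as the handshake's verdict), then hostname."""
    if not trusted:
        return 'SSLPeerUnverifiedException: peer not verified'
    ok, why = verify_hostname(cert, hostname)
    return 'ok' if ok else f'hostname mismatch: {why}'
```

Connecting to the same server by IP literal therefore fails the hostname step even though the chain is trusted, which is the behaviour the browser showed and the library initially did not.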

RE: Certificate Validation

Posted by "Partha Venkatavaradhan (pavenkat)" <pa...@cisco.com>.
Hi Oleg,

Thanks for your response.  I was using a relative path.  I got the following exception thrown with debug turned on.  It's throwing an exception on the session.getPeerCertificates() line, and the same exception if I use the getCertificateChain() method.  Is there anything that I am missing here?


**********************************************************************************************************
enter GetMethod(String) at [2008-12-08 11:07:04,893] (org.apache.commons.httpclient.methods.GetMethod) 
Set parameter http.protocol.cookie-policy = rfc2109 at [2008-12-08 11:07:04,896] (org.apache.commons.httpclient.params.DefaultHttpParams) 
Set parameter http.method.retry-handler = org.apache.commons.httpclient.DefaultHttpMethodRetryHandler@5db15db1 at [2008-12-08 11:07:04,896] (org.apache.commons.httpclient.params.DefaultHttpParams) 
enter HttpClient.executeMethod(HttpMethod) at [2008-12-08 11:07:04,897] (org.apache.commons.httpclient.HttpClient) 
enter HttpClient.executeMethod(HostConfiguration,HttpMethod,HttpState) at [2008-12-08 11:07:04,898] (org.apache.commons.httpclient.HttpClient) 
Attempt number 1 to process request at [2008-12-08 11:07:04,970] (org.apache.commons.httpclient.HttpMethodDirector) 
enter HttpConnection.open() at [2008-12-08 11:07:04,970] (org.apache.commons.httpclient.HttpConnection) 
Open connection to 171.69.71.167:8443 at [2008-12-08 11:07:04,971] (org.apache.commons.httpclient.HttpConnection) 
enter HttpConnection.closeSockedAndStreams() at [2008-12-08 11:07:06,095] (org.apache.commons.httpclient.HttpConnection) 
Closing the connection. at [2008-12-08 11:07:06,096] (org.apache.commons.httpclient.HttpMethodDirector) 
enter HttpConnection.close() at [2008-12-08 11:07:06,097] (org.apache.commons.httpclient.HttpConnection) 
enter HttpConnection.closeSockedAndStreams() at [2008-12-08 11:07:06,097] (org.apache.commons.httpclient.HttpConnection) 
I/O exception (javax.net.ssl.SSLPeerUnverifiedException) caught when processing request: peer not verified at [2008-12-08 11:07:06,099] (org.apache.commons.httpclient.HttpMethodDirector) 
peer not verified at [2008-12-08 11:07:06,106] (org.apache.commons.httpclient.HttpMethodDirector) 
javax.net.ssl.SSLPeerUnverifiedException: peer not verified
gnu.javax.net.ssl.provider.Session.getPeerCertificates (Unknown Source)
com.cisco.embedded.server.connection.http.StrictSSLProtocolSocketFactory.verifyHostname (Unknown Source)
com.cisco.embedded.server.connection.http.StrictSSLProtocolSocketFactory.createSocket (Unknown Source)
org.apache.commons.httpclient.HttpConnection.open (Unknown Source)
org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry (Unknown Source)
org.apache.commons.httpclient.HttpMethodDirector.executeMethod (Unknown Source)
org.apache.commons.httpclient.HttpClient.executeMethod (Unknown Source)
org.apache.commons.httpclient.HttpClient.executeMethod (Unknown Source)
com.cisco.embedded.server.connection.http.HttpsConnection.doGet (Unknown Source)
**********************************************************************************************************


thanks,
Partha



Re: Certificate Validation

Posted by Oleg Kalnichevski <ol...@apache.org>.
Partha Venkatavaradhan (pavenkat) wrote:
> Is it mandatory that I call Protocol.registerProtocol(). 

No, it is not.


> Because I have the following lines in my code:
> 			Protocol https = new Protocol("https", new StrictSSLProtocolSocketFactory(),  port);
> 			//Protocol.registerProtocol("https", https);
> 			client.getHostConfiguration().setHost(url.getHost(), url.getPort(), https);
> 
> The above code, on Windows, doesn't perform the hostname verification. Only if I uncomment the call to registerProtocol is the hostname verification called. But on my target Linux (IBM JRE), this call to registerProtocol results in a 'Peer not verified' exception.
> 

When using a custom HostConfiguration, make sure to use relative request URIs.

Oleg

