Posted to user@commons.apache.org by Dennis Crall <de...@uiowa.edu> on 2004/05/11 16:44:32 UTC

[HttpClient] Unsigned Certificates & EasySSLProtocolSocketFactory

Hi,

I'm having problems getting HttpClient to work with unsigned 
certificates over https. Using HttpClient right out of the box, I get 
the following exception:

	javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: No trusted certificate found

So I looked at the documentation a bit more carefully and discovered 
EasySSLProtocolSocketFactory. This class apparently solves my problem, 
but I cannot get it to compile. Nor can I get EasyX509TrustManager to 
compile. Strangely enough the compiler is telling me that certain 
classes in HttpClient do not exist. Specifically, the following five 
lines:

import org.apache.commons.httpclient.ConnectTimeoutException;
import org.apache.commons.httpclient.HttpClientError;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.ControllerThreadSocketFactory;
import org.apache.commons.httpclient.protocol.ReflectionSocketFactory;

And this is from within a project where I can build the 
HttpClientTutorial with no problem. So I guess my questions are:

1.) Is there anywhere I can download a jar of the 
org.apache.commons.httpclient.contrib.ssl package?

2.) Is there an obvious reason why the compiler is not seeing the 
classes listed above? Is EasySSLProtocolSocketFactory compatible with 
HttpClient 2.0? I am working with HttpClient 2.0 on Mac OS X 10.3 and 
Java 1.4.1.

Any advice is appreciated,

Dennis Crall


---------------------------------------------------------------------
To unsubscribe, e-mail: commons-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-user-help@jakarta.apache.org


Re: [HttpClient] Unsigned Certificates & EasySSLProtocolSocketFactory

Posted by Dennis Crall <de...@uiowa.edu>.
Oleg,

It turns out I was missing a step and EasySSLSocketFactory was not  
being called at all. Everything worked perfectly once I added the  
following line to my code:

Protocol.registerProtocol( "https", easyhttps );

And just for the archive, here is what my final code looks like. It  
would be nice if the sample code also showed the registerProtocol()  
step.

    // Wrap the contrib SSL socket factory in a Protocol for port 443
    Protocol easyhttps = new Protocol("https", new EasySSLProtocolSocketFactory(), 443);
    // This registration is the step that was missing: without it HttpClient
    // keeps using the default "https" protocol and the factory is never called
    Protocol.registerProtocol("https", easyhttps);
    HttpClient client = new HttpClient();
    client.getHostConfiguration().setHost("remote.host", 443, easyhttps);
    HttpMethod method = new GetMethod(fullURL);

And thanks once again for your help. It was invaluable. Also,  
HttpClient is wonderful.

Regards,

Dennis





Re: [HttpClient] Unsigned Certificates & EasySSLProtocolSocketFactory

Posted by ol...@bluewin.ch.
Dennis

> sun.security.validator.ValidatorException: No trusted certificate found

As you can see from the error message above, verification of the certificate
chain has been delegated to Sun's standard certificate validator, which
does not quite like 'home-made' certificates.

The EasyX509TrustManager and EasySSLProtocolSocketFactory classes have never
been intended for use without adjustments to the specific requirements of individual
applications. That's why these classes are not part of the standard HttpClient
library in the first place.

In its stock implementation, EasyX509TrustManager checks the length of the
certificate chain. If the certificate chain consists of more than one certificate,
EasyX509TrustManager passes control to the standard trust manager and
washes its hands of it. See the code below:

    /**
     * @see com.sun.net.ssl.X509TrustManager#isServerTrusted(X509Certificate[])
     */
    public boolean isServerTrusted(X509Certificate[] certificates) {
        if ((certificates != null) && LOG.isDebugEnabled()) {
            LOG.debug("Server certificate chain:");
            for (int i = 0; i < certificates.length; i++) {
                LOG.debug("X509Certificate[" + i + "]=" + certificates[i]);
            }
        }
        if ((certificates != null) && (certificates.length == 1)) {
            X509Certificate certificate = certificates[0];
            try {
                certificate.checkValidity(); 
            }
            catch (CertificateException e) {
                LOG.error(e.toString());
                return false;
            }
            return true;
        } else {
            return this.standardTrustManager.isServerTrusted(certificates);
        }
    }

Apparently the target server uses a little more complicated setup than a
trivial self-signed certificate. You should carefully analyze the security
requirements of your application and modify the EasyX509TrustManager to meet
your specific needs (for instance, by ensuring that all the certificates in
the certificate chain are trusted, that is, signed by a trusted CA). In the
most extreme case, if you really do not care about SSL authentication, you
may choose to trust all certificates by making isServerTrusted always return
true.

Hope this helps

Oleg
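The stock isServerTrusted() above accepts any one-certificate chain that is merely inside its validity period, so an attacker in the path who presents their own self-signed certificate is accepted just as readily as the intended server. The following is an added example (not HttpClient code and not part of the contrib package) of the "adjust it to your requirements" advice: a trust manager that accepts only the one self-signed certificate whose SHA-256 fingerprint was configured out of band, still enforces the validity period, and hands longer chains to the JVM's default CA-based trust manager. It is written against the standard javax.net.ssl.X509TrustManager, which signals rejection by throwing, rather than the older com.sun.net.ssl API with its boolean isServerTrusted() that the 2.0 contrib code uses; the class name, constructor argument and fingerprint format are this example's own, and it assumes a JVM whose SUN provider offers SHA-256 (1.4.2 or later).

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Trust manager for a server that presents a single self-signed certificate.
 * Instead of accepting any one-certificate chain (as the stock EasyX509TrustManager
 * does), it accepts only the certificate whose SHA-256 fingerprint was configured
 * in advance, still enforces the validity period, and hands every longer chain to
 * the JVM's default trust manager for normal CA validation.
 *
 * Added example, not part of HttpClient or its contrib package. The class name,
 * the constructor argument and the fingerprint format are this example's own.
 */
public class PinnedX509TrustManager implements X509TrustManager {

    private final X509TrustManager standardTrustManager;
    private final byte[] pinnedFingerprint;   // SHA-256 of the DER-encoded certificate

    /** @param pinnedSha256Hex 64 hex digits, optionally colon-separated as openssl/keytool print them */
    public PinnedX509TrustManager(String pinnedSha256Hex) throws Exception {
        this.standardTrustManager = defaultTrustManager();
        this.pinnedFingerprint = hexToBytes(pinnedSha256Hex);
    }

    /** Locate the JVM's default X509TrustManager (backed by the cacerts trust store). */
    private static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory factory =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        factory.init((KeyStore) null);   // null keystore = use the JVM default trust store
        TrustManager[] managers = factory.getTrustManagers();
        for (int i = 0; i < managers.length; i++) {
            if (managers[i] instanceof X509TrustManager) {
                return (X509TrustManager) managers[i];
            }
        }
        throw new IllegalStateException("no default X509TrustManager available");
    }

    /** Rejection is signalled by throwing, which is how JSSE expects it (unlike isServerTrusted). */
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("server sent an empty certificate chain");
        }
        if (chain.length == 1) {
            X509Certificate leaf = chain[0];
            leaf.checkValidity();   // still reject expired or not-yet-valid certificates
            // A one-element chain is not necessarily self-signed (the server may simply have
            // omitted its intermediates); the pin decides either way, so nothing else is assumed.
            if (MessageDigest.isEqual(fingerprint(leaf), pinnedFingerprint)) {
                return;
            }
            throw new CertificateException(
                "server certificate does not match the pinned fingerprint: " + leaf.getSubjectDN());
        }
        // Longer chains get the normal CA-based validation Oleg refers to.
        standardTrustManager.checkServerTrusted(chain, authType);
    }

    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        standardTrustManager.checkClientTrusted(chain, authType);
    }

    public X509Certificate[] getAcceptedIssuers() {
        return standardTrustManager.getAcceptedIssuers();
    }

    /** SHA-256 over the certificate's DER encoding, the same value openssl and keytool print. */
    static byte[] fingerprint(X509Certificate cert) throws CertificateException {
        try {
            return MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException("SHA-256 not available in this JVM");
        }
    }

    /** Parse "ab:cd:..." or "abcd..." into 32 raw bytes; rejects anything that is not a SHA-256. */
    static byte[] hexToBytes(String hex) {
        String digits = hex.replaceAll("[:\\s]", "");
        if (digits.length() != 64) {
            throw new IllegalArgumentException("expected 64 hex digits (SHA-256), got " + digits.length());
        }
        byte[] out = new byte[32];
        for (int i = 0; i < 32; i++) {
            out[i] = (byte) Integer.parseInt(digits.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

To use it with HttpClient 2.0, copy the contrib EasySSLProtocolSocketFactory and, where it initialises its SSLContext with an EasyX509TrustManager, install `new PinnedX509TrustManager(fingerprint)` instead (the copied factory then has to be built on javax.net.ssl.SSLContext rather than the com.sun.net.ssl one). The fingerprint is obtained once, out of band, from the certificate file the server operator hands you, for example with `openssl x509 -in server.crt -noout -fingerprint -sha256`, and kept in configuration; when the server's certificate is renewed the pin has to be updated, which is the price of not trusting every self-signed certificate that happens to be in date.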







Re: [HttpClient] Unsigned Certificates & EasySSLProtocolSocketFactory

Posted by Dennis Crall <de...@uiowa.edu>.
Oleg,

Thank you very much. I now have EasySSLProtocolSocketFactory compiling.  
However, I am still getting the same exception:

javax.net.ssl.SSLHandshakeException:  
sun.security.validator.ValidatorException: No trusted certificate found

The code I'm using is as follows. The instructions seemed pretty  
straightforward. Do you see anything wrong? (The server I'm connecting  
to is using port 444).

Protocol easyhttps = new Protocol("https", new EasySSLProtocolSocketFactory(), 444);
HttpClient client = new HttpClient();
client.getHostConfiguration().setHost("remote.host", 444, easyhttps);
HttpMethod method = new GetMethod(fullURL);

Thank you for your help,

Dennis




RE: [HttpClient] Unsigned Certificates & EasySSLProtocolSocketFactory

Posted by ol...@bluewin.ch.
Dennis

There are two branches of HttpClient: 2.0 (stable) and development (unstable,
which will eventually become 3.0). The SSL guide unfortunately points at
the development branch (HEAD) instead of (HTTPCLIENT_2_0_BRANCH). I was long
going to fix the problem but there had always been more pressing issues I
needed to turn my attention to. I'll do my (very) best to fix the SSL guide
tonight. Meanwhile use the link below to get the 2.0 version of the easy
SSL protocol factory:

http://cvs.apache.org/viewcvs.cgi/jakarta-commons/httpclient/src/contrib/org/apache/commons/httpclient/contrib/ssl/?only_with_tag=HTTPCLIENT_2_0_BRANCH

Oleg



