Posted to httpclient-users@hc.apache.org by Marcel Stör <ma...@frightanic.com> on 2010/04/05 10:50:00 UTC
Never use absolute URIs with EasySSLProtocolSocketFactory
We're using HttpClient for an Eclipse plugin. To support self-signed certificates we also use EasySSLProtocolSocketFactory.
Hence, we modify the standard HttpClient HostConfiguration instance like so:
...
if (config.isAllowSelfSignedCertificates()) {
    ProtocolSocketFactory factory = new EasySSLProtocolSocketFactory();
    try {
        URI uri = new URI(config.getBaseUrl());
        int port = uri.getPort();
        if (port == -1) {
            port = 443;
        }
        Protocol easyHttps = new Protocol(uri.getScheme(), factory, port);
        hostConfiguration.setHost(uri.getHost(), port, easyHttps);
    } catch (URISyntaxException e) {
        throw new IOException("could not parse URI " + config.getBaseUrl(), e);
    }
}
...
While issuing requests against an absolute URI, however, I got the dreaded "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target". This first left me puzzled as I explicitly use EasySSLProtocolSocketFactory to get around this problem.
I found that the HttpClient has the following code in its executeMethod() method:
...
if (hostconfig == defaulthostconfig || uri.isAbsoluteURI()) {
    // make a deep copy of the host defaults
    hostconfig = (HostConfiguration) hostconfig.clone();
    if (uri.isAbsoluteURI()) {
        hostconfig.setHost(uri);
    }
}
...
So, my host config is cloned.
Since the so-called deep copy isn't a proper deep copy, the copy's protocol's socket factory is no longer EasySSLProtocolSocketFactory but the standard SSLProtocolSocketFactory instead!
Is this a known issue or am I misunderstanding something?
Cheers,
Marcel
--
Marcel Stör, http://www.frightanic.com
Couchsurfing: http://www.couchsurfing.com/people/marcelstoer
Skype: marcelstoer
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: Never use absolute URIs with EasySSLProtocolSocketFactory
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Mon, 2010-04-05 at 14:19 +0200, Marcel Stör wrote:
> On 05.04.2010, at 12:15, Oleg Kalnichevski wrote:
> > This is a well known and documented peculiarity of the 3.x API. One MUST
> > use relative request URIs with a custom HostConfiguration.
>
> Thanks for the confirmation.
>
> Ok, since I wasn't successful the first time going over the documents at http://hc.apache.org/httpclient-3.x I tried Google again. If it's "well known and documented" Google should be able to turn up something. All I could find were JIRA issues and archived mailing list entries:
> - https://issues.apache.org/jira/browse/HTTPCLIENT-634
> - https://issues.apache.org/jira/browse/HTTPCLIENT-683
> - http://issues.apache.org/jira/browse/HTTPCLIENT-783
> - http://www.mail-archive.com/httpclient-user@jakarta.apache.org/msg03530.html
>
> I think this information deserves a more prominent spot on apache.org since it really seems very crucial.
>
> Marcel
>
HttpClient 3.x is effectively at the end of life. I see no point
investing any more time into it. Having said that, I'll happily review
and commit patches for the 3.x codeline.
Oleg
Re: Never use absolute URIs with EasySSLProtocolSocketFactory
Posted by Marcel Stör <ma...@frightanic.com>.
On 05.04.2010, at 12:15, Oleg Kalnichevski wrote:
> This is a well known and documented peculiarity of the 3.x API. One MUST
> use relative request URIs with a custom HostConfiguration.
Thanks for the confirmation.
Ok, since I wasn't successful the first time going over the documents at http://hc.apache.org/httpclient-3.x I tried Google again. If it's "well known and documented" Google should be able to turn up something. All I could find were JIRA issues and archived mailing list entries:
- https://issues.apache.org/jira/browse/HTTPCLIENT-634
- https://issues.apache.org/jira/browse/HTTPCLIENT-683
- http://issues.apache.org/jira/browse/HTTPCLIENT-783
- http://www.mail-archive.com/httpclient-user@jakarta.apache.org/msg03530.html
I think this information deserves a more prominent spot on apache.org since it really seems very crucial.
Marcel
--
Marcel Stör, http://www.frightanic.com
Couchsurfing: http://www.couchsurfing.com/people/marcelstoer
Skype: marcelstoer
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
Re: Never use absolute URIs with EasySSLProtocolSocketFactory
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Mon, 2010-04-05 at 10:50 +0200, Marcel Stör wrote:
> We're using HttpClient for an Eclipse plugin. To support self-signed certificates we also use EasySSLProtocolSocketFactory.
>
> Hence, we modify the standard HttpClient HostConfiguration instance like so:
>
> ...
> if (config.isAllowSelfSignedCertificates()) {
>     ProtocolSocketFactory factory = new EasySSLProtocolSocketFactory();
>     try {
>         URI uri = new URI(config.getBaseUrl());
>         int port = uri.getPort();
>         if (port == -1) {
>             port = 443;
>         }
>         Protocol easyHttps = new Protocol(uri.getScheme(), factory, port);
>         hostConfiguration.setHost(uri.getHost(), port, easyHttps);
>     } catch (URISyntaxException e) {
>         throw new IOException("could not parse URI " + config.getBaseUrl(), e);
>     }
> }
> ...
>
> While issuing requests against an absolute URI, however, I got the dreaded "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target". This first left me puzzled as I explicitly use EasySSLProtocolSocketFactory to get around this problem.
>
> I found that the HttpClient has the following code in its executeMethod() method:
>
> ...
> if (hostconfig == defaulthostconfig || uri.isAbsoluteURI()) {
>     // make a deep copy of the host defaults
>     hostconfig = (HostConfiguration) hostconfig.clone();
>     if (uri.isAbsoluteURI()) {
>         hostconfig.setHost(uri);
>     }
> }
> ...
>
> So, my host config is cloned.
>
> Since the so-called deep copy isn't a proper deep copy, the copy's protocol's socket factory is no longer EasySSLProtocolSocketFactory but the standard SSLProtocolSocketFactory instead!
>
> Is this a known issue or am I misunderstanding something?
>
This is a well known and documented peculiarity of the 3.x API. One MUST
use relative request URIs with a custom HostConfiguration.
Please consider upgrading to HttpClient 4.0 which does not have this
limitation.
Oleg
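
Added example, not code from this thread or from HttpClient: one way to follow the "relative request URIs only" rule is to convert each target URL to a path relative to the configured base and to reject anything on a different scheme, host or port, so a request is never sent to a host the custom HostConfiguration was not set up for. The class name, method names and sample URLs are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Hypothetical helper (assumption, not part of HttpClient). */
public final class RelativeRequestUri {

    // Normalise default ports so "https://host" and "https://host:443" compare equal.
    private static int effectivePort(URI u) {
        if (u.getPort() != -1) {
            return u.getPort();
        }
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    /**
     * Returns the raw path (plus query) of target for use as a relative
     * request URI. Throws if target is absolute but not on the scheme, host
     * and port that baseUrl (the configured host) names.
     */
    public static String toRelative(String baseUrl, String target) throws URISyntaxException {
        URI base = new URI(baseUrl);
        URI t = new URI(target);
        if (!t.isAbsolute()) {
            return target; // already relative: the configured host is used
        }
        boolean sameOrigin = t.getScheme().equalsIgnoreCase(base.getScheme())
                && t.getHost() != null
                && t.getHost().equalsIgnoreCase(base.getHost())
                && effectivePort(t) == effectivePort(base);
        if (!sameOrigin) {
            throw new IllegalArgumentException("not on configured host: " + target);
        }
        String path = (t.getRawPath() == null || t.getRawPath().isEmpty()) ? "/" : t.getRawPath();
        return t.getRawQuery() == null ? path : path + "?" + t.getRawQuery();
    }

    public static void main(String[] args) throws URISyntaxException {
        String base = "https://repo.example.test:8443/api"; // constructed sample value
        // The returned string is what would be handed to the request method
        // (for example new GetMethod(relative) in HttpClient 3.x).
        System.out.println(toRelative(base, "https://REPO.example.test:8443/api/items?id=7"));
        try {
            toRelative(base, "https://other.example.test/api/items"); // different host
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```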