Posted to httpclient-users@hc.apache.org by Mike Y <ke...@yahoo.com> on 2004/10/28 20:33:11 UTC

an extension suggestion... allow ssl with untrusted certs...

Or is there another way to do this?

I have a test machine and my cert isn't 100% kosher,
so attempting SSL fails with an "untrusted server cert
chain" message.  I have now carefully read the
HttpClient and HostConfiguration class docs, and can't
find any way around this.  I think there should be a
method -- or methods -- in HttpClient like:

setAllowUntrustedCertChain(boolean);
setAllowInvalidCertDate(boolean);
setAllowInvalidCertServerNameMatch(boolean);

The three things that are typically checked.

After all, in theory I could custom generate and sign
my own certs without compromising security; and as
long as I trust the certs I am using, why should
HttpClient necessarily care?  The default behavior
could be that all those three things are expected to
be valid, but for the developer who knows what he is
doing, why not make it a possibility to do otherwise?

Just an idea.  Sorry for not posting this on the dev
list.  I thought someone might have another workaround
for me here, which is what I'm really after.  

You folks have been kind and great.  

Thanks,
Michael




		

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org


Re: an extension suggestion... allow ssl with untrusted certs...

Posted by Oleg Kalnichevski <ol...@apache.org>.
Mike,

Have you tried using EasySSLProtocolSocketFactory or 
AuthSSLProtocolSocketFactory socket factories?

http://cvs.apache.org/viewcvs.cgi/jakarta-commons/httpclient/src/contrib/org/apache/commons/httpclient/contrib/ssl/?only_with_tag=HTTPCLIENT_2_0_BRANCH

For details on customizing SSL in HttpClient see

http://jakarta.apache.org/commons/httpclient/sslguide.html

Hope this helps

Oleg

On Thu, 2004-10-28 at 20:33, Mike Y wrote:
> Or is there another way to do this?
> 
> I have a test machine and my cert isn't 100% kosher,
> so attempting SSL fails with an "untrusted server cert
> chain" message.  I have now carefully read the
> HttpClient and HostConfiguration class docs, and can't
> find any way around this.  I think there should be a
> method -- or methods -- in HttpClient like:
> 
> setAllowUntrustedCertChain(boolean);
> setAllowInvalidCertDate(boolean);
> setAllowInvalidCertServerNameMatch(boolean);
> 
> The three things that are typically checked.
> 
> After all, in theory I could custom generate and sign
> my own certs without compromising security; and as
> long as I trust the certs I am using, why should
> HttpClient necessarily care?  The default behavior
> could be that all those three things are expected to
> be valid, but for the developer who knows what he is
> doing, why not make it a possibility to do otherwise?
> 
> Just an idea.  Sorry for not posting this on the dev
> list.  I thought someone might have another workaround
> for me here, which is what I'm really after.  
> 
> You folks have been kind and great.  
> 
> Thanks,
> Michael



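An added example, not code from this thread or from HttpClient's contrib package: for a test server with a self-signed certificate, the standard JSSE API can build an `SSLContext` that trusts only that one certificate, so the chain check passes while the date and server-name checks stay on. The certificate file argument, the `test-server` alias and the class name are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class PinnedTestCert {

    /** Trust managers whose only trust anchor is the given certificate. */
    static TrustManager[] trustOnly(X509Certificate cert) throws Exception {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        store.load(null, null);                         // empty in-memory store
        store.setCertificateEntry("test-server", cert); // alias is arbitrary (assumed name)
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        return tmf.getTrustManagers();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java PinnedTestCert <server-cert.pem>");
            System.exit(2);
        }
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
        cert.checkValidity(); // throws if the certificate is expired or not yet valid

        TrustManager[] tms = trustOnly(cert);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tms, null);

        // On raw SSLSockets the server-name check must be requested explicitly;
        // apply these parameters with SSLSocket.setSSLParameters(params).
        SSLParameters params = ctx.getDefaultSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");

        X509TrustManager x509 = (X509TrustManager) tms[0];
        System.out.println("trust anchors: " + x509.getAcceptedIssuers().length);
        System.out.println("subject: " + cert.getSubjectX500Principal());
        System.out.println("endpoint id: " + params.getEndpointIdentificationAlgorithm());
    }
}
```

Sockets for the test host are then created from `ctx.getSocketFactory()`; the system default trust store is not consulted, so this context should be used only for connections to that host.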

Re: an extension suggestion... allow ssl with untrusted certs...

Posted by Mike Y <ke...@yahoo.com>.
Of course, I don't necessarily mean to claim that I'm
a "developer who knows what he is doing".

For what it's worth.
--- Mike Y <ke...@yahoo.com> wrote:

> Or is there another way to do this?
> 
> I have a test machine and my cert isn't 100% kosher,
> so attempting SSL fails with an "untrusted server
> cert
> chain" message.  I have now carefully read the
> HttpClient and HostConfiguration class docs, and
> can't
> find any way around this.  I think there should be a
> method -- or methods -- in HttpClient like:
> 
> setAllowUntrustedCertChain(boolean);
> setAllowInvalidCertDate(boolean);
> setAllowInvalidCertServerNameMatch(boolean);
> 
> The three things that are typically checked.
> 
> After all, in theory I could custom generate and
> sign
> my own certs without compromising security; and as
> long as I trust the certs I am using, why should
> HttpClient necessarily care?  The default behavior
> could be that all those three things are expected to
> be valid, but for the developer who knows what he is
> doing, why not make it a possibility to do
> otherwise?
> 
> Just an idea.  Sorry for not posting this on the dev
> list.  I thought someone might have another
> workaround
> for me here, which is what I'm really after.  
> 
> You folks have been kind and great.  
> 
> Thanks,
> Michael


		