Posted to users@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2011/12/20 00:06:15 UTC

Re: [OT] truststore and keystore SSL

Lau,

Marking OT because this is not a Tomcat question: it's either
http-components or Java-in-general.

On 12/17/11 2:34 AM, Lau Eng Huat wrote:
> The question that I have now is how to get it to work with apache 
> httpclient components.

Have you tried the apache-commons mailing list?

> I found that the SSLSocketFactory has 4 constructor class of
> interest. They are
> 
> [snip: list of constructors]
> 
> Which one should I use, and what are the pros and cons of each? If I
> use the item 2 method, which one is tomcathost.jks and trust.jks in
> the first parameter and the 3rd parameter?

The "trust store" is always the keystore that contains the
certificates to be trusted. That means that the "trust store" needs to
contain the certificate from your remote web server. If the
certificate was signed by a globally-trusted certificate authority
(CA) such as VeriSign, Thawte, etc. then you probably don't need to go
through any of this.

Is this a self-signed cert?

> The other question is how to load certificates dynamically in Java;
> how do I achieve this?

You will have to work this out for yourself. Perhaps you can do
periodic re-loading of a keystore?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: [OT] truststore and keystore SSL

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Lau,

On 12/20/11 5:24 AM, Lau Eng Huat wrote:
> It's a self-signed certificate. I posted here because there seems
> to be no reply from httpclient-users@hc.apache.org. Will there
> be a lot of changes when we change to commercial certificates?

If you have a commercially-signed certificate then the JVM will
probably not complain because the certificate authority is already
trusted.

I haven't checked recently with Oracle Java, but StartSSL offers SSL
certificates for free if you can prove that you have control over a
domain name (it's a simple process). I know that Firefox trusts their
CA, so it's possible that Java will do the same.

Maybe you could use a free signed SSL certificate for development and
avoid all this work.

Or, you could do what we do when this kind of thing comes up and
disable the trust manager. That requires that you write some code. You
might be able to adapt this to affect only *one* SSLContext, but we
install it JVM-wide. YMMV.

    import java.security.KeyManagementException;
    import java.security.NoSuchAlgorithmException;
    import java.security.SecureRandom;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;

    // Installs a trust manager that accepts every server certificate as the
    // JVM-wide default for HttpsURLConnection (any connection that does not
    // set its own socket factory is affected).
    public static void disableSSLCertificateChecking()
    {
        TrustManager[] trustAllCerts = new TrustManager[] {
            new X509TrustManager() {
                public X509Certificate[] getAcceptedIssuers() {
                    return null;
                }
                // Empty bodies: no CertificateException is ever thrown, so
                // no chain (self-signed, expired, wrong host) is rejected.
                public void checkClientTrusted(X509Certificate[] certs,
                                               String authType) {
                }
                public void checkServerTrusted(X509Certificate[] certs,
                                               String authType) {
                }
            }
        };

        try
        {
            SSLContext sc = SSLContext.getInstance("SSL");
            sc.init(null, trustAllCerts, new SecureRandom());
            HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
        }
        catch (KeyManagementException kme)
        {
            kme.printStackTrace();
        }
        catch (NoSuchAlgorithmException nsae)
        {
            nsae.printStackTrace();
        }
    }


-chris



Re: [OT] truststore and keystore SSL

Posted by Lau Eng Huat <to...@gmail.com>.
Hi Guys,

It's a self-signed certificate. I posted here because there seems to be
no reply from httpclient-users@hc.apache.org. Will there be a lot of
changes when we change to commercial certificates?


On Tue, Dec 20, 2011 at 7:14 AM, Tim Watts <ti...@cliftonfarm.org> wrote:

> On Mon, 2011-12-19 at 18:06 -0500, Christopher Schultz wrote:
> > On 12/17/11 2:34 AM, Lau Eng Huat wrote:
> > > The question that I have now is how to get it to work with apache
> > > httpclient components.
> >
> > Have you tried the apache-commons mailing list?
> >
>
> Actually Http Components has been a top level project for some time and
> they have their own list:
>
>        http://hc.apache.org/

Re: [OT] truststore and keystore SSL

Posted by Tim Watts <ti...@cliftonfarm.org>.
On Mon, 2011-12-19 at 18:06 -0500, Christopher Schultz wrote:
> On 12/17/11 2:34 AM, Lau Eng Huat wrote:
> > The question that I have now is how to get it to work with apache 
> > httpclient components.
> 
> Have you tried the apache-commons mailing list?
> 

Actually Http Components has been a top level project for some time and
they have their own list:

	http://hc.apache.org/