Posted to httpclient-users@hc.apache.org by Gerhard Sinne <GS...@orga-systems.com> on 2010/10/28 16:27:22 UTC
SSL self-signed certificate trouble with TrustSelfSignedStrategy()
Hi all,
I have an HTTP client implementing a self-signed acceptance strategy using
the TrustSelfSignedStrategy() of the Apache HTTP Client 4.1Alpha2.
- First question: Do I have to set the truststore system properties
although I implemented a TrustSelfSignedStrategy() strategy?
Like this way:
System.setProperty("javax.net.ssl.trustStore", "My.trustStore");
System.setProperty("javax.net.ssl.trustStorePassword", "MyPWD");
I did not install any certificates globally in JRE/JDK with the keytool
and also try to avoid this.
- Second, could somebody shed some light on this code, which still fails with
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.AllowAllHostnameVerifier;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.conn.ssl.TrustStrategy;
import org.apache.http.conn.ssl.X509HostnameVerifier;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;

// accept self-signed server certificates and skip hostname checks
TrustStrategy trustStrategy = new TrustSelfSignedStrategy();
X509HostnameVerifier hostnameVerifier = new AllowAllHostnameVerifier();
SSLSocketFactory sslSf = new SSLSocketFactory(trustStrategy, hostnameVerifier);

// register that socket factory for the https scheme
Scheme https = new Scheme("https", 443, sslSf);
SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(https);

ClientConnectionManager connection = new ThreadSafeClientConnManager(schemeRegistry);
DefaultHttpClient httpClient = new DefaultHttpClient(connection);
httpClient.getCredentialsProvider().setCredentials(
        new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT, "HTTPAccess"),
        new UsernamePasswordCredentials("username", "password"));

HttpGet httpGet = new HttpGet("https://192.168.0.100:443/cgi-bin/read.xml?");
HttpResponse response = httpClient.execute(httpGet);
System.out.println(response.getStatusLine());
Thanks for any comment
/Gerd
The information included in this e-mail and any files transmitted with it is strictly confidential and may be privileged or otherwise protected from disclosure. If you are not the intended recipient, please notify the sender immediately by e-mail and delete this e-mail as well as any attachment from your system. If you are not the intended recipient you are not authorized to use and/or copy this message and/or attachment and/or disclose the contents to any other person.
Re: SSL self-signed certificate trouble with TrustSelfSignedStrategy()
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Fri, 2010-10-29 at 09:55 +0200, Gerhard Sinne wrote:
> Hi Oleg,
> thanks for taking the time.
>
> > Gerhard
> > There's nothing wrong with the code. Your expectations as to what
> > TrustSelfSignedStrategy is meant to do seem wrong, though.
>
> Sorry, cannot follow. What do you mean ?
>
Self-signed != signed by one's own CA
> So the code is correct. Now what else is wrong ?
>
> From the API I read: (
> http://hc.apache.org/httpcomponents-client-dev/httpclient/apidocs/org/apache/http/conn/ssl/TrustSelfSignedStrategy.html
> )
> "A trust strategy that accepts self-signed certificates as trusted.
> Verification of all other certificates is done by the trust manager
> configured in the SSL context. "
>
> My https server has a self-signed certificate. My expectation is that
> with this TrustSelfSignedStrategy() any certificate (including
> self-signed) is trusted and the connection to my https server is granted.
>
Your expectation is wrong. TrustSelfSignedStrategy clears as trusted
only certificates that are self-signed (that is, there is only one
certificate in the certificate chain). In all other cases the
certificate chain will be verified against trust material specified in
the SSL context.
If you want to treat all certificates as trusted you will have to
implement a custom TrustStrategy.
Oleg
>
> Best regards
> Gerd
>
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
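Oleg's point (here and in his first reply below) is that TrustSelfSignedStrategy only short-circuits verification for a one-element chain; anything longer goes to the trust manager of the SSL context, and a chain signed by a private CA is not "self-signed" in that sense. For Gerd's actual situation, one known server with a self-signed certificate and no change to the global truststore, the safer answer is not a trust-everything strategy but one that trusts exactly that certificate. The following is an added example, not code from the thread or from HttpClient itself; the class name, the pinned SHA-256 fingerprint argument and the choice of StrictHostnameVerifier are my assumptions, written against the 4.1 API used in the thread.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.StrictHostnameVerifier;
import org.apache.http.conn.ssl.TrustStrategy;

/** Trusts one specific self-signed certificate, identified by the SHA-256 of its DER encoding. */
public class PinnedSelfSignedStrategy implements TrustStrategy {
    private final byte[] pinnedFingerprint;

    // hexSha256 is the fingerprint you recorded out-of-band, e.g. from `keytool -printcert`
    public PinnedSelfSignedStrategy(String hexSha256) {
        this.pinnedFingerprint = hexToBytes(hexSha256);
    }

    @Override
    public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // "Self-signed" in the sense TrustSelfSignedStrategy uses it: a one-element chain.
        if (chain == null || chain.length != 1) {
            return false; // longer chain = CA-signed: hand it back to the default trust manager
        }
        X509Certificate cert = chain[0];
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return false;
        }
        try {
            cert.checkValidity();             // reject expired / not-yet-valid certificates
            cert.verify(cert.getPublicKey()); // the signature must really come from its own key
            byte[] fp = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            return MessageDigest.isEqual(fp, pinnedFingerprint); // constant-time comparison
        } catch (GeneralSecurityException e) {
            throw new CertificateException("self-signed certificate rejected", e);
        }
    }

    private static byte[] hexToBytes(String hex) {
        String clean = hex.replace(":", "");
        byte[] out = new byte[clean.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(clean.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    /** Drop-in replacement for the SSLSocketFactory built in the thread. */
    public static SSLSocketFactory socketFactory(String pinnedHexSha256) throws GeneralSecurityException {
        return new SSLSocketFactory(new PinnedSelfSignedStrategy(pinnedHexSha256), new StrictHostnameVerifier());
    }
}
```

Because the server is identified by its fingerprint, the hostname verifier is a second line of defence rather than the primary one, but keeping the strict verifier means the certificate's CN/SAN must still match the address you connect to, so the pinned certificate cannot be replayed from a different host.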
Re: SSL self-signed certificate trouble with TrustSelfSignedStrategy()
Posted by Gerhard Sinne <GS...@orga-systems.com>.
Hi Oleg,
thanks for taking the time.
> Gerhard
> There's nothing wrong with the code. Your expectations as to what
> TrustSelfSignedStrategy is meant to do seem wrong, though.
Sorry, cannot follow. What do you mean ?
So the code is correct. Now what else is wrong ?
From the API I read:
(http://hc.apache.org/httpcomponents-client-dev/httpclient/apidocs/org/apache/http/conn/ssl/TrustSelfSignedStrategy.html)
"A trust strategy that accepts self-signed certificates as trusted.
Verification of all other certificates is done by the trust manager
configured in the SSL context. "
My https server has a self-signed certificate. My expectation is that
with this TrustSelfSignedStrategy() any certificate (including
self-signed) is trusted and the connection to my https server is granted.
Best regards
Gerd
Re: SSL self-signed certificate trouble with TrustSelfSignedStrategy()
Posted by Oleg Kalnichevski <ol...@apache.org>.
"Gerhard Sinne" <GS...@orga-systems.com> wrote:
>Thanks Oleg for the quick reply,
>
>> > - Second, could somebody shed some light on this code, which still
>> > fails with
>> > javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>> >
>>
>> You have to differentiate self-signed certificates from those signed
>> by a non-trusted CA. The TrustSelfSignedStrategy causes HttpClient to
>> bypass the certificate checks for _self-signed_ certificates only.
>>
>> Hope this helps
>
>Sorry, the problem persists.
>
>So why does this code still fail with
>javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>
>Changing the code to http (without 's'), everything is fine, so the
>user/password authentication is ok.
>
>Could you please take a look at the few lines of code:
>
> TrustStrategy trustStrategy = new TrustSelfSignedStrategy();
> X509HostnameVerifier hostnameVerifier = new AllowAllHostnameVerifier();
> SSLSocketFactory sslSf = new SSLSocketFactory(trustStrategy, hostnameVerifier);
>
> Scheme https = new Scheme("https", 443, sslSf);
> SchemeRegistry schemeRegistry = new SchemeRegistry();
> schemeRegistry.register(https);
>
> ClientConnectionManager connection = new ThreadSafeClientConnManager(schemeRegistry);
>
> DefaultHttpClient httpClient = new DefaultHttpClient(connection);
> httpClient.getCredentialsProvider().setCredentials(
>         new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT, "HTTPAccess"),
>         new UsernamePasswordCredentials("username", "password"));
>
> HttpGet httpGet = new HttpGet("https://192.168.0.100:443/cgi-bin/read.xml?");
> HttpResponse response = httpClient.execute(httpGet);
> System.out.println(response.getStatusLine());
>
>
>
>Thanks, regards
>/Gerd
>
Gerhard
There's nothing wrong with the code. Your expectations as to what TrustSelfSignedStrategy is meant to do seem wrong, though.
Oleg
Re: SSL self-signed certificate trouble with TrustSelfSignedStrategy()
Posted by Gerhard Sinne <GS...@orga-systems.com>.
Thanks Oleg for the quick reply,
> > - Second, could somebody shed some light on this code, which still
> > fails with
> > javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
> >
>
> You have to differentiate self-signed certificates from those signed by
> a non-trusted CA. The TrustSelfSignedStrategy causes HttpClient to bypass
> the certificate checks for _self-signed_ certificates only.
>
> Hope this helps
Sorry, the problem persists.
So why does this code still fail with
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
Changing the code to http (without 's'), everything is fine, so the
user/password authentication is ok.
Could you please take a look at the few lines of code:
TrustStrategy trustStrategy = new TrustSelfSignedStrategy();
X509HostnameVerifier hostnameVerifier = new AllowAllHostnameVerifier();
SSLSocketFactory sslSf = new SSLSocketFactory(trustStrategy, hostnameVerifier);

Scheme https = new Scheme("https", 443, sslSf);
SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(https);

ClientConnectionManager connection = new ThreadSafeClientConnManager(schemeRegistry);

DefaultHttpClient httpClient = new DefaultHttpClient(connection);
httpClient.getCredentialsProvider().setCredentials(
        new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT, "HTTPAccess"),
        new UsernamePasswordCredentials("username", "password"));

HttpGet httpGet = new HttpGet("https://192.168.0.100:443/cgi-bin/read.xml?");
HttpResponse response = httpClient.execute(httpGet);
System.out.println(response.getStatusLine());
Thanks, regards
/Gerd
Re: SSL self-signed certificate trouble with TrustSelfSignedStrategy()
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Thu, 2010-10-28 at 16:27 +0200, Gerhard Sinne wrote:
> Hi all,
> I have an HTTP client implementing a self-signed acceptance strategy using
> the TrustSelfSignedStrategy() of the Apache HTTP Client 4.1Alpha2.
>
> - First question: Do I have to set the truststore system properties
> although I implemented a TrustSelfSignedStrategy() strategy?
>
You do not.
> Like this way:
>
> System.setProperty("javax.net.ssl.trustStore", "My.trustStore");
> System.setProperty("javax.net.ssl.trustStorePassword", "MyPWD");
>
> I did not install any certificates globally in JRE/JDK with the keytool
> and also try to avoid this.
>
> - Second, could somebody shed some light on this code, which still fails with
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>
>
You have to differentiate self-signed certificates from those signed by
a non-trusted CA. The TrustSelfSignedStrategy causes HttpClient to bypass
the certificate checks for _self-signed_ certificates only.
Hope this helps
Oleg