Posted to dev@hc.apache.org by Oleg Kalnichevski <ol...@apache.org> on 2007/10/10 16:43:25 UTC

Re: Httpclient 3.1 with SSL - how do get the SSL peer certificates for a particular request?

On Tue, 2007-10-09 at 13:53 -0700, Eric Johnson wrote:
> Perhaps I missed the documentation, but here's my problem:
> 
> For our particular use of HttpClient (version 3.1), we'd like to be able
> to fetch the peer certificate chain for a particular request.
> 
> The obvious place to start is to define our own protocol socket factory.
> 
> Having done that, I can see perhaps caching the mapping of host to peer
> certificates in the protocol socket factory.  Then, after any given
> request, my code can ask the protocol socket factory for the peer
> certificates for the domain I just connected to.  This seems more
> complicated than it needs to be.  I worry that this gets awkward: how do
> I maintain the correctness of the cache?
> 
> I think it would make more sense to associate the certificate chain with
> the individual request.  I just don't see an obvious way to do that.
> 
> Any ideas how best to solve this?
> 

Hi Eric

Unfortunately I have no good news for you. There is simply no elegant
way of solving this problem with HttpClient 3.x. Possible workarounds
differ in the degree of ugliness, but all are very ugly.   

HttpClient 4.0 API is significantly more flexible and powerful. It
provides a reasonably elegant way of solving the problem (as well as
many other inherent deficiencies of the 3.x API), but it is still an
early ALPHA and is not expected to stabilize any time soon.

You'll have to pick the lesser of two evils depending on your particular
project circumstances and priorities.

Oleg


> -Eric.
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpcomponents-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: httpcomponents-dev-help@jakarta.apache.org
> 
> 




Re: Httpclient 3.1 with SSL - how do get the SSL peer certificates for a particular request?

Posted by Julius Davies <ju...@gmail.com>.
It might be worthwhile to just open up a 2nd socket directly from your
application to get the peer cert chain.  So just call "new
SSLSocket()" directly from *your* application!  Don't forget to close
it!

-- 
yours,

Julius Davies
250-592-2284
http://juliusdavies.ca/
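
The second-connection approach suggested above, as an added example that is not part of the original thread and is not HttpClient code. It uses only standard JSSE classes; the class name PeerChainProbe and its helper methods are hypothetical. The chain it returns belongs to the probe connection's own handshake, not to the connection HttpClient used for the request, so a load-balanced or recently re-keyed host can present a different chain on each.

```java
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class PeerChainProbe {

    /** Opens a separate TLS connection and returns the chain presented on it. */
    static Certificate[] fetchPeerChain(String host, int port, int timeoutMs) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        Socket plain = new Socket();
        try {
            plain.connect(new InetSocketAddress(host, port), timeoutMs);
            plain.setSoTimeout(timeoutMs);
            // Layer TLS over the connected socket; autoClose=true closes both together.
            try (SSLSocket tls = (SSLSocket) factory.createSocket(plain, host, port, true)) {
                // A raw SSLSocket does not check the host name unless asked to.
                SSLParameters params = tls.getSSLParameters();
                params.setEndpointIdentificationAlgorithm("HTTPS");
                tls.setSSLParameters(params);
                tls.startHandshake(); // fails if the default trust store rejects the chain
                return tls.getSession().getPeerCertificates();
            }
        } finally {
            plain.close(); // no-op if the TLS socket already closed it
        }
    }

    /** SHA-256 fingerprint of the DER encoding, for logging or comparison. */
    static String sha256Hex(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) throw new IllegalArgumentException("usage: PeerChainProbe host [port]");
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        for (Certificate c : fetchPeerChain(args[0], port, 5000)) {
            String subject = (c instanceof X509Certificate)
                    ? ((X509Certificate) c).getSubjectX500Principal().getName() : c.getType();
            System.out.println(sha256Hex(c) + "  " + subject); // leaf certificate first
        }
    }
}
```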



Re: Httpclient 3.1 with SSL - how do get the SSL peer certificates for a particular request?

Posted by Eric Johnson <er...@tibco.com>.
Hi Oleg,

A little slow on the up-take, I am.  Thanks for taking the time to
respond.  It is, alas, as I figured.

Looking forward to HttpComponents....  If only I had more time to
contribute like I used to.

-Eric.
