Posted to httpclient-users@hc.apache.org by Julius Davies <ju...@cucbc.com> on 2006/10/06 05:05:00 UTC

Re: How come my http-client is not presenting the certificate?

Hi, JT,

#1.  Not possible.  The client cert will be presented for all paths.  This is because the socket is established before "GET /path" or "POST /path" is sent to the server.  But I'm just being pedantic here.

[I think #1 can "appear" possible when servers use "sslServer.setWantClientAuth( true )" instead of "sslServer.setNeedClientAuth( true )."  But the client cert will still be presented for the very first URL requested.]

#5.  Can you try the "ping" utility with commons-ssl?  After downloading "commons-ssl.jar", please type:

java -jar commons-ssl.jar

Hopefully the instructions that print out from that will be self-explanatory.  Don't forget to include the "-t" for "target".  I always forget!  And I wrote it!

If you get any bind exceptions, try specifying a local port (such as 54321).  There's one RHEL3 machine at my office that always complains about that for some reason, not sure why.

Can you show us the output the "Ping" utility gets back from your server?  I'm especially interested in the HTTP headers you get back, or the SSL exceptions.


yours,

Julius

http://juliusdavies.ca/commons-ssl/

ps.  please CC both httpclient-user and myself in any replies.  I don't seem to get httpclient emails any more at work.  I think we're having spam filtering issues...  probably going to start subscribing from my gmail account instead...  but I'm lazy...

==================================================
All:

1.  The server is authenticating only on a certain path.
2.  I am using commons-ssl with httpclient
3.  I used the EasySSLProtocolSocketFactory
4.  I have set my KeyMaterial
5.  When I hit the required authenticated path/location, it seems that the client is not presenting the cert.
6.  I tested out using openssl and it works.  I do see the client certificate request from the server and the client presents the correct cert.

I am confused.

Any help is much appreciated,
JT






---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org


Re: [SPAM] - Re: How come my http-client is not presenting the certificate? - Email has different SMTP TO: and MIME TO: fields in the email addresses

Posted by Julius Davies <ju...@cucbc.com>.
ps.  If you can get your server to set itself into WANT-CLIENT-AUTH mode
from the very beginning, things might work better.  WANT-CLIENT-AUTH
mode still allows sockets that don't have client certificates to be
established.

Only NEED-CLIENT-AUTH mode disallows socket creation in those cases.

So if your server was set up with WANT-CLIENT-AUTH mode right from the
beginning, httpclient would be able to send the client cert on all
requests, and not have to worry about this situation where a client cert
is asked for right in the middle of a request (after the GET or POST
line has been sent!).

But I would still like to see what it takes to get commons-ssl and
httpclient to work flawlessly with the scenario you've identified.


yours,

Julius


On Fri, 2006-06-10 at 13:09 -0700, Julius Davies wrote:
-- 
Julius Davies
Senior Application Developer, Technology Services
Credit Union Central of British Columbia
http://www.cucbc.com/
Tel: 416-652-0183
Cel: 647-232-7571

1441 Creekside Drive
Vancouver, BC
Canada
V6J 4S7




Re: How come my http-client is not presenting the certificate?

Posted by Julius Davies <ju...@cucbc.com>.
Hi, James,

Wow!  A person can call the following in the middle of a TCP/IP session:

// This happens in the server:
// SSLSocket "s" came from a serverSocket.accept() call.
s.setNeedClientAuth( true );
s.getSession().invalidate();
s.startHandshake();

I didn't know that.

But commons-ssl didn't seem to mind at all.  I just needed to alter the
test code a little to see that it worked.  Add this at the top:

final SSLSocket[] socket = new SSLSocket[ 1 ];

Inside the "SSLWrapperFactory" anonymous inner class, add this:

socket[ 0 ] = s;

After everything is done, take a look at the client certs yet again:

Certificate[] certs = socket[ 0 ].getSession().getLocalCertificates();
if ( certs != null )
{
  System.out.println( "client certs:" );
  for ( int i = 0; i < certs.length; i++ )
  {
    X509Certificate c = (X509Certificate) certs[ i ];
    System.out.println( Certificates.toString( c ) );
  }
}
else
{
  System.out.println( "client certs: null" );
}


yours,

Julius



On Fri, 2006-06-10 at 11:46 -0700, James Vu wrote:


Re: How come my http-client is not presenting the certificate?

Posted by James Vu <jt...@yahoo.com>.
Julius:

I just want to reemphasize that the server DOES NOT
lock down the port.  It only locks down a certain path.
So the server will not send a certificate request
until the client sends the GET /whatever HTTP/1.1

Anyhow, I ran your code and I got the "client certs:
null" message.

thanks again,
JT 


--- Julius Davies <ju...@cucbc.com> wrote:


Re: How come my http-client is not presenting the certificate?

Posted by Julius Davies <ju...@cucbc.com>.
Hi, James,


I double checked that client certs are still working with
"commons-ssl-0.3.0.jar".  I used the code below.

When I try connecting to an SSL server that doesn't require client
certs, I get "client certs: null" (e.g. www.cucbc.com:443).

When I try connecting to a server that does require client certs, they
show up.

If I remove this line, then the socket can't be established:

// easy.setKeyMaterial( km );

But that's because the server I'm testing against REQUIRES client certs,
rather than just merely WANTING client certs.

Can you try the code below?  I'm using the "SSLWrapperFactory" interface
to look closely at the socket before it's returned up to HttpClient.

If you're still having problems, I'll try setting up a proper
WANT-CLIENT-AUTH server to further test.  For now I'm being lazy and
just relying on a NEED-CLIENT-AUTH server I have access to.


yours,

Julius

http://juliusdavies.ca/


import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;

import org.apache.commons.httpclient.Header;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory;
import org.apache.commons.httpclient.methods.HeadMethod;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.ssl.Certificates;
import org.apache.commons.ssl.KeyMaterial;
import org.apache.commons.ssl.SSLWrapperFactory;

// Imports and a class wrapper are added here so main() compiles as a unit;
// any class name will do.
public class ClientCertCheck
{
  public static void main( String[] args ) throws Exception
  {
    EasySSLProtocolSocketFactory easy = new EasySSLProtocolSocketFactory();
    SSLWrapperFactory w = new SSLWrapperFactory()
    {
      public SSLSocket wrap( SSLSocket s ) throws IOException
      {
        // getSession() completes the handshake if it hasn't run yet;
        // getPeerCertificates() throws if the server did not authenticate itself.
        s.getSession().getPeerCertificates();
        System.out.println( "wrap: " + s );
        // The certificates this client sent to the server (null if none were presented).
        Certificate[] certs = s.getSession().getLocalCertificates();
        if ( certs != null )
        {
          System.out.println( "client certs:" );
          for ( int i = 0; i < certs.length; i++ )
          {
            X509Certificate c = (X509Certificate) certs[ i ];
            System.out.println( Certificates.toString( c ) );
          }
        }
        else
        {
          System.out.println( "client certs: null" );
        }
        return s;
      }

      public SSLServerSocket wrap( SSLServerSocket s ) throws IOException
      {
        return s;
      }
    };

    // These next three lines are where commons-ssl fits in:
    KeyMaterial km = new KeyMaterial( "/path/to/cert.p12", "changeit".toCharArray() );
    easy.setSSLWrapperFactory( w );
    easy.setKeyMaterial( km );

    // Back to usual "EasySSLProtocolSocketFactory" as detailed in
    // httpclient-contrib javadocs:
    Protocol easyhttps = new Protocol( "https", easy, 443 );
    Protocol.registerProtocol( "https", easyhttps );
    HttpClient client = new HttpClient();
    HeadMethod httpget = new HeadMethod( "https://www.cucbc.com:443/" );
    try
    {
      client.executeMethod( httpget );
      Header[] headers = httpget.getResponseHeaders();
      for ( int i = 0; i < headers.length; i++ )
      {
        Header h = headers[ i ];
        System.out.println( h.getName() + ":" + h.getValue() );
      }
    }
    finally
    {
      // Return the connection to HttpClient's pool once the response has been read.
      httpget.releaseConnection();
    }
  }
}


On Fri, 2006-06-10 at 08:09 -0700, James Vu wrote:
> Julius:
> 
> Again thanks for your reply.  I did use
> EasySSLProtocolSocketFactory.  This is why the client
> was able to make thru the first SSL handshake because
> it is able to trust any CA.  (As a side note, I think
> there are sufficient samples/docs for using
> EasySSLProtocolSocketFactory.) 
> 
> I also tried the TrustSSLProtocolSocketFactory with
> both the server certificate and the signer of the
> server certificate as the trust chain.  Here it also
> passed thru the first SSL handshake but did not seem
> to present the client certificate during the second
> handshake.
> 
> thanks,
> JT
> 
> Here is my test client code:
> 
> import org.apache.commons.httpclient.HttpClient;
> import org.apache.commons.httpclient.methods.GetMethod;
> import org.apache.commons.httpclient.protocol.Protocol;
> import org.apache.commons.ssl.HttpSecureProtocol;
> import org.apache.commons.ssl.TrustMaterial;
> import org.apache.commons.ssl.KeyMaterial;
> 
> import org.apache.commons.httpclient.contrib.ssl.*;
> 
> import javax.net.ssl.SSLHandshakeException;
> import java.net.URL;
> 
> public class SslClientExample {
> 
>   /* argument 0: host
>               1: port number */
>   public static void main( String[] args ) 
>                               throws Exception
>   {
>     HttpSecureProtocol f = 
>                    new EasySSLProtocolSocketFactory();
> 
>     //HttpSecureProtocol f = new HttpSecureProtocol();
> 
>     // here's where we start trusting server's CA:
>     //f.addTrustMaterial(new TrustMaterial(
>     //                     "my_cacerts.jks", 
>     //                     "changeit".toCharArray()));
>     f.setKeyMaterial (new KeyMaterial("mycert.p12", 
>                            "changeit".toCharArray()));
>     Protocol trustHttps = new Protocol("https", 
>                            f,
>                            Integer.parseInt(args[1]));
>     Protocol.registerProtocol("https", trustHttps);
> 
>     HttpClient client = new HttpClient();
>     GetMethod httpget = new GetMethod(args[0]);
>     client.executeMethod(httpget);
>     String s = httpget.getStatusLine().toString();
>     System.out.println( "HTTPClient: " + s );
>     System.out.println(
>                 httpget.getResponseBodyAsString());
>   }
> }
> 
> 
> --- Julius Davies <ju...@cucbc.com> wrote:
> 
> > James,
> > 
> > Hope you don't mind me switching this conversation
> > to "httpclient-user"
> > instead of "httpclient-dev".
> > 
> > I think the results below show that commons-ssl is
> > able to present the
> > client certificate.  I should probably fix things up
> > a little to make
> > doubly sure of that (the commons-ssl "ping" utility
> > is only showing the
> > server certs in its output), but for now let's focus
> > on your code
> > instead.
> > 
> > #1.  Are you using EasySSLProtocolSocketFactory like
> > this?  There is no
> > documentation actually telling you to do this, so I
> > don't blame you if
> > you missed this:
> > 
> > EasySSLProtocolSocketFactory easy = new EasySSLProtocolSocketFactory();
> > 
> > // These next two lines are where commons-ssl fits in:
> > KeyMaterial km = new KeyMaterial( "/path/to/cert.jks" );
> > easy.setKeyMaterial( km );
> > 
> > // Back to usual "EasySSLProtocolSocketFactory" as detailed in
> > // httpclient-contrib javadocs:
> > Protocol easyhttps = new Protocol("https", easy, 443);
> > Protocol.registerProtocol("https", easyhttps);
> > HttpClient client = new HttpClient();
> > GetMethod httpget = new GetMethod("https://localhost/");
> > client.executeMethod(httpget);
> > 
> > 
> > #2.  I would actually recommend against using
> > EasySSLProtocolSocketFactory in production
> > environments.  Instead I
> > would use the Ping utility to download the server
> > cert you want to trust
> > (cut & paste the base64 PEM output into a separate
> > file), and then use
> > AuthSSLProtocolSocketFactory instead.
> > 
> > But if you do that, you will have to also deal with
> > server cert expiry,
> > which can be annoying.  Mind you, if you're using
> > client certs, you
> > already have to deal with client cert expiry!
> > 
> > 
> > yours,
> > 
> > Julius
> > 
> > http://juliusdavies.ca/commons-ssl/
> > 
> > 

-- 
Julius Davies
Senior Application Developer, Technology Services
Credit Union Central of British Columbia
http://www.cucbc.com/
Tel: 416-652-0183
Cel: 647-232-7571

1441 Creekside Drive
Vancouver, BC
Canada
V6J 4S7


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org


Re: How come my http-client is not presenting the certificate?

Posted by James Vu <jt...@yahoo.com>.
Julius:

Again thanks for your reply.  I did use
EasySSLProtocolSocketFactory.  This is why the client
was able to make it through the first SSL handshake:
it is able to trust any CA.  (As a side note, I think
there are sufficient samples/docs for using
EasySSLProtocolSocketFactory.)

I also tried the TrustSSLProtocolSocketFactory with
both the server certificate and the signer of the
server certificate as the trust chain.  Here it also
passed thru the first SSL handshake but did not seem
to present the client certificate during the second
handshake.

thanks,
JT

Here is my test client code:

import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.ssl.HttpSecureProtocol;
import org.apache.commons.ssl.TrustMaterial;
import org.apache.commons.ssl.KeyMaterial;

import org.apache.commons.httpclient.contrib.ssl.*;

public class SslClientExample {

  /* argument 0: URL to fetch (e.g. https://host:port/lockdownpath)
              1: port number */
  public static void main( String[] args )
                              throws Exception
  {
    // commons-ssl's build of EasySSLProtocolSocketFactory trusts
    // any server certificate; only the client side is configured here.
    HttpSecureProtocol f =
                   new EasySSLProtocolSocketFactory();

    //HttpSecureProtocol f = new HttpSecureProtocol();

    // here's where we start trusting server's CA:
    //f.addTrustMaterial(new TrustMaterial(
    //                     "my_cacerts.jks",
    //                     "changeit".toCharArray()));

    // client key + certificate to present in the handshake:
    f.setKeyMaterial (new KeyMaterial("mycert.p12",
                           "changeit".toCharArray()));
    Protocol trustHttps = new Protocol("https",
                           f,
                           Integer.parseInt(args[1]));
    Protocol.registerProtocol("https", trustHttps);

    HttpClient client = new HttpClient();
    GetMethod httpget = new GetMethod(args[0]);
    try {
      client.executeMethod(httpget);
      String s = httpget.getStatusLine().toString();
      System.out.println( "HTTPClient: " + s );
      System.out.println(
                httpget.getResponseBodyAsString());
    } finally {
      // always return the connection to the pool
      httpget.releaseConnection();
    }
  }
}


--- Julius Davies <ju...@cucbc.com> wrote:

> James,
> 
> Hope you don't mind me switching this conversation
> to "httpclient-user"
> instead of "httpclient-dev".
> 
> I think the results below show that commons-ssl is
> able to present the
> client certificate.  I should probably fix things up
> a little to make
> doubly sure of that (the commons-ssl "ping" utility
> is only showing the
> server certs in its output), but for now let's focus
> on your code
> instead.
> 
> #1.  Are you using EasySSLProtocolSocketFactory like
> this?  There is no
> documentation actually telling you to do this, so I
> don't blame you if
> you missed this:
> 
> EasySSLProtocolSocketFactory easy = new EasySSLProtocolSocketFactory();
> 
> // These next two lines are where commons-ssl fits in:
> KeyMaterial km = new KeyMaterial( "/path/to/cert.jks" );
> easy.setKeyMaterial( km );
> 
> // Back to usual "EasySSLProtocolSocketFactory" as detailed in
> // httpclient-contrib javadocs:
> Protocol easyhttps = new Protocol("https", easy, 443);
> Protocol.registerProtocol("https", easyhttps);
> HttpClient client = new HttpClient();
> GetMethod httpget = new GetMethod("https://localhost/");
> client.executeMethod(httpget);
> 
> 
> #2.  I would actually recommend against using
> EasySSLProtocolSocketFactory in production
> environments.  Instead I
> would use the Ping utility to download the server
> cert you want to trust
> (cut & paste the base64 PEM output into a separate
> file), and then use
> AuthSSLProtocolSocketFactory instead.
> 
> But if you do that, you will have to also deal with
> server cert expiry,
> which can be annoying.  Mind you, if you're using
> client certs, you
> already have to deal with client cert expiry!
> 
> 
> yours,
> 
> Julius
> 
> http://juliusdavies.ca/commons-ssl/
> 
> 
> 
> On Fri, 2006-06-10 at 03:56 -0700, James Vu wrote:
> > Julius:
> > 
> > thanks for your reply.  Here is what I got from
> > running java -jar commons-ssl.jar -t <host>:<port> -c
> > <cert.jks> -p <password>
> > 
> > 
> > java.lang.NoClassDefFoundError:
> > org/bouncy/castle/jce/provider/JDKX509CertificateFactory
> > Wrinting:
> > =======================================================
> > HEAD / HTTP/1.1
> > Host: ...
> > 
> > Reading:
> > =======================================================
> > HTTP/1.0 200 OK
> > Server: Netscape Certificate Server: https
> > Date: ....
> > 
> > Server Certificate Chain for: [<host>:<port>]
> > =======================================================
> > cert3
> > Valid: <effective date> - <ending date>
> > s: CN=cert3,OU=Servers,...
> > i: CN=DEV-TEST Authority, OU=Servers, ...
> > 
> > -----BEGIN CERTIFICATE-----
> > ..........
> > -----END CERTIFICATE-----
> > DEV-TEST Authority
> > Valid: <effective date> - <ending date>
> > s: CN=DEV-TEST Authority,OU=Servers,...
> > i: self-signed
> > 
> > -----BEGIN CERTIFICATE-----
> > ..........
> > -----END CERTIFICATE-----
> > 
> > 
> > 
> > What can you make of this?  
> > Thanks,
> > JT
> > 
> > PS:  I have been tracing this for a while, and I
> > notice that there are 2 handshakes (as you would
> > probably know this already).  The first handshake is
> > the establishment of the SSL session, in which the
> > client was able to trust the server's certificate or
> > chain (this worked).  The second handshake is actually
> > when we hit the required authenticated path
> > (GET /lockdownpath HTTP/1.1).  It is here that Java
> > either did not read the certificate request or was
> > not able to present the client certificate at all,
> > thus the server refused entry.  I looked at the
> > server logs and they state that the client did not
> > present any certificate.
> > --- Julius Davies <ju...@cucbc.com> wrote:
> > 
> > > Hi, JT,
> > > 
> > > #1.  Not possible.  The client cert will be
> > > presented for all paths.  This is because the socket
> > > is established before "GET /path" or "POST /path" is
> > > sent to the server.  But I'm just being pedantic
> > > here.
> > > 
> > > [I think #1 can "appear" possible when servers use
> > > "sslServer.setWantClientAuth( true )" instead of
> > > "sslServer.setNeedClientAuth( true )."  But the
> > > client cert will still be presented for the very
> > > first URL requested.]
> > > 
> > > #5.  Can you try the "ping" utility with
> > > commons-ssl?  After downloading "commons-ssl.jar",
> > > please type:
> > > 
> > > java -jar commons-ssl.jar
> > > 
> > > Hopefully the instructions that print out from that
> > > will be self-explanatory.  Don't forget to include
> > > the "-t" for "target".  I always forget!  And I
> > > wrote it!
> > > 
> > > If you get any bind exceptions, try specifying a
> > > local port (such as 54321).  There's one RHEL3
> > > machine at my office that always complains about
> > > that for some reason, not sure why.
> > > 
> > > Can you show us the output the "Ping" utility gets
> > > back from your server?  I'm especially interested in
> > > the HTTP headers you get back, or the SSL
> > > exceptions.
> > > 
> > > 
> > > yours,
> > > 
> > > Julius
> > > 
> > > http://juliusdavies.ca/commons-ssl/
> > > 
> > > ps.  please CC both httpclient-user and myself in
> > > any replies.  I don't seem to get httpclient emails
> > > any more at work.  I think we're having spam
> > > filtering issues...  probably going to start
> > > subscribing from my gmail account instead...  but
> > > I'm lazy...
> > > 
> > > ==================================================
> 
=== message truncated ===





Re: How come my http-client is not presenting the certificate?

Posted by Julius Davies <ju...@cucbc.com>.
James,

Hope you don't mind me switching this conversation to "httpclient-user"
instead of "httpclient-dev".

I think the results below show that commons-ssl is able to present the
client certificate.  I should probably fix things up a little to make
doubly sure of that (the commons-ssl "ping" utility is only showing the
server certs in its output), but for now let's focus on your code
instead.

#1.  Are you using EasySSLProtocolSocketFactory like this?  There is no
documentation actually telling you to do this, so I don't blame you if
you missed this:

EasySSLProtocolSocketFactory easy = new EasySSLProtocolSocketFactory();

// These next two lines are where commons-ssl fits in:
KeyMaterial km = new KeyMaterial( "/path/to/cert.jks" );
easy.setKeyMaterial( km );

// Back to usual "EasySSLProtocolSocketFactory" as detailed in
// httpclient-contrib javadocs:
Protocol easyhttps = new Protocol("https", easy, 443);
Protocol.registerProtocol("https", easyhttps);
HttpClient client = new HttpClient();
GetMethod httpget = new GetMethod("https://localhost/");
client.executeMethod(httpget);


#2.  I would actually recommend against using
EasySSLProtocolSocketFactory in production environments.  Instead I
would use the Ping utility to download the server cert you want to trust
(cut & paste the base64 PEM output into a separate file), and then use
AuthSSLProtocolSocketFactory instead.

But if you do that, you will have to also deal with server cert expiry,
which can be annoying.  Mind you, if you're using client certs, you
already have to deal with client cert expiry!


yours,

Julius

http://juliusdavies.ca/commons-ssl/



On Fri, 2006-06-10 at 03:56 -0700, James Vu wrote:
> Julius:
> 
> thanks for your reply.  Here is what I got from
> running java -jar commons-ssl.jar -t <host>:<port> -c
> <cert.jks> -p <password>
> 
> 
> java.lang.NoClassDefFoundError:
> org/bouncy/castle/jce/provider/JDKX509CertificateFactory
> Wrinting:
> =======================================================
> HEAD / HTTP/1.1
> Host: ...
> 
> Reading:
> =======================================================
> HTTP/1.0 200 OK
> Server: Netscape Certificate Server: https
> Date: ....
> 
> Server Certificate Chain for: [<host>:<port>]
> =======================================================
> cert3
> Valid: <effective date> - <ending date>
> s: CN=cert3,OU=Servers,...
> i: CN=DEV-TEST Authority, OU=Servers, ...
> 
> -----BEGIN CERTIFICATE-----
> ..........
> -----END CERTIFICATE-----
> DEV-TEST Authority
> Valid: <effective date> - <ending date>
> s: CN=DEV-TEST Authority,OU=Servers,...
> i: self-signed
> 
> -----BEGIN CERTIFICATE-----
> ..........
> -----END CERTIFICATE-----
> 
> 
> 
> What can you make of this?  
> Thanks,
> JT
> 
> PS:  I have been tracing this for a while, and I
> notice that there are 2 handshakes (as you would
> probably know this already).  The first handshake is
> the establishment of the SSL session, in which the
> client was able to trust the server's certificate or
> chain (this worked).  The second handshake is actually
> when we hit the required authenticated path
> (GET /lockdownpath HTTP/1.1).  It is here that Java
> either did not read the certificate request or was
> not able to present the client certificate at all,
> thus the server refused entry.  I looked at the
> server logs and they state that the client did not
> present any certificate.
> --- Julius Davies <ju...@cucbc.com> wrote:
> 
> > Hi, JT,
> > 
> > #1.  Not possible.  The client cert will be
> > presented for all paths.  This is because the socket
> > is established before "GET /path" or "POST /path" is
> > sent to the server.  But I'm just being pedantic
> > here.
> > 
> > [I think #1 can "appear" possible when servers use
> > "sslServer.setWantClientAuth( true )" instead of
> > "sslServer.setNeedClientAuth( true )."  But the
> > client cert will still be presented for the very
> > first URL requested.]
> > 
> > #5.  Can you try the "ping" utility with
> > commons-ssl?  After downloading "commons-ssl.jar",
> > please type:
> > 
> > java -jar commons-ssl.jar
> > 
> > Hopefully the instructions that print out from that
> > will be self-explanatory.  Don't forget to include
> > the "-t" for "target".  I always forget!  And I
> > wrote it!
> > 
> > If you get any bind exceptions, try specifying a
> > local port (such as 54321).  There's one RHEL3
> > machine at my office that always complains about
> > that for some reason, not sure why.
> > 
> > Can you show us the output the "Ping" utility gets
> > back from your server?  I'm especially interested in
> > the HTTP headers you get back, or the SSL
> > exceptions.
> > 
> > 
> > yours,
> > 
> > Julius
> > 
> > http://juliusdavies.ca/commons-ssl/
> > 
> > ps.  please CC both httpclient-user and myself in
> > any replies.  I don't seem to get httpclient emails
> > any more at work.  I think we're having spam
> > filtering issues...  probably going to start
> > subscribing from my gmail account instead...  but
> > I'm lazy...
> > 
> > ==================================================
> > All:
> > 
> > 1.  The server is authenticating only on a certain
> > path.
> > 2.  I am using commons-ssl with httpclient
> > 3.  I used the EasySSLProtocolSocketFactory
> > 4.  I have set my KeyMaterial
> > 5.  When I hit the required authenticated
> > path/location, it seems that the client is not
> > presenting the cert.
> > 6.  I tested out using openssl and it works.  I do
> > see
> > the client certificate request from the server and
> > the
> > client presents the correct cert.
> > 
> > I am confused.
> > 
> > Any help is much appreciated,
> > JT
> > 
> > 
> > 
> > 
> > 
> > 
> 
> 
-- 
Julius Davies
Senior Application Developer, Technology Services
Credit Union Central of British Columbia
http://www.cucbc.com/
Tel: 416-652-0183
Cel: 647-232-7571

1441 Creekside Drive
Vancouver, BC
Canada
V6J 4S7


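The pinned-trust setup that #2 above recommends, written out as an added example (this is not code from the thread or from the commons-ssl project). It assumes a file server.pem containing the PEM block(s) pasted from the Ping utility's "Server Certificate Chain" output, the mycert.p12 client keystore from the test client in this thread, and the hypothetical class name PinnedClientCertExample. The calls setTrustMaterial(), setCheckHostname() and setCheckExpiry() are commons-ssl's SSLClient API as I understand it; in particular, that setTrustMaterial() replaces the JRE's default cacerts rather than adding to them is an assumption worth confirming against the commons-ssl javadocs. The trust-all factory is kept alongside it purely for contrast.

```java
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.ssl.HttpSecureProtocol;
import org.apache.commons.ssl.KeyMaterial;
import org.apache.commons.ssl.TrustMaterial;

public class PinnedClientCertExample {

    /*
     * Hardened factory:
     *  - serverPem (assumed: server.pem) holds the PEM certificate(s) copied
     *    from the Ping utility's output, i.e. exactly the chain we saw;
     *  - clientP12 (assumed: mycert.p12) holds the client key + certificate.
     * Assumption: setTrustMaterial() REPLACES the JRE's default cacerts, so
     * any server presenting a different chain is rejected; addTrustMaterial()
     * would add the pinned chain to the default trust instead.
     */
    public static HttpSecureProtocol pinnedFactory(String serverPem,
                                                   String clientP12,
                                                   char[] clientPassword)
            throws Exception {
        HttpSecureProtocol f = new HttpSecureProtocol();
        f.setTrustMaterial(new TrustMaterial(serverPem));
        f.setKeyMaterial(new KeyMaterial(clientP12, clientPassword));
        f.setCheckHostname(true);   // pinned or not, the cert must match the URL's host
        f.setCheckExpiry(true);     // this is the "server cert expiry" cost mentioned above
        return f;
    }

    // The weak alternative, for comparison only: trusts ANY server
    // certificate, so whoever terminates TLS on the path sees the request.
    public static HttpSecureProtocol trustAllFactory(String clientP12,
                                                     char[] clientPassword)
            throws Exception {
        HttpSecureProtocol f =
            new org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory();
        f.setKeyMaterial(new KeyMaterial(clientP12, clientPassword));
        return f;
    }

    public static void main(String[] args) throws Exception {
        // usage: java PinnedClientCertExample https://host:port/lockdownpath \
        //            server.pem mycert.p12 changeit
        HttpSecureProtocol f = pinnedFactory(args[1], args[2], args[3].toCharArray());
        Protocol.registerProtocol("https", new Protocol("https", f, 443));

        HttpClient client = new HttpClient();
        GetMethod get = new GetMethod(args[0]);
        try {
            client.executeMethod(get);
            System.out.println("HTTPClient: " + get.getStatusLine());
            System.out.println(get.getResponseBodyAsString());
        } finally {
            get.releaseConnection();   // return the pooled connection
        }
    }
}
```

Pinning the leaf certificate alone means the file has to be replaced whenever the server's certificate is renewed; pinning the "DEV-TEST Authority" issuer instead survives renewals but trusts every certificate that CA issues, so pick according to who controls that CA.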


Re: How come my http-client is not presenting the certificate?

Posted by James Vu <jt...@yahoo.com>.
Julius:

thanks for your reply.  Here is what I got from
running java -jar commons-ssl.jar -t <host>:<port> -c
<cert.jks> -p <password>


java.lang.NoClassDefFoundError:
org/bouncy/castle/jce/provider/JDKX509CertificateFactory
Wrinting:
=======================================================
HEAD / HTTP/1.1
Host: ...

Reading:
=======================================================
HTTP/1.0 200 OK
Server: Netscape Certificate Server: https
Date: ....

Server Certificate Chain for: [<host>:<port>]
=======================================================
cert3
Valid: <effective date> - <ending date>
s: CN=cert3,OU=Servers,...
i: CN=DEV-TEST Authority, OU=Servers, ...

-----BEGIN CERTIFICATE-----
..........
-----END CERTIFICATE-----
DEV-TEST Authority
Valid: <effective date> - <ending date>
s: CN=DEV-TEST Authority,OU=Servers,...
i: self-signed

-----BEGIN CERTIFICATE-----
..........
-----END CERTIFICATE-----



What can you make of this?  
Thanks,
JT

PS:  I have been tracing this for a while, and I
notice that there are 2 handshakes (as you would
probably know this already).  The first handshake is
the establishment of the SSL session, in which the
client was able to trust the server's certificate or
chain (this worked).  The second handshake is actually
when we hit the required authenticated path
(GET /lockdownpath HTTP/1.1).  It is here that Java
either did not read the certificate request or was
not able to present the client certificate at all,
thus the server refused entry.  I looked at the
server logs and they state that the client did not
present any certificate.
--- Julius Davies <ju...@cucbc.com> wrote:

> Hi, JT,
> 
> #1.  Not possible.  The client cert will be
> presented for all paths.  This is because the socket
> is established before "GET /path" or "POST /path" is
> sent to the server.  But I'm just being pedantic
> here.
> 
> [I think #1 can "appear" possible when servers use
> "sslServer.setWantClientAuth( true )" instead of
> "sslServer.setNeedClientAuth( true )."  But the
> client cert will still be presented for the very
> first URL requested.]
> 
> #5.  Can you try the "ping" utility with
> commons-ssl?  After downloading "commons-ssl.jar",
> please type:
> 
> java -jar commons-ssl.jar
> 
> Hopefully the instructions that print out from that
> will be self-explanatory.  Don't forget to include
> the "-t" for "target".  I always forget!  And I
> wrote it!
> 
> If you get any bind exceptions, try specifying a
> local port (such as 54321).  There's one RHEL3
> machine at my office that always complains about
> that for some reason, not sure why.
> 
> Can you show us the output the "Ping" utility gets
> back from your server?  I'm especially interested in
> the HTTP headers you get back, or the SSL
> exceptions.
> 
> 
> yours,
> 
> Julius
> 
> http://juliusdavies.ca/commons-ssl/
> 
> ps.  please CC both httpclient-user and myself in
> any replies.  I don't seem to get httpclient emails
> any more at work.  I think we're having spam
> filtering issues...  probably going to start
> subscribing from my gmail account instead...  but
> I'm lazy...
> 
> ==================================================
> All:
> 
> 1.  The server is authenticating only on a certain
> path.
> 2.  I am using commons-ssl with httpclient
> 3.  I used the EasySSLProtocolSocketFactory
> 4.  I have set my KeyMaterial
> 5.  When I hit the required authenticated
> path/location, it seems that the client is not
> presenting the cert.
> 6.  I tested out using openssl and it works.  I do
> see
> the client certificate request from the server and
> the
> client presents the correct cert.
> 
> I am confused.
> 
> Any help is much appreciated,
> JT
> 
> 
> 
> 
> 
> 



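The PS above describes exactly the symptom worth instrumenting: a second handshake on the protected path, after which the server logs "no client certificate". JSSE decides what to send in reply to the server's CertificateRequest inside X509KeyManager.chooseClientAlias(); if that returns null (no key whose issuer matches the DNs the server lists, or no key of the requested type) the client sends an empty Certificate message, which is precisely what such a server log records. The following is an added diagnostic, not code from the thread or from commons-ssl: it wraps the JDK's key manager to print what the server asked for and what was chosen, and uses a HandshakeCompletedListener to report whether this side actually sent a certificate. It uses plain JSSE rather than commons-ssl, takes host, port, keystore path and password as arguments (the keystore and password are assumptions), requests /lockdownpath from the message above, and trusts the JRE's default cacerts on the server side purely to keep the demo short.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.*;

/** Hypothetical diagnostic wrapper around the JDK's X509KeyManager. */
public final class LoggingKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;

    public LoggingKeyManager(X509KeyManager delegate) { this.delegate = delegate; }

    // Called once per CertificateRequest, i.e. once per handshake that asks for
    // a client cert; a renegotiation on the protected path shows up as a second call.
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        System.err.println("CertificateRequest: keyTypes=" + Arrays.toString(keyTypes));
        if (issuers == null || issuers.length == 0) {
            System.err.println("  server sent no issuer list (any CA acceptable)");
        } else {
            for (Principal p : issuers) System.err.println("  acceptable issuer: " + p.getName());
        }
        String alias = delegate.chooseClientAlias(keyTypes, issuers, socket);
        if (alias == null) {
            System.err.println("  -> no matching client key; an EMPTY Certificate message will be sent");
        } else {
            X509Certificate leaf = delegate.getCertificateChain(alias)[0];
            System.err.println("  -> alias '" + alias + "' chosen: subject "
                + leaf.getSubjectX500Principal() + ", issuer " + leaf.getIssuerX500Principal());
        }
        return alias;
    }

    // Everything else passes straight through to the JDK implementation.
    public String chooseServerAlias(String k, Principal[] i, Socket s) { return delegate.chooseServerAlias(k, i, s); }
    public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    public String[] getClientAliases(String k, Principal[] i) { return delegate.getClientAliases(k, i); }
    public String[] getServerAliases(String k, Principal[] i) { return delegate.getServerAliases(k, i); }
    public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }

    /** SSLContext whose key managers are wrapped; trust is the JRE default (demo assumption). */
    public static SSLContext build(String keystorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(keystorePath.endsWith(".p12") ? "PKCS12" : "JKS");
        FileInputStream in = new FileInputStream(keystorePath);
        try { ks.load(in, password); } finally { in.close(); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509KeyManager) kms[i] = new LoggingKeyManager((X509KeyManager) kms[i]);
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // usage: java LoggingKeyManager <host> <port> mycert.p12 changeit
        final String host = args[0];
        SSLContext ctx = build(args[2], args[3].toCharArray());
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, Integer.parseInt(args[1]));
        s.addHandshakeCompletedListener(new HandshakeCompletedListener() {
            public void handshakeCompleted(HandshakeCompletedEvent e) {
                // getLocalCertificates() is null when this side sent no certificate.
                // The listener fires once per completed handshake, so a renegotiation
                // triggered by the protected path prints a second line.
                Certificate[] local = e.getLocalCertificates();
                System.err.println("handshake done: " + e.getCipherSuite()
                    + ", client cert sent=" + (local != null && local.length > 0));
            }
        });
        s.startHandshake();
        s.getOutputStream().write(("GET /lockdownpath HTTP/1.1\r\nHost: " + host
            + "\r\nConnection: close\r\n\r\n").getBytes("US-ASCII"));
        byte[] buf = new byte[4096];
        int n;
        while ((n = s.getInputStream().read(buf)) > 0) System.out.write(buf, 0, n);
        System.out.flush();
        s.close();
    }
}
```

Two things to read off the output: whether the "acceptable issuer" list contains the issuer of the key in mycert.p12 (if it does not, the JDK's key manager returns null and the empty Certificate is by design, not a bug), and whether the second "handshake done" line reports client cert sent=true. Running with -Djavax.net.debug=ssl,handshake shows the same CertificateRequest and renegotiation at the record level. Note that the renegotiation James describes only exists in TLS 1.2 and earlier; a JRE that negotiates TLS 1.3 will not produce that second handshake in the same form.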