Posted to dev@commons.apache.org by Mike Bowler <mb...@GargoyleSoftware.com> on 2002/08/01 17:41:47 UTC

[HttpClient] Dependency on JSSE

At one point HttpClient had a "soft" dependency on JSSE - it would use
JSSE if it was there but would continue working if it wasn't.

The latest builds now have a hard dependency on JSSE - the code doesn't
run if you don't have JSSE in your classpath.

I don't recall seeing this one being discussed here so I'm not sure if
this was intentional or not.  

Running HttpClient on a machine without JSSE will yield this:

java.lang.NoClassDefFoundError: javax/net/SocketFactory
    at org.apache.commons.httpclient.HttpClient.startSession(HttpClient.java:190)
    at org.apache.commons.httpclient.HttpClient.startSession(HttpClient.java:250)


-- 
Mike Bowler
Principal, Gargoyle Software Inc.
Voice: (416) 822-0973 | Email  : mbowler@GargoyleSoftware.com
Fax  : (416) 822-0975 | Website: http://www.GargoyleSoftware.com


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: [HttpClient] Dependency on JSSE

Posted by Mike Bowler <mb...@GargoyleSoftware.com>.
On Thu, 1 Aug 2002, Jeff Dever wrote:

> I guess the question is: how important is it for httpclient to run in an
> environment without ssl available?  (I'm a Canadian which has quite a bit of
> freedom with encryption and am not aware of what the export issues may be with
> ssl).

My understanding of the US export laws is that although JSSE can be
exported to most countries now, there are still some restrictions.

For myself it doesn't really matter (I'm also Canadian ;-) but I'm not
sure how my users will be affected.  I'm the maintainer of HtmlUnit, a
unit testing framework that uses HttpClient internally.

I think it would be preferable to not have any runtime dependencies on
JSSE.  


--
Mike Bowler
Principal, Gargoyle Software Inc.
Voice: (416) 822-0973 | Email  : mbowler@GargoyleSoftware.com
Fax  : (416) 822-0975 | Website: http://www.GargoyleSoftware.com




Re: [HttpClient] Dependency on JSSE

Posted by Jeff Dever <js...@sympatico.ca>.
Patch applied.

Ortwin Glück wrote:

> Attached is a patch that isolates HttpClient from
> javax.net.SocketFactory. It looks a little weird but I can't think of a
> better way. Maybe some of you see a nicer alternative.
>
> Odi
>
> P.S. I am on vacation for the next two weeks. So I unsubscribed from the
> mailing lists for that time. Don't expect me to read any follow-ups to
> this posting. However you can contact me directly during the next hour
> (until 12.30 GMDST+1). Bye now.
>
> Jeff Dever wrote:
> > I'll have to agree that the ssl runtime dependency should be eliminated for the
> > reasons outlined by others on this thread.
> >
> > It looks like the dependency was caused by a commit at:
> > Tue Jul 23 14:38:31 2002 UTC (9 days, 2 hours ago)
> > In a patch contributed by Ortwin and committed by dIon.
> >
> > Both HttpClient 1.52 has a new SSLSocketFactory private datamember plus some
> > changes in HttpConnection and HttpMultiClient.
> >
> > dIon,
> > I know that you are working on the HttpClient/HttpMultiClient merger.  See any
> > way to keep ssl objects out of the new top level class?  Perhaps pushed down so
> > that only HttpConnection is ssl aware and can more easily be protected from
> > runtime dependencies?
> >
> > Ortwin,
> > this is your patch.  Nobody wants to back it out as it represents excellent
> > functionality.  Can you see how to isolate the runtime dependency so that ssl is
> > only required at compiletime?
>
> --
> _________________________________________________________________
>   NOSE applied intelligence ag      [perspectix-nose digital b.i]
>                                     [www]      http://www.nose.ch
>   ortwin glück                      [email] ortwin.glueck@nose.ch
>   hardturmstrasse 171               [office]      +41-1-277 57 35
>   8005 zurich                       [fax]         +41-1-277 57 12
>   switzerland
>
>   ------------------------------------------------------------------------
>                 Name: jsse.diff
>    jsse.diff    Type: Plain Text (text/plain)
>             Encoding: 7bit
>
>    Part 1.3Type: Plain Text (text/plain)




Re: [HttpClient] Dependency on JSSE

Posted by Ortwin Glück <or...@nose.ch>.
Attached is a patch that isolates HttpClient from 
javax.net.SocketFactory. It looks a little weird but I can't think of a 
better way. Maybe some of you see a nicer alternative.

Odi

P.S. I am on vacation for the next two weeks. So I unsubscribed from the 
mailing lists for that time. Don't expect me to read any follow-ups to 
this posting. However you can contact me directly during the next hour 
(until 12.30 GMDST+1). Bye now.

Jeff Dever wrote:
> I'll have to agree that the ssl runtime dependency should be eliminated for the
> reasons outlined by others on this thread.
> 
> It looks like the dependency was caused by a commit at:
> Tue Jul 23 14:38:31 2002 UTC (9 days, 2 hours ago)
> In a patch contributed by Ortwin and committed by dIon.
> 
> Both HttpClient 1.52 has a new SSLSocketFactory private datamember plus some
> changes in HttpConnection and HttpMultiClient.
> 
> dIon,
> I know that you are working on the HttpClient/HttpMultiClient merger.  See any
> way to keep ssl objects out of the new top level class?  Perhaps pushed down so
> that only HttpConnection is ssl aware and can more easily be protected from
> runtime dependencies?
> 
> Ortwin,
> this is your patch.  Nobody wants to back it out as it represents excellent
> functionality.  Can you see how to isolate the runtime dependency so that ssl is
> only required at compiletime?

-- 
_________________________________________________________________
  NOSE applied intelligence ag      [perspectix-nose digital b.i]
                                    [www]      http://www.nose.ch
  ortwin glück                      [email] ortwin.glueck@nose.ch
  hardturmstrasse 171               [office]      +41-1-277 57 35
  8005 zurich                       [fax]         +41-1-277 57 12
  switzerland
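
One way to keep JSSE a soft dependency, as an added example: this is not the jsse.diff patch attached to the message above, and the class OptionalTls, its methods and the absent-provider class name are hypothetical. JSSE is reached only through reflection, and an https request is refused rather than downgraded to a plain socket when no SSL provider is installed.

```java
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.Socket;

// Hypothetical helper (not HttpClient code). JSSE is named only in strings, so
// loading this class cannot raise NoClassDefFoundError on a JVM without JSSE.
public final class OptionalTls {
    private final Object factory;      // an SSLSocketFactory instance, or null
    private final Method createSocket; // createSocket(String, int), or null

    public OptionalTls(String factoryClassName) {
        Object f = null;
        Method m = null;
        try {
            Class<?> c = Class.forName(factoryClassName);
            f = c.getMethod("getDefault").invoke(null);
            m = c.getMethod("createSocket", String.class, int.class);
        } catch (ClassNotFoundException | NoClassDefFoundError e) {
            // No SSL provider installed: plain HTTP must keep working.
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("SSL provider present but unusable", e);
        }
        factory = f;
        createSocket = m;
    }

    public boolean tlsAvailable() { return factory != null; }

    public Socket open(String scheme, String host, int port) throws IOException {
        if ("http".equalsIgnoreCase(scheme)) return new Socket(host, port);
        if (!"https".equalsIgnoreCase(scheme)) throw new IOException("unsupported scheme: " + scheme);
        // Fail closed: https never falls back to a plaintext socket.
        if (factory == null) throw new IOException("https requested but no SSL provider found");
        try {
            return (Socket) createSocket.invoke(factory, host, port);
        } catch (InvocationTargetException e) {
            if (e.getCause() instanceof IOException) throw (IOException) e.getCause();
            throw new IOException(e.getCause());
        } catch (IllegalAccessException e) {
            throw new IOException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed class name that does not exist, simulating a JVM without JSSE.
        OptionalTls tls = new OptionalTls("example.absent.SSLSocketFactory");
        System.out.println("TLS available: " + tls.tlsAvailable());
        try { tls.open("https", "localhost", 443); }
        catch (IOException e) { System.out.println("refused: " + e.getMessage()); }
    }
}
```

Constructing it with "javax.net.ssl.SSLSocketFactory" instead picks up the platform's default factory where JSSE is installed.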


Re: [HttpClient] Dependency on JSSE

Posted by Jeff Dever <js...@sympatico.ca>.
I'll have to agree that the ssl runtime dependency should be eliminated for the
reasons outlined by others on this thread.

It looks like the dependency was caused by a commit at:
Tue Jul 23 14:38:31 2002 UTC (9 days, 2 hours ago)
In a patch contributed by Ortwin and committed by dIon.

Both HttpClient 1.52 has a new SSLSocketFactory private datamember plus some
changes in HttpConnection and HttpMultiClient.

dIon,
I know that you are working on the HttpClient/HttpMultiClient merger.  See any
way to keep ssl objects out of the new top level class?  Perhaps pushed down so
that only HttpConnection is ssl aware and can more easily be protected from
runtime dependencies?

Ortwin,
this is your patch.  Nobody wants to back it out as it represents excellent
functionality.  Can you see how to isolate the runtime dependency so that ssl is
only required at compiletime?



>
> >
> > I did not realize that this was a side effect of some recent
> > secure proxy authentication patches.  It used to be that ssl
> > was required to compile but could run without it.  A lot of
> > us have been using jdk1.4 for our private builds lately,
> > (which has ssl built in) so it was easy not to notice.
>
>
> Having added the JSSE Certificate support to JMeter, I have
> dealt with all of those issues and compounded the problem by
> testing with more than just JSSE (IAIK has a JSSE compliant
> SSL library).
>
> Trust me, what you get for free in JDK 1.4+ costs an arm and
> a leg in JDKs prior to that.
>




RE: [HttpClient] Dependency on JSSE

Posted by Berin Loritsch <bl...@apache.org>.
> From: jsdever@www1.kc.aoindustries.com 
> [mailto:jsdever@www1.kc.aoindustries.com] On Behalf Of Jeff Dever
> 
> Mike,
> 
> I did not realize that this was a side effect of some recent 
> secure proxy authentication patches.  It used to be that ssl 
> was required to compile but could run without it.  A lot of 
> us have been using jdk1.4 for our private builds lately, 
> (which has ssl built in) so it was easy not to notice.
> 
> I guess the question is: how important is it for httpclient 
> to run in an environment without ssl available?  (I'm a 
> Canadian which has quite a bit of freedom with encryption and 
> am not aware of what the export issues may be with ssl).

Some countries (usually those with history for harboring or
hiding terrorists) are not allowed to have really strong
encryption exported to them.  Nor are they allowed to have
really powerful computers exported to them.  (less of a
chance of them to be able to brute force break a session).

At least that is the reasoning behind it.  Whether it is
rational or not is beside the point--it is a U.S. export
law that we have to abide by (because our servers are
located in the U.S.).


If you are not using JDK 1.4+ then you cannot assume the
existence of JSSE or any compatible library.  There are more
issues than just export regulations.  Keep in mind that JSSE
and friends are a real PITA to install.  There are properties
you have to set in your JDK install, you have to put it in
${JAVA_HOME}/jre/lib/ext/, and if you need to support CA certs
from non standard or proprietary sources, it's a real PITA
to manage.

Having added the JSSE Certificate support to JMeter, I have
dealt with all of those issues and compounded the problem by
testing with more than just JSSE (IAIK has a JSSE compliant
SSL library).

Trust me, what you get for free in JDK 1.4+ costs an arm and
a leg in JDKs prior to that.




Re: [HttpClient] Dependency on JSSE

Posted by co...@covalent.net.
On Thu, 1 Aug 2002, Jeff Dever wrote:

> Mike,
> 
> I did not realize that this was a side effect of some recent secure proxy
> authentication patches.  It used to be that ssl was required to compile but
> could run without it.  A lot of us have been using jdk1.4 for our private builds
> lately, (which has ssl built in) so it was easy not to notice.
> 
> I guess the question is: how important is it for httpclient to run in an
> environment without ssl available?  (I'm a Canadian which has quite a bit of
> freedom with encryption and am not aware of what the export issues may be with
> ssl).

I think it is quite important to keep the SSL code separated.

Some people use PureTLS, some use openSSL via JNI ( both faster and more 
flexible - especially with the certificates ) - and some don't use SSL at 
all.

Costin


> 
> 
> Mike Bowler wrote:
> 
> > At one point HttpClient had a "soft" dependency on JSSE - it would use
> > JSSE if it was there but would continue working if it wasn't.
> >
> > The latest builds now have a hard dependency on JSSE - the code doesn't
> > run if you don't have JSSE in your classpath.
> >
> > I don't recall seeing this one being discussed here so I'm not sure if
> > this was intentional or not.
> >
> > Running HttpClient on a machine without JSSE will yield this:
> >
> > java.lang.NoClassDefFoundError: javax/net/SocketFactory
> >     at org.apache.commons.httpclient.HttpClient.startSession(HttpClient.java:190)
> >     at org.apache.commons.httpclient.HttpClient.startSession(HttpClient.java:250)
> >
> > --
> > Mike Bowler
> > Principal, Gargoyle Software Inc.
> > Voice: (416) 822-0973 | Email  : mbowler@GargoyleSoftware.com
> > Fax  : (416) 822-0975 | Website: http://www.GargoyleSoftware.com
> >




Re: [HttpClient] Dependency on JSSE

Posted by Jeff Dever <js...@sympatico.ca>.
Mike,

I did not realize that this was a side effect of some recent secure proxy
authentication patches.  It used to be that ssl was required to compile but
could run without it.  A lot of us have been using jdk1.4 for our private builds
lately, (which has ssl built in) so it was easy not to notice.

I guess the question is: how important is it for httpclient to run in an
environment without ssl available?  (I'm a Canadian which has quite a bit of
freedom with encryption and am not aware of what the export issues may be with
ssl).


Mike Bowler wrote:

> At one point HttpClient had a "soft" dependency on JSSE - it would use
> JSSE if it was there but would continue working if it wasn't.
>
> The latest builds now have a hard dependency on JSSE - the code doesn't
> run if you don't have JSSE in your classpath.
>
> I don't recall seeing this one being discussed here so I'm not sure if
> this was intentional or not.
>
> Running HttpClient on a machine without JSSE will yield this:
>
> java.lang.NoClassDefFoundError: javax/net/SocketFactory
>     at org.apache.commons.httpclient.HttpClient.startSession(HttpClient.java:190)
>     at org.apache.commons.httpclient.HttpClient.startSession(HttpClient.java:250)
>
> --
> Mike Bowler
> Principal, Gargoyle Software Inc.
> Voice: (416) 822-0973 | Email  : mbowler@GargoyleSoftware.com
> Fax  : (416) 822-0975 | Website: http://www.GargoyleSoftware.com

