Posted to httpclient-users@hc.apache.org by Simon Wong <si...@gmail.com> on 2017/09/27 06:32:46 UTC
How to set multiple SSLContext for Httpclient
If I choose the TrustSelfSignedStrategy.INSTANCE as the TrustStrategy, the
constructed HttpClient could be used for both self-signed and valid
certificates. But it could not be used to trust an expired certificate (throws
a java.security.cert.CertificateExpiredException exception).

I guess if the HttpClientBuilder allowed me to construct multiple SSLContexts,
the problem would be solved. But I don't know how to set multiple
SSLContexts.

The current workaround is to implement the TrustStrategy and always return "true"
in the isTrusted() method.

import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.EntityUtils;

HttpClientBuilder clientBuilder = HttpClients.custom();

SSLContext sslContext = SSLContexts.custom()
        .loadTrustMaterial((KeyStore) null, TrustSelfSignedStrategy.INSTANCE)
        .build();

try (CloseableHttpClient httpclient = clientBuilder
        .setSSLContext(sslContext)
        .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
        .build()) {

    // working (valid cert)
    try (CloseableHttpResponse response = httpclient.execute(
            new HttpGet("https://sha256.badssl.com/"))) {
        String bodyAsString = EntityUtils.toString(response.getEntity());
        System.out.println("response 1: " + bodyAsString);
    }

    // working (trusted self-signed cert)
    try (CloseableHttpResponse response = httpclient.execute(
            new HttpGet("https://self-signed.badssl.com/"))) {
        String bodyAsString = EntityUtils.toString(response.getEntity());
        System.out.println("response 2: " + bodyAsString);
    }

    // throws java.security.cert.CertificateExpiredException here
    try (CloseableHttpResponse response = httpclient.execute(
            new HttpGet("https://expired.badssl.com/"))) {
        String bodyAsString = EntityUtils.toString(response.getEntity());
        System.out.println("response 3: " + bodyAsString);
    }
}

Re: How to set multiple SSLContext for Httpclient
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Wed, 2017-09-27 at 14:32 +0800, Simon Wong wrote:
> If I choose the TrustSelfSignedStrategy.INSTANCE as the TrustStrategy, the
> constructed HttpClient could be used for both self-signed and valid
> certificates. But it could not be used to trust an expired certificate
> (throws a java.security.cert.CertificateExpiredException exception).
>
> I guess if the HttpClientBuilder allowed me to construct multiple
> SSLContexts, the problem would be solved. But I don't know how to set
> multiple SSLContexts.
>
No, one cannot have multiple SSLContexts configured for the same
connection. One however could have a custom
LayeredConnectionSocketFactory that makes use of different SSLContext
instances depending on hostname or Socket properties.
Oleg
> The current workaround is to implement the TrustStrategy and always return
> "true" in the isTrusted() method.
>
> HttpClientBuilder clientBuilder = HttpClients.custom();
>
> SSLContext sslContext = SSLContexts.custom()
>         .loadTrustMaterial((KeyStore) null, TrustSelfSignedStrategy.INSTANCE)
>         .build();
>
> try (CloseableHttpClient httpclient = clientBuilder
>         .setSSLContext(sslContext)
>         .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
>         .build()) {
>
>     // working (valid cert)
>     try (CloseableHttpResponse response = httpclient.execute(
>             new HttpGet("https://sha256.badssl.com/"))) {
>         String bodyAsString = EntityUtils.toString(response.getEntity());
>         System.out.println("response 1: " + bodyAsString);
>     }
>
>     // working (trusted self-signed cert)
>     try (CloseableHttpResponse response = httpclient.execute(
>             new HttpGet("https://self-signed.badssl.com/"))) {
>         String bodyAsString = EntityUtils.toString(response.getEntity());
>         System.out.println("response 2: " + bodyAsString);
>     }
>
>     // throws java.security.cert.CertificateExpiredException here
>     try (CloseableHttpResponse response = httpclient.execute(
>             new HttpGet("https://expired.badssl.com/"))) {
>         String bodyAsString = EntityUtils.toString(response.getEntity());
>         System.out.println("response 3: " + bodyAsString);
>     }
> }
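
A sketch of the custom LayeredConnectionSocketFactory suggested in the reply above, added here as an example and not code from the thread or from the HttpClient project. It assumes HttpClient 4.5.x; the class name PerHostSslSocketFactory and the helper pinned() are hypothetical, and instead of trusting every certificate it goes one step further and pins a single known certificate for the exception host, with the digest supplied by the caller.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.util.Locale;
import java.util.Map;
import javax.net.ssl.SSLContext;
import org.apache.http.HttpHost;
import org.apache.http.conn.socket.LayeredConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.protocol.HttpContext;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.ssl.TrustStrategy;

// Added example; PerHostSslSocketFactory and pinned() are hypothetical names.
public class PerHostSslSocketFactory implements LayeredConnectionSocketFactory {
    // Hosts not listed in byHost keep the JVM default trust store and hostname checks.
    private final SSLConnectionSocketFactory fallback =
            new SSLConnectionSocketFactory(SSLContexts.createDefault());
    private final Map<String, SSLConnectionSocketFactory> byHost; // keys: lower-case hostnames

    public PerHostSslSocketFactory(Map<String, SSLConnectionSocketFactory> byHost) { this.byHost = byHost; }

    // Context that accepts one known leaf certificate (SHA-256 of its DER encoding).
    public static SSLContext pinned(byte[] sha256OfLeaf) throws GeneralSecurityException {
        TrustStrategy pin = (chain, authType) -> {
            try {
                byte[] seen = MessageDigest.getInstance("SHA-256").digest(chain[0].getEncoded());
                return MessageDigest.isEqual(seen, sha256OfLeaf); // false: normal validation runs
            } catch (GeneralSecurityException e) { throw new CertificateException(e); }
        };
        return SSLContexts.custom().loadTrustMaterial((KeyStore) null, pin).build();
    }
    private SSLConnectionSocketFactory pick(String host) {
        return byHost.getOrDefault(host.toLowerCase(Locale.ROOT), fallback);
    }
    @Override public Socket createSocket(HttpContext ctx) throws IOException {
        return fallback.createSocket(ctx); // plain socket; TLS is layered on in connectSocket
    }
    @Override public Socket connectSocket(int timeout, Socket sock, HttpHost host,
            InetSocketAddress remote, InetSocketAddress local, HttpContext ctx) throws IOException {
        return pick(host.getHostName()).connectSocket(timeout, sock, host, remote, local, ctx);
    }
    @Override public Socket createLayeredSocket(Socket sock, String target, int port,
            HttpContext ctx) throws IOException {
        return pick(target).createLayeredSocket(sock, target, port, ctx);
    }
}
```

Register it with HttpClients.custom().setSSLSocketFactory(...), mapping the exception host to new SSLConnectionSocketFactory(pinned(digest)). Only that host gets the relaxed trust decision, and hostname verification stays enabled for every host.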