Posted to httpclient-users@hc.apache.org by Milan Tomic <mi...@setcce.org> on 2005/04/20 16:49:44 UTC

SSL

Hi,

        I've lost a day trying to make SSL connection using HTTP client
2.0.2. I have found this example and it works fine:

HttpClient httpclient = new HttpClient();
GetMethod httpget = new GetMethod("https://www.verisign.com/");
httpclient.executeMethod(httpget);

        But this code doesn't work:

HttpClient httpclient = new HttpClient();
GetMethod httpget = new GetMethod("https://www.verisign.com/");

{
      KeyStore ksTrustStore = KeyStore.getInstance("JKS");
      FileInputStream fis = new FileInputStream("C:/jdk1.5.0_01/jre/lib/security/cacerts.jks");
      ksTrustStore.load(fis, "changeit".toCharArray());
      fis.close();

      Protocol myhttps = new Protocol("https",
                           new ManualSSLProtocolSocketFactory(ksTrustStore, null, ""),
                           443);
      httpclient.getHostConfiguration().setHost("https://www.verisign.com/", 443, myhttps);
}

httpclient.executeMethod(httpget);

        Am I doing something wrong? The error message is:
 
java.lang.RuntimeException: Unexpected error:
java.security.InvalidAlgorithmParameterException: the trustAnchors
parameter must be non-empty


Thank you,
Milan 

Re: SSL

Posted by Oleg Kalnichevski <ol...@apache.org>.
How about this?

HttpClient httpclient = new HttpClient();

KeyStore ksTrustStore = KeyStore.getInstance("JKS");
FileInputStream fis = new FileInputStream("C:/jdk1.5.0_01/jre/lib/security/cacerts.jks");
ksTrustStore.load(fis, "changeit".toCharArray());
fis.close();

Protocol myhttps = new Protocol("https",
  new ManualSSLProtocolSocketFactory(ksTrustStore, null, ""),
  443);
      
HostConfiguration verisign = new HostConfiguration();
verisign.setHost("www.verisign.com", 443, myhttps);

// NOTE: Must be a relative URI
GetMethod httpget = new GetMethod("/");  
httpclient.executeMethod(verisign, httpget);
      
Oleg



On Tue, Apr 26, 2005 at 02:04:54PM +0200, Milan Tomic wrote:
> 
> I have again experienced problems with SSL. :(
> 
> I've been using this code:
> 
> HttpClient httpclient = new HttpClient();
> GetMethod httpget = new GetMethod("https://www.verisign.com/");
> 
> {
>   KeyStore ksTrustStore = KeyStore.getInstance("JKS");
>   FileInputStream fis = new FileInputStream("C:/jdk1.5.0_01/jre/lib/security/cacerts.jks");
>   ksTrustStore.load(fis, "changeit".toCharArray());
>   fis.close();
> 
>   Protocol myhttps = new Protocol("https",
>                                   new ManualSSLProtocolSocketFactory(ksTrustStore, null, ""),
>                                   443);
>   Protocol.registerProtocol("https", myhttps);
> 
>   //httpclient.getHostConfiguration().setHost("https://www.verisign.com/", 443, myhttps);
> }
> 
> httpclient.executeMethod(httpget);
> 
> To avoid using this code (which also worked fine):
> 
> System.setProperty("javax.net.ssl.keyStorePassword", "p");
> System.setProperty("javax.net.ssl.keyStore", "keyStore.jks");
> System.setProperty("javax.net.ssl.trustStorePassword", "p");
> System.setProperty("javax.net.ssl.trustStore", "cacerts.jks");
> 
> The problem is that I can't use either piece of code, because they are
> not thread safe in my case. In my case, I have several cacerts.jks and
> each thread uses a different key/trust store pair. If I use
> System.setProperty() or (static method) Protocol.registerProtocol(),
> then each thread will use the same key/trust store. :(
> 
> Is there a hope?
> 
> Thank you very very much.
> 
> 
> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
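
The per-thread setup discussed in this thread, as an added example that is not part of the original messages or of the HttpClient project's code: each worker builds its own HostConfiguration around its own trust store and requests a relative URI, so nothing is registered globally. It assumes HttpClient 3.x with the contrib AuthSSLProtocolSocketFactory referenced in this thread on the classpath; the class name, store file names and passwords are placeholders.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.util.Enumeration;
import org.apache.commons.httpclient.HostConfiguration;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.contrib.ssl.AuthSSLProtocolSocketFactory;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;

public class PerThreadTrustStores {

    // Fail fast on a store with no trusted certificate entries, the condition
    // that raises "the trustAnchors parameter must be non-empty" in JSSE.
    static void requireTrustAnchors(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password.toCharArray());
        } finally {
            in.close();
        }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (ks.isCertificateEntry(e.nextElement())) {
                return;
            }
        }
        throw new IllegalStateException(path + " has no trusted certificate entries");
    }

    // One worker = one trust store = one HostConfiguration; no static registration.
    static Runnable worker(final String host, final String trustStorePath, final String password) {
        return new Runnable() {
            public void run() {
                try {
                    requireTrustAnchors(trustStorePath, password);
                    URL trustStoreUrl = new File(trustStorePath).toURI().toURL();
                    // null key store URL/password: server authentication only
                    ProtocolSocketFactory factory = new AuthSSLProtocolSocketFactory(
                            null, null, trustStoreUrl, password);
                    Protocol https = new Protocol("https", factory, 443);
                    HostConfiguration hostConfig = new HostConfiguration();
                    hostConfig.setHost(host, 443, https);

                    // Relative URI: an absolute one would select the default https factory.
                    GetMethod get = new GetMethod("/");
                    try {
                        int status = new HttpClient().executeMethod(hostConfig, get);
                        System.out.println(host + " via " + trustStorePath + ": " + status);
                    } finally {
                        get.releaseConnection();
                    }
                } catch (Exception ex) {
                    System.err.println(host + " via " + trustStorePath + ": " + ex);
                }
            }
        };
    }

    public static void main(String[] args) {
        // Placeholder store names; each thread validates against its own CA set.
        new Thread(worker("www.verisign.com", "cacerts-a.jks", "changeit")).start();
        new Thread(worker("www.verisign.com", "cacerts-b.jks", "changeit")).start();
    }
}
```

The socket factory validates the server's chain against the supplied trust store; matching the certificate name against the requested host is a separate check that depends on the factory and library version in use.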


RE: SSL

Posted by Milan Tomic <mi...@setcce.org>.
I have again experienced problems with SSL. :(

I've been using this code:

HttpClient httpclient = new HttpClient();
GetMethod httpget = new GetMethod("https://www.verisign.com/");

{
  KeyStore ksTrustStore = KeyStore.getInstance("JKS");
  FileInputStream fis = new FileInputStream("C:/jdk1.5.0_01/jre/lib/security/cacerts.jks");
  ksTrustStore.load(fis, "changeit".toCharArray());
  fis.close();

  Protocol myhttps = new Protocol("https",
                                  new ManualSSLProtocolSocketFactory(ksTrustStore, null, ""),
                                  443);
  Protocol.registerProtocol("https", myhttps);

  //httpclient.getHostConfiguration().setHost("https://www.verisign.com/", 443, myhttps);
}

httpclient.executeMethod(httpget);

To avoid using this code (which also worked fine):

System.setProperty("javax.net.ssl.keyStorePassword", "p");
System.setProperty("javax.net.ssl.keyStore", "keyStore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "p");
System.setProperty("javax.net.ssl.trustStore", "cacerts.jks");

The problem is that I can't use either piece of code, because they are
not thread safe in my case. In my case, I have several cacerts.jks and
each thread uses a different key/trust store pair. If I use
System.setProperty() or (static method) Protocol.registerProtocol(),
then each thread will use the same key/trust store. :(

Is there a hope?

Thank you very very much.





Re: SSL

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Tue, Apr 26, 2005 at 10:09:37AM +0200, Milan Tomic wrote:
> 
> Yes, I've missed this line:
> 
> Protocol.registerProtocol("https", myhttps);
> 
> which is mandatory for Java 1.5 and optional for earlier versions.
> 

This is something really new to me. I see no reason why this should be
required for Java 1.5. One can always override the default protocol
socket factory by explicitly passing a custom host configuration as a 
parameter to the HttpClient#executeMethod. What is important to be 
aware of is that in this case the target URI *must* be a relative one. 
If an absolute URI is given HttpClient will target the host given in the
URI and as a result will pick up the default protocol socket factory

Hope this clarifies things a little

Oleg



> Thank you.
> 
> 
> > -----Original Message-----
> > From: Oleg Kalnichevski [mailto:olegk@apache.org] 
> > Sent: Monday, April 25, 2005 3:49 PM
> > To: 'HttpClient User Discussion'
> > Subject: Re: SSL
> > 
> > 
> > Milan
> > 
> > There's a catch to be aware of. You haven't registered your 
> > custom protocol socket factory with the Protocol class, have 
> > you? For details please take a look at the javadocs of this 
> > sample socket factory
> > 
> http://svn.apache.org/repos/asf/jakarta/commons/proper/httpclient/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/AuthSSLProtocolSocketFactory.java
> 
> Hope this helps
> 
> Oleg
> 
> 
> On Mon, Apr 25, 2005 at 02:34:49PM +0200, Milan Tomic wrote:
> > 
> > I have noticed that no matter which interface my class implements 
> > (ProtocolSocketFactory or deprecated SecureProtocolSocketFactory)
> > createSocket() is never called. I'll try to download HttpClient 
> > sources and debug.
> > 
> > Best regards,
> > Milan
> > 
> > 
> > 


RE: SSL

Posted by Milan Tomic <mi...@setcce.org>.
Yes, I've missed this line:

Protocol.registerProtocol("https", myhttps);

which is mandatory for Java 1.5 and optional for earlier versions.

Thank you.


> -----Original Message-----
> From: Oleg Kalnichevski [mailto:olegk@apache.org] 
> Sent: Monday, April 25, 2005 3:49 PM
> To: 'HttpClient User Discussion'
> Subject: Re: SSL
> 
> 
> Milan
> 
> There's a catch to be aware of. You haven't registered your 
> custom protocol socket factory with the Protocol class, have 
> you? For details please take a look at the javadocs of this 
> sample socket factory
> 
http://svn.apache.org/repos/asf/jakarta/commons/proper/httpclient/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/AuthSSLProtocolSocketFactory.java

Hope this helps

Oleg


On Mon, Apr 25, 2005 at 02:34:49PM +0200, Milan Tomic wrote:
> 
> I have noticed that no matter which interface my class implements 
> (ProtocolSocketFactory or deprecated SecureProtocolSocketFactory)
> createSocket() is never called. I'll try to download HttpClient 
> sources and debug.
> 
> Best regards,
> Milan
> 
> 
> 


Re: SSL

Posted by Oleg Kalnichevski <ol...@apache.org>.
Milan

There's a catch to be aware of. You haven't registered your custom
protocol socket factory with the Protocol class, have you? For details
please take a look at the javadocs of this sample socket factory

http://svn.apache.org/repos/asf/jakarta/commons/proper/httpclient/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/AuthSSLProtocolSocketFactory.java

Hope this helps

Oleg


On Mon, Apr 25, 2005 at 02:34:49PM +0200, Milan Tomic wrote:
> 
> I have noticed that no matter which interface my class implements
> (ProtocolSocketFactory or deprecated SecureProtocolSocketFactory)
> createSocket() is never called. I'll try to download HttpClient sources
> and debug.
> 
> Best regards,
> Milan
> 
> 
> 


RE: SSL

Posted by Milan Tomic <mi...@setcce.org>.
I have noticed that no matter which interface my class implements
(ProtocolSocketFactory or deprecated SecureProtocolSocketFactory)
createSocket() is never called. I'll try to download HttpClient sources
and debug.

Best regards,
Milan





Re: SSL

Posted by Oleg Kalnichevski <ol...@apache.org>.
Jakarta HttpClient leverages SSL through the standard JSSE interface. We
do not directly support ANY specific SSL implementations. There are some
samples in the contrib package, but we do encourage users to apply
necessary application specific customisations, which, of course, we will
not be supporting. At the end of the day, SSL/TLS protocols have nothing
to do with the HTTP protocol

Oleg


On Thu, Apr 21, 2005 at 11:36:46AM +0200, Milan Tomic wrote:
> 
> Does Apache HttpClient team plan to add support for Java 1.5 and in
> which version (3.0?)? What should I do? I think I'll wait for updates.
> 
> Thank you,
> Milan
> 
> 
> 


RE: SSL

Posted by Milan Tomic <mi...@setcce.org>.
Does Apache HttpClient team plan to add support for Java 1.5 and in
which version (3.0?)? What should I do? I think I'll wait for updates.

Thank you,
Milan





Re: SSL

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Thu, Apr 21, 2005 at 11:15:01AM +0200, Milan Tomic wrote:
> Hi,
> 
> I've just tried 3.0 version (before 2.0.2) and it doesn't work also.
> 
> > _may_ 
> > be caused by the fact that the SSL context needs to be 
> > initialized slightly differently when running in JRE 1.5 
> > compared to JRE 1.4.2
> 
> What do you mean by this?
> 

It appears Sun had to drastically revamp SSL code (if not completely
rewrite it) in Java 1.5 in order to NIO-enable it. I _suspect_ the SSL
engine in Java 1.4.2 is not entirely backward compatible with that in
Java 1.5. Basically the same sequence of initialisation commands _may_
produce slightly different results in Java 1.4.2 and Java 1.5. Hope this
makes it a little clearer

Oleg

> Thank you very much,
> Milan
> 
> 
> 


RE: SSL

Posted by Milan Tomic <mi...@setcce.org>.
Hi,

I've just tried 3.0 version (before 2.0.2) and it doesn't work also.

> _may_ 
> be caused by the fact that the SSL context needs to be 
> initialized slightly differently when running in JRE 1.5 
> compared to JRE 1.4.2

What do you mean by this?

Thank you very much,
Milan





Re: SSL

Posted by Oleg Kalnichevski <ol...@apache.org>.
Milan

I _personally_ think the SSL support in Java 1.5 is still a little
unstable. This said, the problem you are having _may_ be caused by
the fact that the SSL context needs to be initialized slightly
differently when running in JRE 1.5 compared to JRE 1.4.2

Oleg

On Thu, Apr 21, 2005 at 09:37:05AM +0200, Milan Tomic wrote:
> 
> It works fine under Java 1.4.2, even if I
> use cacerts from Java 1.5.
> 
> Does anyone else have troubles with Java 1.5?
> 
> Best regards,
> Milan
> 
> 
> > -----Original Message-----
> > From: Oleg Kalnichevski [mailto:olegk@apache.org] 
> > Sent: Wednesday, April 20, 2005 10:44 PM
> > To: HttpClient User Discussion
> > Subject: Re: SSL
> > 
> > 
> > Milan,
> > 
> > It is difficult to say for sure without seeing the source 
> > code of the ManualSSLProtocolSocketFactory class but the 
> > exception appears to be Java 1.5 specific. Have you tried 
> > running the same code with Java 1.4.2 (using CA certs shipped 
> > with Java 1.4.2, of course)?
> > 
> > Oleg
> > 
> > On Wed, 2005-04-20 at 16:49 +0200, Milan Tomic wrote:
> > > Hi,
> > > 
> > >         I've lost a day trying to make SSL connection using HTTP 
> > > client 2.0.2. I have found this example and it works fine:
> > > 
> > > HttpClient httpclient = new HttpClient();
> > > GetMethod httpget = new GetMethod("https://www.verisign.com/");
> > > httpclient.executeMethod(httpget);
> > > 
> > >         But this code doesn't work:
> > > 
> > > HttpClient httpclient = new HttpClient();
> > > GetMethod httpget = new GetMethod("https://www.verisign.com/");
> > > 
> > > {
> > >       KeyStore ksTrustStore = KeyStore.getInstance("JKS");
> > >       FileInputStream fis = new FileInputStream("C:/jdk1.5.0_01/jre/lib/security/cacerts.jks");
> > >       ksTrustStore.load(fis, "changeit".toCharArray());
> > >       fis.close();
> > > 
> > >       Protocol myhttps = new Protocol("https",
> > >                            new ManualSSLProtocolSocketFactory(ksTrustStore, null, ""),
> > >                            443);
> > >       httpclient.getHostConfiguration().setHost("https://www.verisign.com/", 443, myhttps);
> > > }
> > > 
> > > httpclient.executeMethod(httpget);
> > > 
> > >         Am I doing something wrong? The error message is:
> > >  
> > > java.lang.RuntimeException: Unexpected error:
> > > java.security.InvalidAlgorithmParameterException: the trustAnchors 
> > > parameter must be non-empty
> > > 
> > > 
> > > Thank you,
> > > Milan
> > 
> > 


RE: SSL

Posted by Milan Tomic <mi...@setcce.org>.
It works fine under Java 1.4.2, even if I
use cacerts from Java 1.5.

Does anyone else have troubles with Java 1.5?

Best regards,
Milan


> -----Original Message-----
> From: Oleg Kalnichevski [mailto:olegk@apache.org] 
> Sent: Wednesday, April 20, 2005 10:44 PM
> To: HttpClient User Discussion
> Subject: Re: SSL
> 
> 
> Milan,
> 
> It is difficult to say for sure without seeing the source 
> code of the ManualSSLProtocolSocketFactory class but the 
> exception appears to be Java 1.5 specific. Have you tried 
> running the same code with Java 1.4.2 (using CA certs shipped 
> with Java 1.4.2, of course)?
> 
> Oleg
> 
> On Wed, 2005-04-20 at 16:49 +0200, Milan Tomic wrote:
> > Hi,
> > 
> >         I've lost a day trying to make SSL connection using HTTP 
> > client 2.0.2. I have found this example and it works fine:
> > 
> > HttpClient httpclient = new HttpClient();
> > GetMethod httpget = new GetMethod("https://www.verisign.com/");
> > httpclient.executeMethod(httpget);
> > 
> >         But this code doesn't work:
> > 
> > HttpClient httpclient = new HttpClient();
> > GetMethod httpget = new GetMethod("https://www.verisign.com/");
> > 
> > {
> >       KeyStore ksTrustStore = KeyStore.getInstance("JKS");
> >       FileInputStream fis = new FileInputStream("C:/jdk1.5.0_01/jre/lib/security/cacerts.jks");
> >       ksTrustStore.load(fis, "changeit".toCharArray());
> >       fis.close();
> > 
> >       Protocol myhttps = new Protocol("https",
> >                            new ManualSSLProtocolSocketFactory(ksTrustStore, null, ""),
> >                            443);
> >       httpclient.getHostConfiguration().setHost("https://www.verisign.com/", 443, myhttps);
> > }
> > 
> > httpclient.executeMethod(httpget);
> > 
> >         Am I doing something wrong? The error message is:
> >  
> > java.lang.RuntimeException: Unexpected error:
> > java.security.InvalidAlgorithmParameterException: the trustAnchors 
> > parameter must be non-empty
> > 
> > 
> > Thank you,
> > Milan
> 
> 


Re: SSL

Posted by Oleg Kalnichevski <ol...@apache.org>.
Milan,

It is difficult to say for sure without seeing the source code of the
ManualSSLProtocolSocketFactory class but the exception appears to be
Java 1.5 specific. Have you tried running the same code with Java 1.4.2
(using CA certs shipped with Java 1.4.2, of course)?

Oleg

On Wed, 2005-04-20 at 16:49 +0200, Milan Tomic wrote:
> Hi,
> 
>         I've lost a day trying to make SSL connection using HTTP client
> 2.0.2. I have found this example and it works fine:
> 
> HttpClient httpclient = new HttpClient();
> GetMethod httpget = new GetMethod("https://www.verisign.com/");
> httpclient.executeMethod(httpget);
> 
>         But this code doesn't work:
> 
> HttpClient httpclient = new HttpClient();
> GetMethod httpget = new GetMethod("https://www.verisign.com/");
> 
> {
>       KeyStore ksTrustStore = KeyStore.getInstance("JKS");
>       FileInputStream fis = new FileInputStream("C:/jdk1.5.0_01/jre/lib/security/cacerts.jks");
>       ksTrustStore.load(fis, "changeit".toCharArray());
>       fis.close();
> 
>       Protocol myhttps = new Protocol("https",
>                            new ManualSSLProtocolSocketFactory(ksTrustStore, null, ""),
>                            443);
>       httpclient.getHostConfiguration().setHost("https://www.verisign.com/", 443, myhttps);
> }
> 
> httpclient.executeMethod(httpget);
> 
>         Am I doing something wrong? The error message is:
>  
> java.lang.RuntimeException: Unexpected error:
> java.security.InvalidAlgorithmParameterException: the trustAnchors
> parameter must be non-empty
> 
> 
> Thank you,
> Milan 

