Posted to dev@hc.apache.org by Patrick Lightbody <pa...@lightbody.net> on 2011/08/22 23:24:22 UTC

SSL Problems

I have the code below, which results in this exception:

Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
	at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:339)
	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:123)
	at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:147)
	at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:101)
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:381)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)

What's weird is that this code works for almost all URLs (try https://fidelity.com, for example) but a few do not work. We've narrowed it down to this simple change in Apache:

# Works
SSLProtocol -ALL +SSLv3 +TLSv1

# Doesn't work
SSLProtocol -ALL +SSLv3

Any idea how I could support these kinds of SSL setups while still supporting all other major sites (fidelity.com, twitter.com, etc.)? My goal is pretty much just to accept all SSL certs, and my TrustingSSLSocketFactory gets me 99% there, but I'd like to be 100% there. Any tips?

Patrick

====================

import java.security.KeyStore;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.scheme.PlainSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.SingleClientConnManager;
import org.apache.http.params.BasicHttpParams;
import org.apache.http.params.HttpParams;

public class SslTest {
    public static void main(String[] args) throws Exception {
        String url = "https://www.razoo.com/login";
        HttpParams params = new BasicHttpParams();

        // https goes through the trust-all factory; the empty trust store below is never used
        SchemeRegistry schemeRegistry = new SchemeRegistry();
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        SSLSocketFactory sslSocketFactory = new TrustingSSLSocketFactory();
        sslSocketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
        schemeRegistry.register(new Scheme("https", sslSocketFactory, 443));
        schemeRegistry.register(new Scheme("http", new PlainSocketFactory(), 80));

        DefaultHttpClient client = new DefaultHttpClient(new SingleClientConnManager(params, schemeRegistry), params);
        HttpGet get = new HttpGet(url);
        HttpResponse resp = client.execute(get);

        System.out.println(resp.getStatusLine().getStatusCode());
    }
}

====================

import java.io.IOException;
import java.net.Socket;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.http.conn.ssl.SSLSocketFactory;

// Socket factory whose trust manager accepts every certificate chain (trust-all, by design)
public class TrustingSSLSocketFactory extends SSLSocketFactory {
    private static SSLContext sslContext;

    public TrustingSSLSocketFactory() {
        super(sslContext);
    }

    // The static initialiser runs on first use of the class, so sslContext is set before any constructor call
    static {
        try {
            sslContext = SSLContext.getInstance("SSLv3");
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("Algorithm not found! Critical SSL error!", e);
        }

        // Trust manager that never throws, so no chain is ever rejected
        TrustManager easyTrustManager = new X509TrustManager() {
            @Override
            public void checkClientTrusted(
                    X509Certificate[] chain,
                    String authType) throws CertificateException {
                // Oh, I am easy!
            }

            @Override
            public void checkServerTrusted(
                    X509Certificate[] chain,
                    String authType) throws CertificateException {
                // Oh, I am easy!
            }

            @Override
            public X509Certificate[] getAcceptedIssuers() {
                // The X509TrustManager contract is a (possibly empty) array, never null
                return new X509Certificate[0];
            }

        };
        try {
            // No key managers (no client certificate), only the trust-all manager
            sslContext.init(null, new TrustManager[]{easyTrustManager}, null);
        } catch (KeyManagementException e) {
            throw new RuntimeException("Unexpected key management error", e);
        }
    }

    @Override
    public Socket createSocket() throws IOException {
        SSLSocket socket = (SSLSocket) super.createSocket();
        // Offer both protocols so that SSLv3-only and TLSv1 servers can be reached
        socket.setEnabledProtocols(new String[] {"SSLv3", "TLSv1"});

        return socket;
    }
}

====================




---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org


Re: SSL Problems

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Mon, 2011-08-22 at 14:24 -0700, Patrick Lightbody wrote:
> I have the code below, which results in this exception:
> 
> Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
> 	at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
> 	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
> 	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:339)
> 	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:123)
> 	at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:147)
> 	at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:101)
> 	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:381)
> 	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
> 	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
> 	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)
> 
> What's weird is that this code works for almost all URLs (try https://fidelity.com, for example) but a few do not work. We've narrowed it down to this simple change in Apache:
> 
> # Works
> SSLProtocol -ALL +SSLv3 +TLSv1
> 
> # Doesn't work
> SSLProtocol -ALL +SSLv3
> 
> Any idea how I could support these kinds of SSL setups while still supporting all other major sites (fidelity.com, twitter.com, etc). My goal is pretty much just to accept all SSL certs and my TrustingSSLSocketFactory gets me 99% there, but I'd like to be 100% there. Any tips?
> 
> Patrick
> 

Hi Patrick

Run your application with the SSL debug mode on and see if there is
anything in the log that may indicate an issue leading Oracle's
implementation of JSSE to consider the peer untrusted.

http://download.oracle.com/javase/1.5.0/docs/guide/security/jsse/ReadDebug.html

Oleg


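The following is an added example, not code from either poster and not part of HttpClient itself. It addresses both points in the thread: Patrick's need to reach servers configured with "SSLProtocol -ALL +SSLv3" while still talking to ordinary TLSv1 sites, and Oleg's suggestion to look at the JSSE debug output. It keeps the shape of the posted TrustingSSLSocketFactory (a subclass of org.apache.http.conn.ssl.SSLSocketFactory that widens the enabled protocol list in createSocket) but initialises the SSLContext with null trust managers, so JSSE falls back to its default X509TrustManager backed by the JVM trust store, and keeps the strict hostname verifier. The class name ValidatingSSLSocketFactory, the newClient helper and the example.test host are my own; the HttpClient 4.0/4.1 API used is the same one the posted code uses.

```java
import java.io.IOException;
import java.net.Socket;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.scheme.PlainSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.SingleClientConnManager;
import org.apache.http.params.BasicHttpParams;
import org.apache.http.params.HttpParams;

/**
 * Added example (not the thread's code): same structure as TrustingSSLSocketFactory, but
 * the SSLContext keeps the JVM's default trust managers, so chain validation stays on, and
 * the hostname verifier stays strict. Only the enabled protocol list is widened, which is
 * the one thing needed for servers that are limited to SSLv3.
 */
public class ValidatingSSLSocketFactory extends SSLSocketFactory {

    // Protocols offered to the server. SSLv3 is listed only for servers that refuse TLSv1;
    // drop it where no such server has to be reached.
    private static final String[] ENABLED_PROTOCOLS = {"SSLv3", "TLSv1"};

    private static final SSLContext CONTEXT = createDefaultTrustContext();

    private static SSLContext createDefaultTrustContext() {
        try {
            SSLContext ctx = SSLContext.getInstance("TLS");
            // null KeyManagers: no client certificate. null TrustManagers: JSSE installs its
            // default X509TrustManager over the JVM trust store (cacerts or javax.net.ssl.trustStore).
            ctx.init(null, null, null);
            return ctx;
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("JSSE provider has no TLS context", e);
        } catch (KeyManagementException e) {
            throw new IllegalStateException("SSLContext initialisation failed", e);
        }
    }

    public ValidatingSSLSocketFactory() {
        super(CONTEXT);
        // Reject certificates whose CN/SAN does not match the requested host.
        setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
    }

    @Override
    public Socket createSocket() throws IOException {
        SSLSocket socket = (SSLSocket) super.createSocket();
        socket.setEnabledProtocols(ENABLED_PROTOCOLS);
        return socket;
    }

    /** Builds a client whose https scheme validates both the chain and the hostname. */
    public static DefaultHttpClient newClient() {
        HttpParams params = new BasicHttpParams();
        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("https", new ValidatingSSLSocketFactory(), 443));
        registry.register(new Scheme("http", new PlainSocketFactory(), 80));
        return new DefaultHttpClient(new SingleClientConnManager(params, registry), params);
    }

    // Run with:  java -Djavax.net.debug=ssl,handshake ValidatingSSLSocketFactory https://example.test/
    // The property has to be on the command line: JSSE reads it when its classes load, which
    // here happens in the static initialiser, i.e. before main runs.
    public static void main(String[] args) throws IOException {
        String url = args.length > 0 ? args[0] : "https://www.razoo.com/login";
        HttpResponse resp = newClient().execute(new HttpGet(url));
        System.out.println(resp.getStatusLine().getStatusCode());
    }
}
```

With javax.net.debug=ssl,handshake the log shows the ClientHello the factory sends (including the protocol versions it offers), the version and cipher suite the server picks, and whether a Certificate message arrived. That is the detail worth reading in Patrick's case: the stack trace shows the failure inside AbstractVerifier.verify when it asks the session for its peer certificates, and the posted trust manager accepts any chain, so the exception means the session ended up with no peer identity at all (a handshake that did not complete, or a suite with no server certificate), not a chain that was rejected. The handshake trace makes that distinction visible directly.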