You are viewing a plain text version of this content. The canonical link for it is here.
Posted to httpclient-users@hc.apache.org by Jose Escobar <eb...@gmail.com> on 2012/05/29 16:17:25 UTC
Use a unique instance of httpclient with some differents sets of
trust certificates
Hi there,
First of all let me say English is not my native language; please
excuse typing errors.
I'm using Httpclient 4.2 on a Spring project to send Http Post
requests. It's working correctly with a singleton DefaultHttpClient
bean managed by a PoolingClientConnectionManager. This
PoolingClientConnectionManager has two schemas, http default port 80
and https default port 443 with default jsse trust certificates and a
key to authenticate the client to remote servers. As I say it works
great but now I have to validate some remote servers with given
certificates and they are not signed by default jsse trust
certificates. I don't want to simply add this new certificates to the
trusted certificates keystore because I only want to use them against
specific Urls for security reasons (I don't know how are they managing
their private keys).
Is it possible to add these certificates to a singleton httpclient and
remove them after execute a HttpPost without affect others parallel
working threads that are using the same httpClient or may I should
create a new HttpClient instance with the apropiate trust
certificates?
I can send some code if you needed. Sorry for my english again...
Thanks in advance.
Jose E.
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: Use a unique instance of httpclient with some differents sets of
trust certificates
Posted by Jose Escobar <eb...@gmail.com>.
Thank you very much for your answers! You have help me a lot.
2012/6/1 Oleg Kalnichevski <ol...@apache.org>:
> On Thu, 2012-05-31 at 11:28 +0200, Jose Escobar wrote:
>> I have investigated the custom socket factory but I don't find the way
>> to use it with a dynamically expandable list of certificates (I can
>> get new certificates for specific Urls at runtime). Nearest
>> aproximation I found was Embby's answer at
>> http://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https
>> but doesn't fit to my requirements at all.
>>
>> My solution, change the context for each request if needed, fits my
>> requirements and apparently worked until you say it could fail. I'm
>> going to investigate more in a custom socket factory solution, however
>> could you suggest me what should I override on a custom socket factory
>> that let me read the url of a socket request and change trust
>> certificates (getting from a database for example) based on the
>> hostname of the target server.
>>
>>
>> Thank you very much!
>>
>> Jose E.
>>
>
> Jose
>
> You solution is perfectly valid for your particular application context.
> What i was trying to say was that this approach might not be applicable
> to all cases and should not be used per default.
>
> Hope this makes my position somewhat clearer.
>
> Oleg
>
>> 2012/5/30 Oleg Kalnichevski <ol...@apache.org>:
>> > On Wed, 2012-05-30 at 14:02 +0200, Jose Escobar wrote:
>> >> Hi,
>> >>
>> >> Finally I found a solution.
>> >> I create a new SchemeRegistry on each request thread that need
>> >> specific trust and key material and I add it as a SCHEME_REGISTRY
>> >> attribute to a Context variable(each thread maintains its own
>> >> dedicated instance of HttpContext). Then I use the singleton
>> >> httpClient and that new context to execute the request. Using this I
>> >> can use a custom SchemeRegistry for each request with a singleton
>> >> httpclient bean.
>> >>
>> >> BUT I found that SCHEME_REGISTRY context attribute is not working
>> >> properly in httpclient execute method (httpClient.execute(httpPost,
>> >> context);) I dig into httpclient code to discover that this attribute
>> >> is not readed. I isolate the problem to a single class,
>> >> org.apache.http.impl.conn.DefaultClientConnectionOperator. The method
>> >> openConnection gets default schemeRegistry instead of look first at
>> >> context, so I write some code to fix this and it works great now.
>> >>
>> >> BEFORE:
>> >>
>> >> public void openConnection(
>> >> final OperatedClientConnection conn,
>> >> final HttpHost target,
>> >> final InetAddress local,
>> >> final HttpContext context,
>> >> final HttpParams params) throws IOException {
>> >> if (conn == null) {
>> >> throw new IllegalArgumentException("Connection may not be null");
>> >> }
>> >> if (target == null) {
>> >> throw new IllegalArgumentException("Target host may not be null");
>> >> }
>> >> if (params == null) {
>> >> throw new IllegalArgumentException("Parameters may not be null");
>> >> }
>> >> if (conn.isOpen()) {
>> >> throw new IllegalStateException("Connection must not be open");
>> >> }
>> >>
>> >> Scheme schm = schemeRegistry.getScheme(target.getSchemeName());
>> >> SchemeSocketFactory sf = schm.getSchemeSocketFactory();
>> >> .
>> >> .
>> >> .
>> >>
>> >> AFTER:
>> >>
>> >> public void openConnection(
>> >> final OperatedClientConnection conn,
>> >> final HttpHost target,
>> >> final InetAddress local,
>> >> final HttpContext context,
>> >> final HttpParams params) throws IOException {
>> >> if (conn == null) {
>> >> throw new IllegalArgumentException("Connection may not be null");
>> >> }
>> >> if (target == null) {
>> >> throw new IllegalArgumentException("Target host may not be null");
>> >> }
>> >> if (params == null) {
>> >> throw new IllegalArgumentException("Parameters may not be null");
>> >> }
>> >> if (conn.isOpen()) {
>> >> throw new IllegalStateException("Connection must not be open");
>> >> }
>> >> //Changes here!
>> >> Scheme schm;
>> >> if ((context != null) &&
>> >> (context.getAttribute(ClientContext.SCHEME_REGISTRY) != null)) {
>> >> schm = ((SchemeRegistry)context.getAttribute(ClientContext.SCHEME_REGISTRY)).getScheme(target.getSchemeName());
>> >> }
>> >> else {
>> >> schm = schemeRegistry.getScheme(target.getSchemeName());
>> >> }
>> >>
>> >> SchemeSocketFactory sf = schm.getSchemeSocketFactory();
>> >> .
>> >> .
>> >> .
>> >>
>> >>
>> >> I can send a patch if you find it correct, for me it works.
>> >>
>> >
>> > You see, the problem is that if sockets can be created by arbitrary
>> > socket factories HTTP connections bound to those sockets can have
>> > context specific state the connection manager is not aware of. So, the
>> > connection manager can end up leasing those connections to another
>> > execution thread with a completely different security / user context.
>> >
>> > Why did you choose to not create a custom socket factory?
>> >
>> > Oleg
>> >
>> >
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
>> > For additional commands, e-mail: httpclient-users-help@hc.apache.org
>> >
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
>> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: Use a unique instance of httpclient with some differents sets
of trust certificates
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Thu, 2012-05-31 at 11:28 +0200, Jose Escobar wrote:
> I have investigated the custom socket factory but I don't find the way
> to use it with a dynamically expandable list of certificates (I can
> get new certificates for specific Urls at runtime). Nearest
> aproximation I found was Embby's answer at
> http://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https
> but doesn't fit to my requirements at all.
>
> My solution, change the context for each request if needed, fits my
> requirements and apparently worked until you say it could fail. I'm
> going to investigate more in a custom socket factory solution, however
> could you suggest me what should I override on a custom socket factory
> that let me read the url of a socket request and change trust
> certificates (getting from a database for example) based on the
> hostname of the target server.
>
>
> Thank you very much!
>
> Jose E.
>
Jose
You solution is perfectly valid for your particular application context.
What i was trying to say was that this approach might not be applicable
to all cases and should not be used per default.
Hope this makes my position somewhat clearer.
Oleg
> 2012/5/30 Oleg Kalnichevski <ol...@apache.org>:
> > On Wed, 2012-05-30 at 14:02 +0200, Jose Escobar wrote:
> >> Hi,
> >>
> >> Finally I found a solution.
> >> I create a new SchemeRegistry on each request thread that need
> >> specific trust and key material and I add it as a SCHEME_REGISTRY
> >> attribute to a Context variable(each thread maintains its own
> >> dedicated instance of HttpContext). Then I use the singleton
> >> httpClient and that new context to execute the request. Using this I
> >> can use a custom SchemeRegistry for each request with a singleton
> >> httpclient bean.
> >>
> >> BUT I found that SCHEME_REGISTRY context attribute is not working
> >> properly in httpclient execute method (httpClient.execute(httpPost,
> >> context);) I dig into httpclient code to discover that this attribute
> >> is not readed. I isolate the problem to a single class,
> >> org.apache.http.impl.conn.DefaultClientConnectionOperator. The method
> >> openConnection gets default schemeRegistry instead of look first at
> >> context, so I write some code to fix this and it works great now.
> >>
> >> BEFORE:
> >>
> >> public void openConnection(
> >> final OperatedClientConnection conn,
> >> final HttpHost target,
> >> final InetAddress local,
> >> final HttpContext context,
> >> final HttpParams params) throws IOException {
> >> if (conn == null) {
> >> throw new IllegalArgumentException("Connection may not be null");
> >> }
> >> if (target == null) {
> >> throw new IllegalArgumentException("Target host may not be null");
> >> }
> >> if (params == null) {
> >> throw new IllegalArgumentException("Parameters may not be null");
> >> }
> >> if (conn.isOpen()) {
> >> throw new IllegalStateException("Connection must not be open");
> >> }
> >>
> >> Scheme schm = schemeRegistry.getScheme(target.getSchemeName());
> >> SchemeSocketFactory sf = schm.getSchemeSocketFactory();
> >> .
> >> .
> >> .
> >>
> >> AFTER:
> >>
> >> public void openConnection(
> >> final OperatedClientConnection conn,
> >> final HttpHost target,
> >> final InetAddress local,
> >> final HttpContext context,
> >> final HttpParams params) throws IOException {
> >> if (conn == null) {
> >> throw new IllegalArgumentException("Connection may not be null");
> >> }
> >> if (target == null) {
> >> throw new IllegalArgumentException("Target host may not be null");
> >> }
> >> if (params == null) {
> >> throw new IllegalArgumentException("Parameters may not be null");
> >> }
> >> if (conn.isOpen()) {
> >> throw new IllegalStateException("Connection must not be open");
> >> }
> >> //Changes here!
> >> Scheme schm;
> >> if ((context != null) &&
> >> (context.getAttribute(ClientContext.SCHEME_REGISTRY) != null)) {
> >> schm = ((SchemeRegistry)context.getAttribute(ClientContext.SCHEME_REGISTRY)).getScheme(target.getSchemeName());
> >> }
> >> else {
> >> schm = schemeRegistry.getScheme(target.getSchemeName());
> >> }
> >>
> >> SchemeSocketFactory sf = schm.getSchemeSocketFactory();
> >> .
> >> .
> >> .
> >>
> >>
> >> I can send a patch if you find it correct, for me it works.
> >>
> >
> > You see, the problem is that if sockets can be created by arbitrary
> > socket factories HTTP connections bound to those sockets can have
> > context specific state the connection manager is not aware of. So, the
> > connection manager can end up leasing those connections to another
> > execution thread with a completely different security / user context.
> >
> > Why did you choose to not create a custom socket factory?
> >
> > Oleg
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: Use a unique instance of httpclient with some differents sets of
trust certificates
Posted by Jose Escobar <eb...@gmail.com>.
I have investigated the custom socket factory but I don't find the way
to use it with a dynamically expandable list of certificates (I can
get new certificates for specific Urls at runtime). Nearest
aproximation I found was Embby's answer at
http://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https
but doesn't fit to my requirements at all.
My solution, change the context for each request if needed, fits my
requirements and apparently worked until you say it could fail. I'm
going to investigate more in a custom socket factory solution, however
could you suggest me what should I override on a custom socket factory
that let me read the url of a socket request and change trust
certificates (getting from a database for example) based on the
hostname of the target server.
Thank you very much!
Jose E.
2012/5/30 Oleg Kalnichevski <ol...@apache.org>:
> On Wed, 2012-05-30 at 14:02 +0200, Jose Escobar wrote:
>> Hi,
>>
>> Finally I found a solution.
>> I create a new SchemeRegistry on each request thread that need
>> specific trust and key material and I add it as a SCHEME_REGISTRY
>> attribute to a Context variable(each thread maintains its own
>> dedicated instance of HttpContext). Then I use the singleton
>> httpClient and that new context to execute the request. Using this I
>> can use a custom SchemeRegistry for each request with a singleton
>> httpclient bean.
>>
>> BUT I found that SCHEME_REGISTRY context attribute is not working
>> properly in httpclient execute method (httpClient.execute(httpPost,
>> context);) I dig into httpclient code to discover that this attribute
>> is not readed. I isolate the problem to a single class,
>> org.apache.http.impl.conn.DefaultClientConnectionOperator. The method
>> openConnection gets default schemeRegistry instead of look first at
>> context, so I write some code to fix this and it works great now.
>>
>> BEFORE:
>>
>> public void openConnection(
>> final OperatedClientConnection conn,
>> final HttpHost target,
>> final InetAddress local,
>> final HttpContext context,
>> final HttpParams params) throws IOException {
>> if (conn == null) {
>> throw new IllegalArgumentException("Connection may not be null");
>> }
>> if (target == null) {
>> throw new IllegalArgumentException("Target host may not be null");
>> }
>> if (params == null) {
>> throw new IllegalArgumentException("Parameters may not be null");
>> }
>> if (conn.isOpen()) {
>> throw new IllegalStateException("Connection must not be open");
>> }
>>
>> Scheme schm = schemeRegistry.getScheme(target.getSchemeName());
>> SchemeSocketFactory sf = schm.getSchemeSocketFactory();
>> .
>> .
>> .
>>
>> AFTER:
>>
>> public void openConnection(
>> final OperatedClientConnection conn,
>> final HttpHost target,
>> final InetAddress local,
>> final HttpContext context,
>> final HttpParams params) throws IOException {
>> if (conn == null) {
>> throw new IllegalArgumentException("Connection may not be null");
>> }
>> if (target == null) {
>> throw new IllegalArgumentException("Target host may not be null");
>> }
>> if (params == null) {
>> throw new IllegalArgumentException("Parameters may not be null");
>> }
>> if (conn.isOpen()) {
>> throw new IllegalStateException("Connection must not be open");
>> }
>> //Changes here!
>> Scheme schm;
>> if ((context != null) &&
>> (context.getAttribute(ClientContext.SCHEME_REGISTRY) != null)) {
>> schm = ((SchemeRegistry)context.getAttribute(ClientContext.SCHEME_REGISTRY)).getScheme(target.getSchemeName());
>> }
>> else {
>> schm = schemeRegistry.getScheme(target.getSchemeName());
>> }
>>
>> SchemeSocketFactory sf = schm.getSchemeSocketFactory();
>> .
>> .
>> .
>>
>>
>> I can send a patch if you find it correct, for me it works.
>>
>
> You see, the problem is that if sockets can be created by arbitrary
> socket factories HTTP connections bound to those sockets can have
> context specific state the connection manager is not aware of. So, the
> connection manager can end up leasing those connections to another
> execution thread with a completely different security / user context.
>
> Why did you choose to not create a custom socket factory?
>
> Oleg
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: Use a unique instance of httpclient with some differents sets
of trust certificates
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Wed, 2012-05-30 at 14:02 +0200, Jose Escobar wrote:
> Hi,
>
> Finally I found a solution.
> I create a new SchemeRegistry on each request thread that need
> specific trust and key material and I add it as a SCHEME_REGISTRY
> attribute to a Context variable(each thread maintains its own
> dedicated instance of HttpContext). Then I use the singleton
> httpClient and that new context to execute the request. Using this I
> can use a custom SchemeRegistry for each request with a singleton
> httpclient bean.
>
> BUT I found that SCHEME_REGISTRY context attribute is not working
> properly in httpclient execute method (httpClient.execute(httpPost,
> context);) I dig into httpclient code to discover that this attribute
> is not readed. I isolate the problem to a single class,
> org.apache.http.impl.conn.DefaultClientConnectionOperator. The method
> openConnection gets default schemeRegistry instead of look first at
> context, so I write some code to fix this and it works great now.
>
> BEFORE:
>
> public void openConnection(
> final OperatedClientConnection conn,
> final HttpHost target,
> final InetAddress local,
> final HttpContext context,
> final HttpParams params) throws IOException {
> if (conn == null) {
> throw new IllegalArgumentException("Connection may not be null");
> }
> if (target == null) {
> throw new IllegalArgumentException("Target host may not be null");
> }
> if (params == null) {
> throw new IllegalArgumentException("Parameters may not be null");
> }
> if (conn.isOpen()) {
> throw new IllegalStateException("Connection must not be open");
> }
>
> Scheme schm = schemeRegistry.getScheme(target.getSchemeName());
> SchemeSocketFactory sf = schm.getSchemeSocketFactory();
> .
> .
> .
>
> AFTER:
>
> public void openConnection(
> final OperatedClientConnection conn,
> final HttpHost target,
> final InetAddress local,
> final HttpContext context,
> final HttpParams params) throws IOException {
> if (conn == null) {
> throw new IllegalArgumentException("Connection may not be null");
> }
> if (target == null) {
> throw new IllegalArgumentException("Target host may not be null");
> }
> if (params == null) {
> throw new IllegalArgumentException("Parameters may not be null");
> }
> if (conn.isOpen()) {
> throw new IllegalStateException("Connection must not be open");
> }
> //Changes here!
> Scheme schm;
> if ((context != null) &&
> (context.getAttribute(ClientContext.SCHEME_REGISTRY) != null)) {
> schm = ((SchemeRegistry)context.getAttribute(ClientContext.SCHEME_REGISTRY)).getScheme(target.getSchemeName());
> }
> else {
> schm = schemeRegistry.getScheme(target.getSchemeName());
> }
>
> SchemeSocketFactory sf = schm.getSchemeSocketFactory();
> .
> .
> .
>
>
> I can send a patch if you find it correct, for me it works.
>
You see, the problem is that if sockets can be created by arbitrary
socket factories HTTP connections bound to those sockets can have
context specific state the connection manager is not aware of. So, the
connection manager can end up leasing those connections to another
execution thread with a completely different security / user context.
Why did you choose to not create a custom socket factory?
Oleg
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: Use a unique instance of httpclient with some differents sets of
trust certificates
Posted by Jose Escobar <eb...@gmail.com>.
Hi,
Finally I found a solution.
I create a new SchemeRegistry on each request thread that need
specific trust and key material and I add it as a SCHEME_REGISTRY
attribute to a Context variable(each thread maintains its own
dedicated instance of HttpContext). Then I use the singleton
httpClient and that new context to execute the request. Using this I
can use a custom SchemeRegistry for each request with a singleton
httpclient bean.
BUT I found that SCHEME_REGISTRY context attribute is not working
properly in httpclient execute method (httpClient.execute(httpPost,
context);) I dig into httpclient code to discover that this attribute
is not readed. I isolate the problem to a single class,
org.apache.http.impl.conn.DefaultClientConnectionOperator. The method
openConnection gets default schemeRegistry instead of look first at
context, so I write some code to fix this and it works great now.
BEFORE:
public void openConnection(
final OperatedClientConnection conn,
final HttpHost target,
final InetAddress local,
final HttpContext context,
final HttpParams params) throws IOException {
if (conn == null) {
throw new IllegalArgumentException("Connection may not be null");
}
if (target == null) {
throw new IllegalArgumentException("Target host may not be null");
}
if (params == null) {
throw new IllegalArgumentException("Parameters may not be null");
}
if (conn.isOpen()) {
throw new IllegalStateException("Connection must not be open");
}
Scheme schm = schemeRegistry.getScheme(target.getSchemeName());
SchemeSocketFactory sf = schm.getSchemeSocketFactory();
.
.
.
AFTER:
public void openConnection(
final OperatedClientConnection conn,
final HttpHost target,
final InetAddress local,
final HttpContext context,
final HttpParams params) throws IOException {
if (conn == null) {
throw new IllegalArgumentException("Connection may not be null");
}
if (target == null) {
throw new IllegalArgumentException("Target host may not be null");
}
if (params == null) {
throw new IllegalArgumentException("Parameters may not be null");
}
if (conn.isOpen()) {
throw new IllegalStateException("Connection must not be open");
}
//Changes here!
Scheme schm;
if ((context != null) &&
(context.getAttribute(ClientContext.SCHEME_REGISTRY) != null)) {
schm = ((SchemeRegistry)context.getAttribute(ClientContext.SCHEME_REGISTRY)).getScheme(target.getSchemeName());
}
else {
schm = schemeRegistry.getScheme(target.getSchemeName());
}
SchemeSocketFactory sf = schm.getSchemeSocketFactory();
.
.
.
I can send a patch if you find it correct, for me it works.
2012/5/29 Oleg Kalnichevski <ol...@apache.org>:
> On Tue, 2012-05-29 at 16:17 +0200, Jose Escobar wrote:
>> Hi there,
>>
>> First of all let me say English is not my native language; please
>> excuse typing errors.
>>
>> I'm using Httpclient 4.2 on a Spring project to send Http Post
>> requests. It's working correctly with a singleton DefaultHttpClient
>> bean managed by a PoolingClientConnectionManager. This
>> PoolingClientConnectionManager has two schemas, http default port 80
>> and https default port 443 with default jsse trust certificates and a
>> key to authenticate the client to remote servers. As I say it works
>> great but now I have to validate some remote servers with given
>> certificates and they are not signed by default jsse trust
>> certificates. I don't want to simply add this new certificates to the
>> trusted certificates keystore because I only want to use them against
>> specific Urls for security reasons (I don't know how are they managing
>> their private keys).
>>
>> Is it possible to add these certificates to a singleton httpclient and
>> remove them after execute a HttpPost without affect others parallel
>> working threads that are using the same httpClient or may I should
>> create a new HttpClient instance with the apropiate trust
>> certificates?
>>
>>
>
> Possibly a better option might be a custom socket factory that can
> create SSL connections with different SSL contexts using different trust
> and key material based on the hostname of the target server.
>
> Hope this helps
>
> Oleg
>
>>
>> I can send some code if you needed. Sorry for my english again...
>>
>> Thanks in advance.
>>
>> Jose E.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
>> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
Re: Use a unique instance of httpclient with some differents sets
of trust certificates
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Tue, 2012-05-29 at 16:17 +0200, Jose Escobar wrote:
> Hi there,
>
> First of all let me say English is not my native language; please
> excuse typing errors.
>
> I'm using Httpclient 4.2 on a Spring project to send Http Post
> requests. It's working correctly with a singleton DefaultHttpClient
> bean managed by a PoolingClientConnectionManager. This
> PoolingClientConnectionManager has two schemas, http default port 80
> and https default port 443 with default jsse trust certificates and a
> key to authenticate the client to remote servers. As I say it works
> great but now I have to validate some remote servers with given
> certificates and they are not signed by default jsse trust
> certificates. I don't want to simply add this new certificates to the
> trusted certificates keystore because I only want to use them against
> specific Urls for security reasons (I don't know how are they managing
> their private keys).
>
> Is it possible to add these certificates to a singleton httpclient and
> remove them after execute a HttpPost without affect others parallel
> working threads that are using the same httpClient or may I should
> create a new HttpClient instance with the apropiate trust
> certificates?
>
>
Possibly a better option might be a custom socket factory that can
create SSL connections with different SSL contexts using different trust
and key material based on the hostname of the target server.
Hope this helps
Oleg
>
> I can send some code if you needed. Sorry for my english again...
>
> Thanks in advance.
>
> Jose E.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org