Posted to httpclient-users@hc.apache.org by phmccabe <ph...@googlemail.com> on 2009/06/02 13:20:48 UTC

Re: using SSL in a development environment

I recently had the same issue, having to deal with self-signed certificates.
I am using Apache HTTP client 4 (Beta 2, I think), and the following
solution seems to be working in my preliminary tests.

Please excuse the atrocious coding practices in the code below, I'm just
trying to illustrate how to do this.

	import java.security.cert.CertificateException;
	import java.security.cert.X509Certificate;
	import javax.net.ssl.SSLContext;
	import javax.net.ssl.TrustManager;
	import javax.net.ssl.X509TrustManager;
	import org.apache.http.conn.ClientConnectionManager;
	import org.apache.http.conn.scheme.Scheme;
	import org.apache.http.conn.scheme.SchemeRegistry;
	import org.apache.http.conn.ssl.SSLSocketFactory;
	import org.apache.http.impl.client.DefaultHttpClient;

	public DefaultHttpClient useTrustingTrustManager(DefaultHttpClient httpClient)
	{
		try
		{
			// First create a trust manager that won't care.
			X509TrustManager trustManager = new X509TrustManager()
			{
				public void checkClientTrusted(X509Certificate[] chain, String authType)
				throws CertificateException
				{
					// Don't do anything: every client certificate is accepted.
				}

				public void checkServerTrusted(X509Certificate[] chain, String authType)
				throws CertificateException
				{
					// Don't do anything: every server certificate is accepted.
				}

				public X509Certificate[] getAcceptedIssuers()
				{
					// No issuers are trusted explicitly. Return an empty array rather
					// than null; the X509TrustManager contract requires a non-null array.
					return new X509Certificate[0];
				}
			};

			// Now put the trust manager into an SSLContext.
			SSLContext sslcontext = SSLContext.getInstance("TLS");
			sslcontext.init(null, new TrustManager[] { trustManager }, null);

			// Use the above SSLContext to create your socket factory
			// (I found trying to extend the factory a bit difficult due to a
			// call to createSocket with no arguments, a method which doesn't
			// exist anywhere I can find, but hey-ho).
			SSLSocketFactory sf = new SSLSocketFactory(sslcontext);
			sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);

			// If you want a thread safe client, use the ThreadSafeConManager, but
			// otherwise just grab the one from the current client, and get hold of
			// its scheme registry. THIS IS THE KEY THING.
			ClientConnectionManager ccm = httpClient.getConnectionManager();
			SchemeRegistry schemeRegistry = ccm.getSchemeRegistry();

			// Register our new socket factory with the typical SSL port and the
			// correct protocol name.
			schemeRegistry.register(new Scheme("https", sf, 443));

			// Finally, apply the ClientConnectionManager to the Http Client
			// or, as in this example, create a new one.
			return new DefaultHttpClient(ccm, httpClient.getParams());
		}
		catch(Throwable t)
		{
			// AND NEVER EVER EVER DO THIS, IT IS LAZY AND ALMOST ALWAYS WRONG!
			t.printStackTrace();
			return null;
		}
	}

I hope this helps others out there looking for ways to deal with silly
servers.

Paul.


realflash wrote:
> 
> 
> Bill Higgins-2 wrote:
>> 
>> Hi, I'm working in a development environment where our servers use
>> self-signed certificates. I want to use HttpClient 4 to connect to these
>> servers and basically ignore any security errors that come back. I was
>> hoping I could use org.apache.http.conn.ssl.SSLSocketFactory to do this by
>> using SSLSocketFactory's ALLOW_ALL_HOSTNAME_VERIFIER verifier, but it failed
>> with a javax.net.ssl.SSLPeerUnverifiedException with message "peer not
>> authenticated".
>> 
>> A colleague suggested that I need to create my own implementation of
>> LayeredSocketFactory, e.g. "TrustingSSLSocketFactory", but I was hoping
>> there was a way to get SSLSocketFactory to work for me, if I could configure
>> it the right way. Here is the code I am currently using. Please let me know
>> if there's something simple I can change to use SSLSocketFactory in my
>> development environment with servers with self-signed certs.
>> 
>> PS - I'm using HttpCore 4.0 Beta 2 and HttpClient 4.0 Alpha 4.
>> 
> 
> For those who want to avoid the factory creation, Howard Abrams has
> produced a neat solution to this problem by inserting a new security
> provider that ignores cert problems. You just need to add two class files
> to your project and call one method and bingo. You may also need to call
> ALLOW_ALL_HOSTNAME_VERIFIER if the cert doesn't match the hostname.
> 
> http://www.howardism.org/Technical/Java/SelfSignedCerts.html
> 
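Paul's trust manager accepts every certificate and every host name, which is what confines it to development use. As an added example (not code from this thread or from HttpClient itself), here is the narrower alternative for the same self-signed-certificate situation: trust only the development server's own exported certificate, using the same SSLSocketFactory(SSLContext) constructor and Scheme registration as above, while keeping the default (strict) hostname verifier. The class name DevCertTrust, the PEM file path and the alias "dev-server" are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;

public class DevCertTrust {

	// Builds an SSLContext whose trust store holds exactly one certificate:
	// the dev server's own (assumed exported beforehand to a PEM file).
	// Any other certificate, self-signed or not, is still rejected.
	public static SSLContext contextTrustingOnly(String pemPath) throws Exception {
		CertificateFactory cf = CertificateFactory.getInstance("X.509");
		X509Certificate devCert;
		InputStream in = new FileInputStream(pemPath);
		try {
			devCert = (X509Certificate) cf.generateCertificate(in);
		} finally {
			in.close();
		}
		// load(null, null) initialises an empty in-memory key store.
		KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
		trustStore.load(null, null);
		trustStore.setCertificateEntry("dev-server", devCert); // alias is assumed

		// The default (PKIX) trust manager treats the stored cert as a trust anchor.
		TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
		tmf.init(trustStore);

		SSLContext ctx = SSLContext.getInstance("TLS");
		ctx.init(null, tmf.getTrustManagers(), null);
		return ctx;
	}

	// Same registration step as in the post, but with the pinned context and
	// without ALLOW_ALL_HOSTNAME_VERIFIER, so the cert's host name is still checked.
	public static DefaultHttpClient clientTrustingOnly(DefaultHttpClient httpClient, String pemPath) throws Exception {
		SSLSocketFactory sf = new SSLSocketFactory(contextTrustingOnly(pemPath));
		ClientConnectionManager ccm = httpClient.getConnectionManager();
		ccm.getSchemeRegistry().register(new Scheme("https", sf, 443));
		return new DefaultHttpClient(ccm, httpClient.getParams());
	}
}
```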


