Posted to httpclient-users@hc.apache.org by Oleg Kalnichevski <ol...@apache.org> on 2008/09/15 13:53:04 UTC

Re: Unable to perform client authentication: client certificates not accessed from system certificate store by commons-httpclient

On Thu, 2008-09-11 at 16:20 +0100, Damian.Ryan@ubs.com wrote:
> Setup:
> 
> commons-httpclient-3.1
> java 1.6.0_04
> java WebStart 6
> client OS: windows XP professional
> browser/certificate store: IE/Windows XP
> 
> I am trying to use commons-httpclient-3.1 from a WebStart-deployed
> application to communicate through a web proxy over SSL with an HTTPS
> URL that requires client authentication with a certificate retrieved
> from the system certificate store, not a standalone one in the local
> file system (e.g. a PKCS#12 file).
> 
> I can get this to work using a straight HttpsURLConnection, which
> successfully accesses the client certificate from IE's personal
> certificate store. The handshake succeeds, the connection is made and
> the request is served.

Damian

HttpClient is unable to access trusted certificates stored in the
personal certificate store. So, you have to manually configure the SSL
context and populate it with those certificates your application should
treat as trusted. For details please refer to "Customizing SSL in
HttpClient" and "Examples of SSL customization in HttpClient" sections
of the HttpClient SSL guide:

http://hc.apache.org/httpclient-3.x/sslguide.html

Hope this helps

Oleg  



> I have a suspicion the solution may involve a custom
> SecureProtocolSocketFactory, but I have been unable to solve the problem
> myself.
> 
> Can anyone give me any pointers?
> 
> Thanks,
> 
> Damian



---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
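
Added example, not part of the original thread or of HttpClient: one way to build the custom SecureProtocolSocketFactory discussed above for commons-httpclient 3.1. It assumes a Windows JRE with the SunMSCAPI provider (Java 6 or later) and uses the JRE default trust store to validate the server; the class name WindowsStoreSocketFactory is hypothetical.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

// Hypothetical class name; added example, not code from the thread or from HttpClient.
public class WindowsStoreSocketFactory implements SecureProtocolSocketFactory {
    private final SSLContext ctx;
    public WindowsStoreSocketFactory() throws GeneralSecurityException, IOException {
        // "Windows-MY" is the current user's personal store, exposed by the SunMSCAPI provider.
        KeyStore personal = KeyStore.getInstance("Windows-MY");
        personal.load(null, null);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(personal, null); // private keys stay in the OS store; no password is supplied here
        ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // null = JRE default trust managers and RNG
    }

    public Socket createSocket(String host, int port) throws IOException {
        return ctx.getSocketFactory().createSocket(host, port);
    }
    public Socket createSocket(String host, int port, InetAddress local, int localPort) throws IOException {
        return ctx.getSocketFactory().createSocket(host, port, local, localPort);
    }
    public Socket createSocket(String host, int port, InetAddress local, int localPort,
                               HttpConnectionParams params) throws IOException {
        if (params == null) throw new IllegalArgumentException("params may not be null");
        Socket s = ctx.getSocketFactory().createSocket(); // unconnected, so the timeout applies
        s.bind(new InetSocketAddress(local, localPort));
        s.connect(new InetSocketAddress(host, port), params.getConnectionTimeout());
        return s;
    }
    // Used when going through a proxy: layers TLS over the socket already tunnelled via CONNECT.
    public Socket createSocket(Socket tunnel, String host, int port, boolean autoClose) throws IOException {
        return ctx.getSocketFactory().createSocket(tunnel, host, port, autoClose);
    }
    // Makes every https:// request issued through HttpClient 3.x use this factory.
    public static void register() throws GeneralSecurityException, IOException {
        Protocol.registerProtocol("https",
            new Protocol("https", (ProtocolSocketFactory) new WindowsStoreSocketFactory(), 443));
    }
}
```

Call WindowsStoreSocketFactory.register() once before creating the HttpClient. As written, the factory validates the server's certificate chain but does not compare the certificate against the requested hostname, so that check has to be added separately.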


RE: Unable to perform client authentication: client certificates not accessed from system certificate store by commons-httpclient

Posted by Da...@ubs.com.
I spent a fair amount of time looking at the SSL guide, and posted this
question because I didn't find anything helpful in them.

Never mind. I've abandoned httpclient for making mutually authenticated
connections and fallen back to using HttpsURLConnection.

Damian 
