Hi Adrian, You'll probably want to browse the JSSE reference guide if you haven't already.
http://java.sun.com/j2se/1.4/docs/guide/security/jsse/JSSERefGuide.html

In the snippet of example code that follows, a keystore is loaded that contains the client certificate. Eventually an SSLContext is initialized using the KeyManager, and from the SSLContext comes an SSLSocketFactory. You can also load up a TrustManager from a keystore containing public keys for servers you trust and use that in the initialization of the SSLContext. You'll need to use the keytool executable that comes with the JDK to create and manage the keystores and certificates. There's documentation on keytool in the reference guide link above.

In the example below, since no TrustManager is specified, the SSL context uses the public keys from the cacerts file in the JDK/JRE directory. If your server is not using a cert signed by one of the CAs in the cacerts keystore, you'll need either the public key of their CA or the public key for their self-signed cert.

Let me know if you have any more questions.

EJJ

    import java.io.FileInputStream;
    import java.io.IOException;
    import java.security.KeyStore;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocketFactory;

    public class ClientCertSocketFactory {
        // Builds an SSLSocketFactory that presents the client certificate held in
        // the "testkeys" keystore. No TrustManager is passed to init(), so server
        // certificates are checked against the default cacerts truststore.
        public static SSLSocketFactory create() throws IOException {
            SSLSocketFactory factory = null;
            try {
                SSLContext ctx;
                KeyManagerFactory kmf;
                KeyStore ks;
                char[] passphrase = "passphrase".toCharArray();
                ctx = SSLContext.getInstance("TLS");
                kmf = KeyManagerFactory.getInstance("SunX509");
                ks = KeyStore.getInstance("JKS");
                ks.load(new FileInputStream("testkeys"), passphrase);
                kmf.init(ks, passphrase);
                ctx.init(kmf.getKeyManagers(), null, null);
                factory = ctx.getSocketFactory();
            } catch (Exception e) {
                throw new IOException(e.getMessage());
            }
            return factory;
        }
    }

--- Adrian Sutton <[EMAIL PROTECTED]> wrote:
> Hi Eric,
> I've just started running into this problem as well and have been trying to
> work out how to implement your suggestions with no luck. The step I'm
> having troubles with is the "and use the socket factory instead of the calls
> to SSLSocketFactory.getDefault()".
>
> My problem is that currently I don't have an alternate SSLSocketFactory to
> use - any hints on where one is available from that doesn't barf on
> untrusted certs or links to info on how to implement one? It sounds like a
> rather difficult task to me, but the client is paying us lots of money so
> I'm inclined to work on it. :)
>
> I haven't been able to turn up your original posts on the commons-dev list
> so if there is more useful information there, a couple of key words to
> search for would be useful in helping me find it.
>
> Thanks in advance,
>
> Adrian Sutton
> Software Engineer
> Ephox Corporation.
>
> ----- Original Message -----
> From: "Eric Johnson" <[EMAIL PROTECTED]>
> To: "Commons HttpClient Project" <[EMAIL PROTECTED]>
> Sent: Thursday, February 20, 2003 4:38 AM
> Subject: Re: Problem with SSL Certificate
>
>
> > Hi,
> >
> > I brought this up on the commons dev thread and forgot
> > to post the idea here.
> >
> > You'll need to write your own implementation of the
> > SecureProtocolSocketFactory to replace the
> > SSLProtocolSocketFactory implementation. Add a
> > socketFactory argument to the constructor of this
> > class and use the socket factory instead of the calls
> > to SSLSocketFactory.getDefault() used in
> > SSLProtocolSocketFactory.
> >
> > I think this idea ought to replace
> > SSLProtocolSocketFactory FWIW. I just hadn't had time
> > to send it in or type up the code for it yet.
> >
> > Eric Johnson (not the one that regularly contributes,
> > but one that might like to in the near future.)
> >
> > :)
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
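The two halves of the advice in this thread, loading a TrustManager from your own truststore (so a self-signed or private-CA server cert is accepted without disabling checking) and wrapping the resulting SSLSocketFactory in a SecureProtocolSocketFactory for HttpClient, fit together as follows. This is an added example, not code from Eric's message or from the HttpClient project; it assumes the HttpClient 2.0 shape of the SecureProtocolSocketFactory interface (three createSocket overloads) and the Protocol.registerProtocol API, and the keystore paths and passwords are placeholders you replace with your own keytool-created files.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.KeyStore;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

/**
 * Example (not from the list post): an SSLContext that presents a client
 * certificate AND trusts only the certificates in an explicit truststore,
 * wrapped in a SecureProtocolSocketFactory so HttpClient uses it for https.
 * Import the server's CA cert (or its self-signed cert) into the truststore
 * with "keytool -import"; that is the alternative to turning checks off.
 */
public class StrictSslProtocolSocketFactory implements SecureProtocolSocketFactory {

    private final SSLSocketFactory socketFactory;

    public StrictSslProtocolSocketFactory(SSLSocketFactory socketFactory) {
        this.socketFactory = socketFactory;
    }

    /** Builds the factory. Paths and passwords are caller-supplied placeholders. */
    public static SSLSocketFactory buildSocketFactory(String keyStorePath, char[] keyPass,
                                                      String trustStorePath, char[] trustPass)
            throws IOException {
        try {
            // Client identity: private key + certificate chain from the keystore.
            KeyStore ks = KeyStore.getInstance("JKS");
            FileInputStream ksIn = new FileInputStream(keyStorePath);
            try { ks.load(ksIn, keyPass); } finally { ksIn.close(); }
            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
            kmf.init(ks, keyPass);

            // Server trust: only the CA / self-signed certs imported into this truststore,
            // replacing the default cacerts file rather than widening it.
            KeyStore ts = KeyStore.getInstance("JKS");
            FileInputStream tsIn = new FileInputStream(trustStorePath);
            try { ts.load(tsIn, trustPass); } finally { tsIn.close(); }
            TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
            tmf.init(ts);

            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
            return ctx.getSocketFactory();
        } catch (Exception e) {
            // IOException(String) only: the Throwable-cause constructor is post-1.4.
            throw new IOException("Could not initialise SSL context: " + e.getMessage());
        }
    }

    // --- SecureProtocolSocketFactory (HttpClient 2.0 shape, assumed) ---

    public Socket createSocket(String host, int port, InetAddress clientHost, int clientPort)
            throws IOException, UnknownHostException {
        return socketFactory.createSocket(host, port, clientHost, clientPort);
    }

    public Socket createSocket(String host, int port)
            throws IOException, UnknownHostException {
        return socketFactory.createSocket(host, port);
    }

    public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
            throws IOException, UnknownHostException {
        return socketFactory.createSocket(socket, host, port, autoClose);
    }

    public static void main(String[] args) throws IOException {
        // Placeholder files created with keytool; replace with your own.
        SSLSocketFactory ssf = buildSocketFactory("client.jks", "client-pass".toCharArray(),
                                                  "truststore.jks", "trust-pass".toCharArray());
        Protocol https = new Protocol("https", new StrictSslProtocolSocketFactory(ssf), 443);
        Protocol.registerProtocol("https", https);
        // From here on, HttpClient's https connections go through this factory.
    }
}
```

One caveat worth knowing: the TrustManager verifies that the server's certificate chains to something in your truststore, but a plain SSLSocket does not check that the certificate's subject matches the hostname you connected to (HttpsURLConnection does that on its own); if that matters for your deployment, compare the peer certificate's name against the host after the handshake.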
