Partha Venkatavaradhan (pavenkat) wrote:
Is it mandatory that I call Protocol.registerProtocol()?

No, it is not.


 Because I have the following lines in my code:
                        Protocol https = new Protocol("https", new StrictSSLProtocolSocketFactory(), port);
                        //Protocol.registerProtocol("https", https);
                        client.getHostConfiguration().setHost(url.getHost(), url.getPort(), https);

The above code, on Windows, doesn't perform the hostname verification. Only if
I uncomment the call to registerProtocol is the hostname verification called.
But on my target Linux (IBM JRE), this call to registerProtocol results in a
'Peer not verified' exception.


When using a custom HostConfiguration, make sure to use relative request URIs.

Oleg


Thanks in advance,
Partha

-----Original Message-----
From: Partha Venkatavaradhan (pavenkat)
Sent: Wednesday, November 26, 2008 12:02 PM
To: HttpComponents Project
Subject: RE: Certificate Validation

Hi,

Looks like after I included the StrictSSLProtocolSocketFactory, now even a
valid certificate like Thawte is declared as 'Peer not verified'. This however
works on a Windows machine. I am testing it on a Java ME edition and there it
fails. Any clues?

Thanks,
Partha


-----Original Message-----
From: Ortwin Glück [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 18, 2008 1:34 AM
To: HttpComponents Project
Subject: Re: Certificate Validation

Hi Partha,

Please have a look at
http://hc.apache.org/httpclient-3.x/sslguide.html
and especially then
StrictSSLProtocolSocketFactory which is referenced there.

Cheers,

Ortwin

Partha Venkatavaradhan (pavenkat) wrote:
Hi,

I am running a Tomcat server that has a valid certificate from Thawte.
In my HTTP client code I am letting the library handle the SSL
validation and I am not using any custom trust validation.  Now,
everything works fine but the problem is precisely this.  It works fine
even if I specify the IP address of the server in the URL.  Since
the certificate is signed against my server's domain name, if I access
the URL with the IP address I expect the library to throw an exception as the
domain names don't match.  This is precisely what happens when I try
to access the server from a browser by typing the server's IP address
instead of the domain name.  I get a warning message stating that the
domain name and the URL that I entered don't match.

Is there any way I let the library explicitly validate the domain name
and throw me an exception in case it detects a mismatch?

Thanks,

Partha
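
The setup discussed in this thread, as an added example that is not code from any of the posters or from the HttpClient project: a custom "https" Protocol attached to the client's HostConfiguration and used with a relative request URI, without a global Protocol.registerProtocol() call. The host name, port and path are placeholders, and the example assumes HttpClient 3.x plus the contrib StrictSSLProtocolSocketFactory class from the SSL guide on the classpath.

```java
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;

public class StrictHttpsExample {
    public static void main(String[] args) throws Exception {
        // Placeholder target (assumption for this example only).
        String host = "www.example.com";
        int port = 443;
        String path = "/index.html";

        // Custom "https" protocol backed by the hostname-verifying factory.
        // It is deliberately NOT registered with Protocol.registerProtocol(),
        // so other code in the same JVM keeps the default "https" handling.
        Protocol strictHttps = new Protocol("https",
                (ProtocolSocketFactory) new StrictSSLProtocolSocketFactory(), port);

        HttpClient client = new HttpClient();
        client.getHostConfiguration().setHost(host, port, strictHttps);

        // Relative request URI: the request is sent through the host
        // configuration set above, so the strict factory opens the socket.
        // An absolute URI such as new GetMethod("https://" + host + path)
        // makes HttpClient 3.x derive the host configuration from the URI,
        // using whatever protocol is registered for "https", and the custom
        // factory (with its hostname check) is silently skipped.
        GetMethod get = new GetMethod(path);
        try {
            int status = client.executeMethod(get);
            System.out.println("HTTP status: " + status);
        } finally {
            get.releaseConnection();
        }
    }
}
```

To confirm the check is active, point the placeholder host at the server's IP address instead of the name in its certificate: the request should then fail with an SSL exception rather than return a status code.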




