Partha Venkatavaradhan (pavenkat) wrote:
Hi Oleg,
Thanks for your response. I was using a relative path. I got the following
exception thrown with debug turned on. It's throwing an exception on the
session.getPeerCertificates() line, and the same exception if I use the
getCertificateChain() method. Is there anything that I am missing here?
Partha,
This problem has nothing to do with the hostname verification. The
SSLPeerUnverifiedException was thrown because the identity of the server
could not be verified. Apparently the SSL context was not correctly set up.
Trust verification and hostname verification are not the same thing.
Oleg
**********************************************************************************************************
enter GetMethod(String) at [2008-12-08 11:07:04,893] (org.apache.commons.httpclient.methods.GetMethod)
Set parameter http.protocol.cookie-policy = rfc2109 at [2008-12-08 11:07:04,896] (org.apache.commons.httpclient.params.DefaultHttpParams)
Set parameter http.method.retry-handler = [EMAIL PROTECTED] at [2008-12-08 11:07:04,896] (org.apache.commons.httpclient.params.DefaultHttpParams)
enter HttpClient.executeMethod(HttpMethod) at [2008-12-08 11:07:04,897] (org.apache.commons.httpclient.HttpClient)
enter HttpClient.executeMethod(HostConfiguration,HttpMethod,HttpState) at [2008-12-08 11:07:04,898] (org.apache.commons.httpclient.HttpClient)
Attempt number 1 to process request at [2008-12-08 11:07:04,970] (org.apache.commons.httpclient.HttpMethodDirector)
enter HttpConnection.open() at [2008-12-08 11:07:04,970] (org.apache.commons.httpclient.HttpConnection)
Open connection to 171.69.71.167:8443 at [2008-12-08 11:07:04,971] (org.apache.commons.httpclient.HttpConnection)
enter HttpConnection.closeSockedAndStreams() at [2008-12-08 11:07:06,095] (org.apache.commons.httpclient.HttpConnection)
Closing the connection. at [2008-12-08 11:07:06,096] (org.apache.commons.httpclient.HttpMethodDirector)
enter HttpConnection.close() at [2008-12-08 11:07:06,097] (org.apache.commons.httpclient.HttpConnection)
enter HttpConnection.closeSockedAndStreams() at [2008-12-08 11:07:06,097] (org.apache.commons.httpclient.HttpConnection)
I/O exception (javax.net.ssl.SSLPeerUnverifiedException) caught when processing request: peer not verified at [2008-12-08 11:07:06,099] (org.apache.commons.httpclient.HttpMethodDirector)
peer not verified at [2008-12-08 11:07:06,106] (org.apache.commons.httpclient.HttpMethodDirector)
javax.net.ssl.SSLPeerUnverifiedException: peer not verified
gnu.javax.net.ssl.provider.Session.getPeerCertificates (Unknown Source)
com.cisco.embedded.server.connection.http.StrictSSLProtocolSocketFactory.verifyHostname (Unknown Source)
com.cisco.embedded.server.connection.http.StrictSSLProtocolSocketFactory.createSocket (Unknown Source)
org.apache.commons.httpclient.HttpConnection.open (Unknown Source)
org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry (Unknown Source)
org.apache.commons.httpclient.HttpMethodDirector.executeMethod (Unknown Source)
org.apache.commons.httpclient.HttpClient.executeMethod (Unknown Source)
org.apache.commons.httpclient.HttpClient.executeMethod (Unknown Source)
com.cisco.embedded.server.connection.http.HttpsConnection.doGet (Unknown Source)
**********************************************************************************************************
thanks,
Partha
-----Original Message-----
From: Oleg Kalnichevski [mailto:[EMAIL PROTECTED]
Sent: Sunday, December 07, 2008 7:32 AM
To: HttpComponents Project
Subject: Re: Certificate Validation
Partha Venkatavaradhan (pavenkat) wrote:
Is it mandatory that I call Protocol.registerProtocol()?
No, it is not.
Because I have the following lines in my code:
    Protocol https = new Protocol("https", new StrictSSLProtocolSocketFactory(), port);
    //Protocol.registerProtocol("https", https);
    client.getHostConfiguration().setHost(url.getHost(), url.getPort(), https);
The above code on Windows doesn't perform the hostname verification. Only if
I uncomment the call to registerProtocol is the hostname verification called.
But on my target Linux (IBM JRE), this call to registerProtocol results in a
'Peer not verified' exception.
When using a custom HostConfiguration, make sure to use relative request URIs.
Oleg
Thanks in advance,
Partha
-----Original Message-----
From: Partha Venkatavaradhan (pavenkat)
Sent: Wednesday, November 26, 2008 12:02 PM
To: HttpComponents Project
Subject: RE: Certificate Validation
Hi,
Looks like after I included the StrictSSLProtocolSocketFactory, now even a
valid certificate like Thawte is declared as 'Peer not verified'. This however
works on a Windows machine. I am testing it on a Java ME edition and there it
fails. Any clues?
Thanks,
Partha
-----Original Message-----
From: Ortwin Glück [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 18, 2008 1:34 AM
To: HttpComponents Project
Subject: Re: Certificate Validation
Hi Partha,
Please have a look at
http://hc.apache.org/httpclient-3.x/sslguide.html
and especially then
StrictSSLProtocolSocketFactory which is referenced there.
Cheers,
Ortwin
Partha Venkatavaradhan (pavenkat) wrote:
Hi,
I am running a Tomcat server that has a valid certificate from Thawte.
In my HTTP client code I am letting the library handle the SSL
validation and I am not using any custom trust validation. Now,
everything works fine but the problem is precisely this. It works fine
even if I specify the IP address of the server in the URL. Since
the certificate is signed against my server's domain name, if I access
the URL with the IP address I expect the library to throw an exception as the
domain names don't match. This is precisely what happens when I try
to access the server from a browser by typing the server's IP address
instead of the domain name. I get a warning message stating that the
domain name and the URL that I entered don't match.
Is there any way I let the library explicitly validate the domain name
and throw me an exception in case it detects a mismatch?
Thanks,
Partha
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
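
Added example, not part of the thread and not the HttpClient project's StrictSSLProtocolSocketFactory: a sketch of the two separate checks discussed above. Trust is decided during the handshake, so getPeerCertificates() throws "peer not verified" before any name comparison can run; the name comparison itself is done here against subjectAltName only (a Common Name fallback is left out), and the class name, host names and SAN list are constructed for illustration.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

public class HostnameCheckExample {
    // Step 2 of 2. Step 1 (trust) already happened in the handshake: if the chain
    // was not accepted, getPeerCertificates() throws "peer not verified" here.
    static void verifyHostname(SSLSession session, String host)
            throws SSLPeerUnverifiedException, CertificateException {
        X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
        if (!matches(host, leaf.getSubjectAlternativeNames())) {
            throw new SSLPeerUnverifiedException("certificate does not cover " + host);
        }
    }

    // SAN entries are [type, value] pairs: type 2 = dNSName, type 7 = iPAddress.
    static boolean matches(String host, Collection<List<?>> sans) {
        if (sans == null) return false;               // no SAN extension at all
        // Simplified IP-literal test (assumption): dotted IPv4 or anything with ':'.
        boolean hostIsIp = host.matches("[0-9.]+") || host.contains(":");
        for (List<?> san : sans) {
            int type = (Integer) san.get(0);
            String value = String.valueOf(san.get(1)).toLowerCase();
            if (hostIsIp && type == 7 && value.equals(host)) return true;
            if (!hostIsIp && type == 2 && dnsMatches(host.toLowerCase(), value)) return true;
        }
        return false;
    }
    // Exact match, or a single leftmost "*." wildcard covering exactly one label.
    static boolean dnsMatches(String host, String pattern) {
        if (!pattern.startsWith("*.")) return host.equals(pattern);
        int dot = host.indexOf('.');
        return dot > 0 && host.substring(dot).equals(pattern.substring(1));
    }

    public static void main(String[] args) {
        // Constructed SAN list, shaped like getSubjectAlternativeNames() output.
        Collection<List<?>> sans = Arrays.<List<?>>asList(
                Arrays.<Object>asList(2, "www.example.test"),
                Arrays.<Object>asList(2, "*.api.example.test"));
        System.out.println(matches("www.example.test", sans));     // listed DNS name
        System.out.println(matches("192.0.2.10", sans));           // IP literal, no iPAddress SAN
        System.out.println(matches("v1.api.example.test", sans));  // one label under wildcard
        System.out.println(matches("a.b.api.example.test", sans)); // two labels under wildcard
    }
}
```

An IP literal is only compared against iPAddress entries, which is why a certificate issued for a domain name should be rejected when the server is addressed by IP, as the first message in the thread expects.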