[
https://issues.apache.org/jira/browse/HTTPCLIENT-1091?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13034713#comment-13034713
]
Oleg Kalnichevski commented on HTTPCLIENT-1091:
-----------------------------------------------
> 1) Can you please explain what do you mean by "can potentially be Java
> runtime specific"? I feel that I do not fully understand
> the difference between relying on
> HttpsURLConnection#getDefaultSSLSocketFactory() or on SSLContext...
Apparently HttpsURLConnection#getDefaultSSLSocketFactory() method does more
things (or does them differently) compared to the standard SSLContext
initialisation routine. I remember having bizarre issues with the behaviour of
this method in IBM JREs. Admittedly that was good 4 years back, though. This
may no longer be the case. The use of this method in SSLSocketFactory felt
wrong to me. That is all.
> 2) Do you mean that SSLContext ignores keystore-related system properties?
It does look so. Unless you have a different explanation why those properties
do not get picked up per default.
> Any chance that the strange behavior is related to the way that HttpClient
> uses SSLContext?
I certainly cannot rule that out. Feel free to review the code and let me know
if you find any improper use of JSSE API.
http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/SSLSocketFactory.java
Cheers
Oleg
> Regression: 2 way authentication with SSL doesn't work in versions 4.1.x,
> used to work with 4.0.x
> -------------------------------------------------------------------------------------------------
>
> Key: HTTPCLIENT-1091
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1091
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient
> Affects Versions: 4.1.1
> Reporter: Yuri Manusov
> Attachments: ClientConnectionTest.java, clientKeyStore.p12,
> clientTrustStore.jks, openSSLCertsCreation.bat, server.xml, serverKeyStore.jks
>
>
> Tried to create an SSL tunnel with two way authentication, was able to do
> that with versions 4.0.1 and 4.0.3, but in versions 4.1 and 4.1.1 I get the
> exception:
> Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException: peer not
> authenticated
> at
> com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
> at
> org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
> at
> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:390)
> at
> org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
> at
> org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
> at
> org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
> at
> org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:561)
> at
> org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
> at
> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
> at
> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
> at
> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:732)
> at ClientConnectionTest.main(ClientConnectionTest.java:38)
> the creation of the SSL certificates was done using open ssl and java keytool
> (script will be attached in openSSLCertsCreation.bat).
> as a client I've used a simple java client (will attach
> ClientConnectionTest.java)
> as a server Tomcat was used, and configured to allow ssl communication with 2
> way authentication (clientAuth="true").
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
