[ https://issues.apache.org/jira/browse/HTTPCLIENT-1275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13530266#comment-13530266 ]

Karl Wright edited comment on HTTPCLIENT-1275 at 12/12/12 8:03 PM:
-------------------------------------------------------------------

Hi Oleg,

If the purpose of AllowAllHostnameVerifier is not to prevent verification of 
certs, then this ticket can be closed.

In the code I am using I have a "trust everything" trust store already - that's 
not the issue.  In fact I suspect that the tester did not build the code 
correctly, which was a major part of the problem.  The only thing that is still 
a bit of a question is whether or not you can actually get an exception 
from SSLSession.getPeerCertificates(), and under what circumstances.

                
      was (Author: [email protected]):
    Hi Oleg,

If the purpose of AllowAllHostnameVerifier is not to verify certs, then this 
ticket can be closed.

In the code I am using I have a "trust everything" trust store already - that's 
not the issue.  In fact I suspect that the tester did not build the code 
correctly, which was a major part of the problem.  The only thing that is still 
a bit of a question is whether or not you can actually get an exception 
from SSLSession.getPeerCertificates(), and under what circumstances.

                  
> AllowAllHostnameVerifier does not prevent SSL handshake verification errors
> ---------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1275
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1275
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpConn
>    Affects Versions: 4.2.2
>            Reporter: Karl Wright
>            Assignee: Karl Wright
>             Fix For: 4.2.3
>
>
> In debugging unverified SSL connections for the ManifoldCF RSS connector, I 
> discovered that even with AllowAllHostnameVerifier(), which supposedly shuts 
> down SSL hostname verification, the SSLSession method getPeerCertificates() 
> can cause an exception anyway, before the overridden method is called, 
> because peer authentication has not yet occurred.
> See CONNECTORS-579 for details, and for the exact trace.
> I'm also looking for suggestions as to how to properly fix this.  One 
> possibility would be to catch the exception and pass null for the peer certs 
> to the verify method.  Since that loses the exception, though, it might be 
> better to change the method signature of the overridden verify() method and 
> include an Exception object, which could get rethrown if needed.
