Hi, Httpclient,

My employer (Credit Union Central of British Columbia) has given me permission to donate some code to Apache. This code comes from my earlier attempt on this list to get HTTPClient to accept self-signed certificates.
Here's the code: http://juliusdavies.ca/commons-ssl/

The way it works looks like this:

    SSLClient client = new SSLClient();
    client.addTrustMaterial( TrustMaterial.CACERTS );
    client.addTrustMaterial( new TrustMaterial( "/path/to/cert.pem" ) );
    SSLSocket s = (SSLSocket) client.createSocket( "www.cucbc.com", 443 );

I put in a createSocket() that takes a timeout integer value to make your life easier.

I've put in a "ping" utility I'm finding very handy. It writes "HEAD / HTTP/1.1" on a socket and then spits out any errors, including certificate chains (in Base64 PEM format). It's the default class in the manifest, so all you need to use it is run:

    java -jar commons-ssl.jar

Here's what it spits out if you don't specify any options:

==============================================================
Usage:  java -jar commons-ssl.jar [options]

Options:   (*=required)
*  -t --target        [hostname[:port]]                default port=443
   -b --bind          [hostname[:port]]                default port=0 "ANY"
   -c --client-cert   [path to client certificate]    *.jks or *.pfx
   -p --password      [client cert password]

Example:

java -jar commons-ssl.jar -t cucbc.com:443 -c ./client.pfx -p `cat ./pass.txt`
==============================================================

Here's what it spits out after a successful run:

$ java -jar commons-ssl.jar -t www.cucbc.com

Writing:
================================================================================
HEAD / HTTP/1.1
Host: www.cucbc.com

Reading:
================================================================================
HTTP/1.1 200 OK
Date: Thu, 04 May 2006 00:22:27 GMT
Server: Apache/2.0.46 (Red Hat)
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=UTF-8

Server Certificate for: [www.cucbc.com/64.114.5.46:443]
================================================================================
s.0: CN=www.cucbc.com, O=Credit Union Central of British Columbia, L=Vancouver, ST=British Columbia, C=CA
i.0: [EMAIL PROTECTED], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
-----BEGIN CERTIFICATE-----
MIIDdjCCAt+gAwIBAgIDIhV6MA0GCSqGSIb3DQEBBAUAMIHOMQswCQYDVQQGEwJa
QTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xHTAb
BgNVBAoTFFRoYXd0ZSBDb25zdWx0aW5nIGNjMSgwJgYDVQQLEx9DZXJ0aWZpY2F0
aW9uIFNlcnZpY2VzIERpdmlzaW9uMSEwHwYDVQQDExhUaGF3dGUgUHJlbWl1bSBT
ZXJ2ZXIgQ0ExKDAmBgkqhkiG9w0BCQEWGXByZW1pdW0tc2VydmVyQHRoYXd0ZS5j
b20wHhcNMDUxMTEwMTkxMzE3WhcNMDYxMTEwMTkxMzE3WjCBhzELMAkGA1UEBhMC
Q0ExGTAXBgNVBAgTEEJyaXRpc2ggQ29sdW1iaWExEjAQBgNVBAcTCVZhbmNvdXZl
cjExMC8GA1UEChMoQ3JlZGl0IFVuaW9uIENlbnRyYWwgb2YgQnJpdGlzaCBDb2x1
bWJpYTEWMBQGA1UEAxMNd3d3LmN1Y2JjLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOB
jQAwgYkCgYEAr6PzKwELErUMueWqE7c+BDw9Cp2zNyivHmLWKpL/82xQCq+VG6Nx
OFVpg7rLMMgkbabFD5F8bC63ALaURfxtggWBOCpaHhr78F25rolWPRfpaGtjXeMk
Of3t/LeGImdljAqetHft51i6SE1EKxD8du9eTN7wNI7Sj8olgHY2MgkCAwEAAaOB
pjCBozAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwQAYDVR0fBDkwNzA1
oDOgMYYvaHR0cDovL2NybC50aGF3dGUuY29tL1RoYXd0ZVByZW1pdW1TZXJ2ZXJD
QS5jcmwwMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vb2NzcC50
aGF3dGUuY29tMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEEBQADgYEAl0DrUmw2
2+ua2oh1mpxcqOlHAhW3DJvHd2dXYrEYivd0cJ1mFJahfGDfbM2VuFkKgTgKF3Wu
/fzH8AERAuYz80WGifvXk3U3CgxOT0Cuv2MzaNMUuNw76iZmNjD9Rfh3flA+HWZj
kkpeS0oIu2QDgK1tN3TAfGWMaU9p50r5W9E=
-----END CERTIFICATE-----

It even prints out the certificates if the SSL handshake fails, so that can be very handy when you've got miscreant client certificates or typos in your truststores!

If you would like to read the code, or try playing with it, please check out this URL: http://juliusdavies.ca/commons-ssl/

Unfortunately I haven't included a build script yet, but just going into the "org/apache/commons/ssl" directory and typing "javac *.java" does the trick. There are no dependencies at this time (for now I've stolen Base64.java from commons-codec!).

What should I do to try and get a new "commons-ssl" project started?
If this code is accepted, I would like to bring HTTPClient's "contrib-ssl" into the HTTPClient 4.0 branch, and depend on "commons-ssl".

Sorry if I'm a little breathless. I'm pretty excited.

yours,

--
Julius Davies
Senior Application Developer, Technology Services
Credit Union Central of British Columbia
http://www.cucbc.com/
Tel: 604-730-6385
Cel: 604-868-7571
Fax: 604-737-5910
1441 Creekside Drive
Vancouver, BC  Canada  V6J 4S7
http://juliusdavies.ca/
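Added example, not part of the original post and not commons-ssl's own code: the two things the post describes (trusting the JRE's cacerts plus one extra PEM certificate, and a "HEAD / HTTP/1.1" ping that prints the server's certificate chain in PEM even when the handshake fails) built with only the standard JSSE classes. It assumes the JRE keeps its default trust store at java.home/lib/security/cacerts, a 10 second timeout, Java 8 or later for java.util.Base64, and that the host, port and optional PEM path are given on the command line; the class and method names are my own.

```java
import java.io.*;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.*;

public class PemTrustPing {

    /** Trust store = the JRE's cacerts plus every certificate found in one PEM file. */
    static KeyStore trustStoreWithPem(File pemFile) throws Exception {
        // Assumption: cacerts lives under java.home (true for Java 8 and for 9+).
        File cacerts = new File(System.getProperty("java.home"), "lib/security/cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(cacerts)) {
            ks.load(in, null);   // null password: integrity check skipped, entries still readable
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(pemFile)) {
            int i = 0;
            for (Certificate c : cf.generateCertificates(in)) {   // handles a multi-cert PEM
                ks.setCertificateEntry("extra-" + (i++), c);      // alias is arbitrary
            }
        }
        return ks;
    }

    /** Wraps the real trust manager so the chain the server presented is kept for printing. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] lastChain = new X509Certificate[0];
        RecordingTrustManager(X509TrustManager d) { delegate = d; }
        public void checkClientTrusted(X509Certificate[] chain, String auth) throws CertificateException {
            delegate.checkClientTrusted(chain, auth);
        }
        public void checkServerTrusted(X509Certificate[] chain, String auth) throws CertificateException {
            lastChain = chain;                       // recorded before validation, so a failure still shows it
            delegate.checkServerTrusted(chain, auth);
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** Encode one certificate as Base64 PEM, 64 characters per line. */
    static String toPem(X509Certificate c) throws Exception {
        String b64 = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII))
                           .encodeToString(c.getEncoded());
        return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----";
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        File pem = args.length > 2 ? new File(args[2]) : null;      // optional extra trust material

        KeyStore ks = pem != null ? trustStoreWithPem(pem) : null;  // null -> plain cacerts
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        RecordingTrustManager rtm = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { rtm = new RecordingTrustManager((X509TrustManager) tm); break; }
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{rtm}, null);

        int timeoutMs = 10_000;
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket()) {
            s.connect(new InetSocketAddress(host, port), timeoutMs);  // connect timeout
            s.setSoTimeout(timeoutMs);                                // read timeout
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");  // raw SSLSocket does no hostname check by default
            s.setSSLParameters(p);
            try {
                s.startHandshake();
            } finally {
                // Printed on success and on failure alike: that is what makes the
                // tool useful for diagnosing truststore typos and wrong certificates.
                System.out.println("Server certificate chain for " + host + ":" + port);
                for (X509Certificate c : rtm.lastChain) {
                    System.out.println("  subject: " + c.getSubjectX500Principal());
                    System.out.println("  issuer:  " + c.getIssuerX500Principal());
                    System.out.println(toPem(c));
                }
            }
            String req = "HEAD / HTTP/1.1\r\nHost: " + host + "\r\nConnection: close\r\n\r\n";
            s.getOutputStream().write(req.getBytes(StandardCharsets.US_ASCII));
            s.getOutputStream().flush();
            BufferedReader r = new BufferedReader(
                    new InputStreamReader(s.getInputStream(), StandardCharsets.ISO_8859_1));
            for (String line; (line = r.readLine()) != null && !line.isEmpty(); ) {
                System.out.println(line);   // response status line and headers
            }
        }
    }
}
```

Run it as `java PemTrustPing www.example.net 443 /path/to/cert.pem`. Two points worth noting for anyone writing the same thing: the extra certificate is added to a copy of cacerts rather than replacing the default trust, so public CAs keep working; and the endpoint identification line matters, because an SSLSocket created directly from an SSLContext validates the chain but does not, by default, check that the certificate's name matches the host you connected to.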