Julius: I just want to reemphasize that the server DOES NOT lock down the port. It only locks down a certain path. So the server will not send a certificate request until the client sends the GET /whatever HTTP/1.1
Anyhow, I ran your code and I got the "client certs: null" message.

thanks again,
JT

--- Julius Davies <[EMAIL PROTECTED]> wrote:

> Hi, James,
>
> I double checked that client certs are still working with
> "commons-ssl-0.3.0.jar". I used the code below.
>
> When I try connecting to an SSL server that doesn't require client
> certs, I get "client certs: null" (e.g. www.cucbc.com:443).
>
> When I try connecting to a server that does require client certs, they
> show up.
>
> If I remove this line, then the socket can't be established:
>
> // easy.setKeyMaterial( km );
>
> But that's because the server I'm testing against REQUIRES client certs,
> rather than just merely WANTING client certs.
>
> Can you try the code below? I'm using the "SSLWrapperFactory" interface
> to look closely at the socket before it's returned up to HttpClient.
>
> If you're still having problems, I'll try setting up a proper
> WANT-CLIENT-AUTH server to further test. For now I'm being lazy and
> just relying on a NEED-CLIENT-AUTH server I have access to.
>
> yours,
>
> Julius
>
> http://juliusdavies.ca/
>
> public static void main( String[] args ) throws Exception
> {
>     EasySSLProtocolSocketFactory easy = new EasySSLProtocolSocketFactory();
>     SSLWrapperFactory w = new SSLWrapperFactory()
>     {
>         public SSLSocket wrap( SSLSocket s ) throws IOException
>         {
>             s.getSession().getPeerCertificates();
>             System.out.println( "wrap: " + s );
>             Certificate[] certs = s.getSession().getLocalCertificates();
>             if ( certs != null )
>             {
>                 System.out.println( "client certs:" );
>                 for ( int i = 0; i < certs.length; i++ )
>                 {
>                     X509Certificate c = (X509Certificate) certs[ i ];
>                     System.out.println( Certificates.toString( c ) );
>                 }
>             }
>             else
>             {
>                 System.out.println( "client certs: null" );
>             }
>             return s;
>         }
>
>         public SSLServerSocket wrap( SSLServerSocket s ) throws IOException
>         {
>             return s;
>         }
>     };
>
>     // These next three lines are where commons-ssl fits in:
>     KeyMaterial km = new KeyMaterial( "/path/to/cert.p12", "changeit".toCharArray() );
>     easy.setSSLWrapperFactory( w );
>     easy.setKeyMaterial( km );
>
>     // Back to usual "EasySSLProtocolSocketFactory" as detailed in
>     // httpclient-contrib javadocs:
>     Protocol easyhttps = new Protocol( "https", easy, 443 );
>     Protocol.registerProtocol( "https", easyhttps );
>     HttpClient client = new HttpClient();
>     HeadMethod httpget = new HeadMethod( "https://www.cucbc.com:443/" );
>     client.executeMethod( httpget );
>     Header[] headers = httpget.getResponseHeaders();
>     for ( int i = 0; i < headers.length; i++ )
>     {
>         Header h = headers[ i ];
>         System.out.println( h.getName() + ":" + h.getValue() );
>     }
> }
>
>
> On Fri, 2006-06-10 at 08:09 -0700, James Vu wrote:
> > Julius:
> >
> > Again thanks for your reply. I did use EasySSLProtocolSocketFactory.
> > This is why the client was able to make thru the first SSL handshake
> > because it is able to trust any CA. (As a side note, I think there is
> > sufficient samples/docs for using EasySSLProtocolSocketFactory.)
> >
> > I also tried the TrustSSLProtocolSocketFactory with both the server
> > certificate and the signer of the server certificate as the trust chain.
> > Here it also passed thru the first SSL handshake but did not seem to
> > present the client certificate during the second handshake.
> >
> > thanks,
> > JT
> >
> > Here is my test client code:
> >
> > import org.apache.commons.httpclient.HttpClient;
> > import org.apache.commons.httpclient.methods.GetMethod;
> > import org.apache.commons.httpclient.protocol.Protocol;
> > import org.apache.commons.ssl.HttpSecureProtocol;
> > import org.apache.commons.ssl.TrustMaterial;
> > import org.apache.commons.ssl.KeyMaterial;
> >
> > import org.apache.commons.httpclient.contrib.ssl.*;
> >
> > import javax.net.ssl.SSLHandshakeException;
> > import java.net.URL;
> >
> > public class SslClientExample {
> >
> >     /* argument 0: host
> >        1: port number */
> >     public static void main( String[] args )
> >         throws Exception
> >     {
> >         HttpSecureProtocol f =
> >             new EasySSLProtocolSocketFactory();
> >
> >         //HttpSecureProtocol f = new HttpSecureProtocol();
> >
> >         // here's where we start trusting server's CA:
> >         //f.addTrustMaterial(new TrustMaterial(
> >         //    "my_cacerts.jks",
> >         //    "changeit".toCharArray()));
> >         f.setKeyMaterial (new KeyMaterial("mycert.p12",
> >             "changeit".toCharArray()));
> >         Protocol trustHttps = new Protocol("https",
> >             f,
> >             Integer.parseInt(args[1]));
> >         Protocol.registerProtocol("https", trustHttps);
> >
> >         HttpClient client = new HttpClient();
> >         GetMethod httpget = new GetMethod(args[0]);
> >         client.executeMethod(httpget);
> >         String s = httpget.getStatusLine().toString();
> >         System.out.println( "HTTPClient: " + s );
> >         System.out.println(
> >             httpget.getResponseBodyAsString());
> >     }
> > }
> >
> >
> > --- Julius Davies <[EMAIL PROTECTED]> wrote:
> > >
=== message truncated ===
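The situation James describes (the first handshake carries only the server certificate; the CertificateRequest arrives in a second, renegotiated handshake once the GET hits the protected path) is easiest to diagnose below HttpClient, on a raw JSSE socket. The following class is an added example written for this thread; it is not code from the thread, from commons-ssl or from HttpClient. It loads the client key from a PKCS#12 file, registers a HandshakeCompletedListener so every handshake (including a renegotiation) is counted and reports whether a client certificate was sent, issues one GET, and after draining the response checks the session's local certificates. The host, port, path, keystore location and password are hypothetical placeholders.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.concurrent.atomic.AtomicInteger;
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Diagnostic client: connects with plain JSSE, issues one GET and reports
 * how many TLS handshakes ran and whether a client certificate was sent.
 * A server that protects only a path (not the whole port) sends its
 * CertificateRequest in a renegotiation after the GET, so the interesting
 * numbers only show up after the response has been read.
 */
public class ClientCertProbe {

    // Assumed values for this example; replace with your own server and key.
    private static final String HOST = "server.example";          // hypothetical
    private static final int PORT = 443;
    private static final String PATH = "/protected/";             // hypothetical
    private static final String KEYSTORE = "/path/to/client.p12"; // hypothetical
    private static final char[] PASSWORD = "changeit".toCharArray();

    public static void main(String[] args) throws Exception {
        // Client key material for the KeyManager. The server is verified
        // against the JVM's default trust anchors; no trust-all shortcut.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(KEYSTORE)) {
            ks.load(in, PASSWORD);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASSWORD);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null keystore = default trust anchors

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        SSLSocketFactory factory = ctx.getSocketFactory();

        final AtomicInteger handshakes = new AtomicInteger();
        try (SSLSocket sock = (SSLSocket) factory.createSocket(HOST, PORT)) {
            // Fires once per completed handshake, renegotiations included.
            sock.addHandshakeCompletedListener(new HandshakeCompletedListener() {
                public void handshakeCompleted(HandshakeCompletedEvent e) {
                    int n = handshakes.incrementAndGet();
                    Certificate[] local = e.getLocalCertificates();
                    System.out.println("handshake #" + n + " done, client cert sent: "
                            + (local != null && local.length > 0));
                }
            });
            sock.startHandshake(); // first handshake: server certificate only

            OutputStream out = sock.getOutputStream();
            out.write(("GET " + PATH + " HTTP/1.1\r\nHost: " + HOST
                    + "\r\nConnection: close\r\n\r\n").getBytes("US-ASCII"));
            out.flush();

            // Reading the response is what drives the renegotiation, if any.
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(sock.getInputStream(), "ISO-8859-1"));
            String statusLine = in.readLine();
            while (in.readLine() != null) { /* drain until the server closes */ }

            System.out.println("status: " + statusLine);
            System.out.println("handshakes seen: " + handshakes.get());
            Certificate[] local = sock.getSession().getLocalCertificates();
            if (local == null) {
                // Either the server never asked, or the KeyManager found no
                // key whose issuer matched the CA list in the CertificateRequest.
                System.out.println("client certs: null");
            } else {
                for (Certificate c : local) {
                    System.out.println("sent: " + ((X509Certificate) c).getSubjectX500Principal());
                }
            }
        }
    }
}
```

Reading the two numbers together separates the cases: one handshake and "client certs: null" means the server never requested a certificate for that path; two handshakes and "client certs: null" means it did ask but the KeyManager declined to offer anything, which is typically an issuer mismatch between the CertificateRequest's CA list and the key in the PKCS#12 file. Note that TLS 1.3 removed renegotiation, so against a TLS 1.3 endpoint a path-scoped CertificateRequest cannot occur this way and the listener will only ever report the initial handshake.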
