Julius:
I will try this on Thursday next week and I will post
the results for you.
Thank you very much for your help and hopefully it
will work,
JT
--- Julius Davies <[EMAIL PROTECTED]> wrote:
> Hi, James,
>
> Did you try the test below, where I analyzed the
> socket after the GET
> request had gone through?
>
> final SSLSocket[] socket = new SSLSocket[ 1 ];
>
> Inside the "SSLWrapperFactory" anonymous inner
> class, add this:
>
> socket[ 0 ] = s;
>
> After the GET response has come back through
> httpclient, take a look at
> the client certs yet again:
>
> // getLocalCertificates() is the chain this side sent in the handshake;
> // null means no client cert went out on this socket.
> Certificate[] certs = socket[ 0 ].getSession().getLocalCertificates();
> if ( certs != null )
> {
>     System.out.println( "client certs:" );
>     for ( int i = 0; i < certs.length; i++ )
>     {
>         X509Certificate c = (X509Certificate) certs[ i ];
>         System.out.println( Certificates.toString( c ) );
>     }
> }
> else
> {
>     System.out.println( "client certs: null" );
> }
>
> For me that was showing that in the end httpclient
> did send the client
> cert, but perhaps it just didn't send it in time for
> the first request?
>
> With that in mind I have one idea:
>
> 1. Use a "MultiThreadedHttpConnectionManager"
> configured to only pool a
> single connection, and try that initial GET request
> against the
> "LOCKDOWN" path twice. That way hopefully the
> socket will be
> authenticated in time for the 2nd request.
>
> (Be sure to read off the full reply of the first
> request before sending
> the second one).
>
> MultiThreadedHttpConnectionManager connectionManager = new MultiThreadedHttpConnectionManager();
> HttpConnectionManagerParams params = connectionManager.getParams();
> params.setDefaultMaxConnectionsPerHost( 1 );
> params.setMaxTotalConnections( 1 );
> HttpClient client = new HttpClient( connectionManager );
>
> So do the GET or POST request you had in mind a
> first time to try and
> get the ssl handshake to happen. Then do your real
> GET or POST
> afterwards. (Or maybe just start off with a HEAD
> request the first
> time.)
>
> Since the ConnectionManager is only holding a single
> socket, hopefully
> that socket will stay in use (and not get shutdown),
> and become a
> special "authenticated" socket!
>
> yours,
>
> Julius
>
>
>
> On Fri, 2006-06-10 at 20:20 -0700, James Vu wrote:
> > Julius:
> >
> > Thanks so much for your time. The server that I am
> > connected to is "Netscape CMS 4.5" so I could not find
> > where to configure the WANT vs the NEED flag.
> >
> > So from what you are saying, there is not much else
> > I can do with HttpClient and commons-ssl? I know that
> > openssl worked since I have tested manually with that;
> > should I look at PureTLS (which is a Java wrapper for
> > openssl)?
> >
> > What is your advice? Where do I go from here?
> >
> > thanks again,
> > JT
> >
> > --- Julius Davies <[EMAIL PROTECTED]> wrote:
> >
> > > ps. If you can get your server to set itself into
> > > WANT-CLIENT-AUTH mode from the very beginning, things
> > > might work better. WANT-CLIENT-AUTH mode still allows
> > > sockets that don't have client certificates to be
> > > established.
> > >
> > > Only NEED-CLIENT-AUTH mode disallows socket creation
> > > in those cases.
> > >
> > > So if your server was set up with WANT-CLIENT-AUTH
> > > mode right from the beginning, httpclient would be
> > > able to send the client cert on all requests, and not
> > > have to worry about this situation where a client cert
> > > is asked for right in the middle of a request (after
> > > the GET or POST line has been sent!).
> > >
> > > But I would still like to see what it takes to get
> > > commons-ssl and httpclient to work flawlessly with the
> > > scenario you've identified.
> > >
> > >
> > > yours,
> > >
> > > Julius
> > >
> > >
> > > On Fri, 2006-06-10 at 13:09 -0700, Julius Davies
> > > wrote:
> > > > Hi, James,
> > > >
> > > > Wow! A person can call the following in the
> > > > middle of a TCP/IP session:
> > > >
> > > > // This happens in the server:
> > > > // SSLSocket "s" came from a serverSocket.accept() call.
> > > > s.setNeedClientAuth( true );
> > > > s.getSession().invalidate();
> > > > s.startHandshake();
> > > >
> > > > I didn't know that.
> > > >
> > > > But commons-ssl didn't seem to mind at all. I
> > > > just needed to alter the test code a little to
> > > > see that it worked. Add this at the top:
> > > >
> > > > final SSLSocket[] socket = new SSLSocket[ 1 ];
> > > >
> > > > Inside the "SSLWrapperFactory" anonymous inner
> > > > class, add this:
> > > >
> > > > socket[ 0 ] = s;
> > > >
> > > > After everything is done, take a look at the
> > > > client certs yet again:
> > > >
> > > > Certificate[] certs = socket[ 0 ].getSession().getLocalCertificates();
> > > > if ( certs != null )
> > > > {
> > > >     System.out.println( "client certs:" );
> > > >     for ( int i = 0; i < certs.length; i++ )
> > > >     {
> > > >         X509Certificate c = (X509Certificate) certs[ i ];
> > > >         System.out.println( Certificates.toString( c ) );
> > > >     }
> > > > }
> > > > else
> > > > {
> > > >     System.out.println( "client certs: null" );
> > > > }
> > > >
> > > >
> > > > yours,
> > > >
>
=== message truncated ===
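Julius's single-connection warm-up idea, written out as an added example (not code from the thread or from commons-ssl/HttpClient). It assumes the HttpClient 3.x API, uses the default JSSE SSLSocketFactory (client key from the javax.net.ssl.keyStore system properties) in place of commons-ssl's SSLWrapperFactory, and the CapturingFactory class and the LOCKDOWN URL are placeholders:

```java
import java.io.IOException;
import java.net.*;
import java.security.cert.Certificate;
import javax.net.ssl.*;
import org.apache.commons.httpclient.*;
import org.apache.commons.httpclient.methods.*;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.*;
public class WarmUpClientAuth {
    // Hypothetical factory: wraps the default JSSE SSLSocketFactory and remembers the
    // last SSLSocket given to HttpClient so its session can be inspected after each request.
    static class CapturingFactory implements SecureProtocolSocketFactory {
        final SSLSocketFactory jsse = (SSLSocketFactory) SSLSocketFactory.getDefault();
        volatile SSLSocket last;
        private Socket keep(Socket s) { last = (SSLSocket) s; return s; }
        public Socket createSocket(Socket s, String h, int p, boolean autoClose) throws IOException {
            return keep(jsse.createSocket(s, h, p, autoClose));
        }
        public Socket createSocket(String h, int p, InetAddress la, int lp) throws IOException {
            return keep(jsse.createSocket(h, p, la, lp));
        }
        public Socket createSocket(String h, int p, InetAddress la, int lp, HttpConnectionParams c)
                throws IOException { return createSocket(h, p, la, lp); }
        public Socket createSocket(String h, int p) throws IOException { return keep(jsse.createSocket(h, p)); }
    }
    // getLocalCertificates() is the chain this client sent; null means no client cert went out.
    static String localCertSummary(SSLSocket s) {
        Certificate[] certs = (s == null) ? null : s.getSession().getLocalCertificates();
        return (certs == null) ? "client certs: null" : "client certs: " + certs.length;
    }
    // One request: drain the reply fully so the pooled socket is reusable, then report.
    static void run(HttpClient client, HttpMethod m, CapturingFactory f) throws IOException {
        try {
            int status = client.executeMethod(m);
            m.getResponseBodyAsString();
            System.out.println(m.getName() + " -> " + status + ", " + localCertSummary(f.last));
        } finally { m.releaseConnection(); }
    }
    public static void main(String[] args) throws IOException {
        String url = args.length > 0 ? args[0] : "https://example.invalid/LOCKDOWN"; // placeholder
        CapturingFactory factory = new CapturingFactory();
        Protocol.registerProtocol("https", new Protocol("https", (ProtocolSocketFactory) factory, 443));
        MultiThreadedHttpConnectionManager cm = new MultiThreadedHttpConnectionManager();
        cm.getParams().setDefaultMaxConnectionsPerHost(1); // a single pooled socket...
        cm.getParams().setMaxTotalConnections(1);          // ...shared by both requests
        HttpClient client = new HttpClient(cm);
        run(client, new HeadMethod(url), factory); // warm-up: server renegotiation completes here
        run(client, new GetMethod(url), factory);  // real request on the now-authenticated socket
    }
}
```

If the second line printed still says "client certs: null", the server closed the connection after the first reply or the pooled socket was not reused, so the real request ran on a fresh, unauthenticated handshake.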