Yep, I just verified that our server is using a self-signed cert. The "Issued by" contains the server name. :-)

So, I will use EasySSL in test mode, and not use it in production mode.

Just to verify, when I hit Production, which has a Verisign cert, I shouldn't have this issue, correct?

It would be very helpful to have a dialog like the browsers do that presents the certificate when there is a problem, and let you choose whether to allow it permanently, temporarily, or disallow it. Presumably, this would just require the location of a keystore to use/create, and the user/pass for it. Of course, then you would need to store the user/pass somewhere, encrypted.

From: "Julius Davies" <[EMAIL PROTECTED]>
Reply-To: "HttpClient User Discussion" <[email protected]>
To: "HttpClient User Discussion" <[email protected]>
Subject: Re: Certificateless SSL
Date: Fri, 1 Dec 2006 16:06:35 -0500

Hi, Jake,

Roland is right.  Your reference to "Client Certificate" sent me on a
journey.  :-)

Thanks for running the not-yet-common-ssl "Ping" test!  Sorry to make
you edit out so much information from the cut & paste.

Anyway, you're exactly right.  Your issue is that HttpClient is not
trusting that self-signed certificate.  java.net.URL wouldn't trust
it, either.  You have several options:

1.  Import self-signed cert into Java's "cacerts" file.
-------------------------------------------------------------------------
You can use "openssl s_client" or "not-yet-commons-ssl.jar Ping" to
download the self-signed certificate.  Cut & paste the Base64 PEM text
into a separate file (be sure to include the ----BEGIN----- and
-----END-----).  Try to import it into Java's "cacerts" file.  It's
usually found here:

$JAVA_HOME/jre/lib/security/cacerts

Here's the command to import a Base64 PEM certificate into that file:

cd $JAVA_HOME/jre/lib/security
$JAVA_HOME/bin/keytool -import -file [file.pem] -keystore cacerts

The password is usually "changeit" (unless you changed it?  ROTFL).

Personally, I don't really recommend this approach.  But it's good to
know about.  If you ever upgrade your JVM or switch to JRockit or IBM,
you're going to have to do this all over again.


2.  Use EasySSLProtocolSocketFactory
-------------------------------------------------------------------------
http://jakarta.apache.org/commons/httpclient/sslguide.html

This is a great approach for a dev environment, but it's usually not
appropriate for a production environment.


3.  Use AuthSSLProtocolSocketFactory
-------------------------------------------------------------------------
Set the client JKS to null.  Set the trust JKS to a brand new JKS you
created only containing the server's self-signed certificate.


4.  You can also try the ALPHA "not-yet-commons-ssl.jar"
-------------------------------------------------------------------------
I think this is an interesting approach:

http://juliusdavies.ca/commons-ssl/TrustExample.java.html

It's kind of a hybrid approach of #1 and #2.  Essentially equivalent
to #3, but without the hassle of creating a JKS (Java Keystore) file.

-------------------------------------------------------------------------

Security note:  downloading the certificate directly from the SSL
handshake using "openssl s_client" or "not-yet-commons-ssl.jar" is not
safe.  In a dev environment it's okay.  But in a production
environment it leaves you susceptible to the oft-cited
man-in-the-middle.  It's safer than EasySSLProtocolSocketFactory
because you only download the certificate one time, whereas
EasySSLProtocolSocketFactory is always vulnerable, with every socket
created.  But nonetheless you should try to acquire the self-signed
certificate through a different medium, maybe email (with
encryption?), fax, telephone, letter mail, usb-drive, etc.  Or if the
self-signed cert is hosted on a properly signed "https" site, that's
also okay (e.g. https://trustedsite.com/path/to/self-signed.pem).

yours,

Julius

<SNIP>

--
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
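Added example (not code from the thread, from HttpClient, or from not-yet-commons-ssl): option 3 above, with the check the security note asks for. The program reads the PEM certificate you pasted from "openssl s_client", refuses it unless its SHA-256 fingerprint matches a value obtained out-of-band, writes a brand-new JKS holding only that certificate, and registers AuthSSLProtocolSocketFactory with a null client keystore and that file as the trust store. Assumptions: AuthSSLProtocolSocketFactory is compiled from the HttpClient 3.x contrib source (it is not in the core jar); the file names server.pem and server-trust.jks, the password, the EXPECTED_SHA256 placeholder and the https://localhost/ test URL are all illustrative.

```java
// Added example: pin an HttpClient 3.x client to one self-signed server cert
// (option 3 in the thread) after an out-of-band fingerprint check.
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.contrib.ssl.AuthSSLProtocolSocketFactory; // ASSUMED: contrib source on the classpath
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;

public class PinnedSelfSignedClient {

    // ASSUMED: PEM file holding the cert cut & pasted from "openssl s_client".
    private static final String SERVER_PEM = "server.pem";
    // ASSUMED: trust store this program creates; it will contain only that cert.
    private static final String TRUST_JKS = "server-trust.jks";
    private static final String TRUST_PASS = "changeit";
    // PLACEHOLDER: SHA-256 fingerprint obtained through a different medium
    // (phone, fax, a properly signed https page, ...), lowercase hex, no colons.
    private static final String EXPECTED_SHA256 = "replace-with-out-of-band-fingerprint";

    // Hex SHA-256 over the DER encoding, the same value "openssl x509 -fingerprint -sha256" prints.
    static String sha256Hex(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            sb.append(String.format("%02x", digest[i] & 0xff));
        }
        return sb.toString();
    }

    static X509Certificate loadPem(String path) throws Exception {
        InputStream in = new FileInputStream(path);
        try {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } finally {
            in.close();
        }
    }

    // Writes a JKS containing exactly one trusted cert. Refuses unless the
    // fingerprint matches, so a man-in-the-middle during the s_client download
    // cannot get its own certificate into the trust store.
    static void writeTrustStore(X509Certificate cert, String path, String password) throws Exception {
        String actual = sha256Hex(cert);
        if (!actual.equalsIgnoreCase(EXPECTED_SHA256)) {
            throw new SecurityException("certificate fingerprint mismatch, got " + actual);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                      // brand-new, empty store
        ks.setCertificateEntry("server", cert);   // the only entry
        OutputStream out = new FileOutputStream(path);
        try {
            ks.store(out, password.toCharArray());
        } finally {
            out.close();
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = loadPem(SERVER_PEM);
        writeTrustStore(cert, TRUST_JKS, TRUST_PASS);

        // Option 3: client keystore null (no client cert), trust store = only the server cert.
        ProtocolSocketFactory factory = new AuthSSLProtocolSocketFactory(
                null, null, new URL("file:" + TRUST_JKS), TRUST_PASS);
        Protocol.registerProtocol("https", new Protocol("https", factory, 443));

        HttpClient client = new HttpClient();
        GetMethod get = new GetMethod("https://localhost/"); // ASSUMED test URL
        try {
            int status = client.executeMethod(get);
            System.out.println("HTTP " + status);
        } finally {
            get.releaseConnection();
        }
    }
}
```

To get the value for EXPECTED_SHA256, run "openssl x509 -in server.pem -noout -fingerprint -sha256" (or "keytool -printcert -file server.pem") on the copy you received out-of-band, not on the one pulled from the handshake. Because the trust store holds only this certificate, the connection fails closed if the server later switches certificates or if the Verisign-signed production host is hit with the same factory registered; register it only for the environment whose certificate is in the store.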




