Here's the fast answer:

import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory;

// Register the "trust everything" factory as the DEFAULT https handler,
// so it applies to absolute URLs as well as relative ones.
Protocol myhttps = new Protocol("https", new EasySSLProtocolSocketFactory(), 443);
Protocol.registerProtocol("https", myhttps);


I'm cutting & pasting an email I wrote 2 days ago to httpclient-user.

You have several options:

1.  Import self-signed cert into Java's "cacerts" file.
-------------------------------------------------------------------------
You can use "openssl s_client" or "not-yet-commons-ssl.jar Ping" to
download the self-signed certificate.  Cut & paste the Base64 PEM text
into a separate file (be sure to include the ----BEGIN----- and
-----END-----).  Try and import it into Java's "cacerts" file.  It's
usually found here:

$JAVA_HOME/jre/lib/security/cacerts

Here's the command to import a Base64 PEM certificate into that file:

cd $JAVA_HOME/jre/lib/security
$JAVA_HOME/bin/keytool -import -file [file.pem] -keystore cacerts

The password is usually "changeit" (unless you changed it?  ROTFL).

Personally, I don't really recommend this approach.  But it's good to
know about.  If you ever upgrade your JVM or switch to JRockit or IBM,
you're going to have to do this all over again.


2.  Use EasySSLProtocolSocketFactory
-------------------------------------------------------------------------
http://jakarta.apache.org/commons/httpclient/sslguide.html

This is a great approach for a dev environment, but it's usually not
appropriate for a production environment.


3.  Use AuthSSLProtocolSocketFactory
-------------------------------------------------------------------------
Set the client JKS to null.  Set the trust JKS to a brand new JKS you
created only containing the server's self-signed certificate.


4.  You can also try the ALPHA "not-yet-commons-ssl.jar"
-------------------------------------------------------------------------
I think this is an interesting approach:

http://juliusdavies.ca/commons-ssl/TrustExample.java.html

It's kind of a hybrid approach of #1 and #2.  Essentially equivalent
to #3, but without the hassle of creating a JKS file.  (Java Keystore
File).

-------------------------------------------------------------------------

Security note:  downloading the certificate directly from the SSL
handshake using "openssl s_client" or "not-yet-commons-ssl.jar" is not
safe.  In a dev environment it's okay.  But in a production
environment it leaves you susceptible to the oft-cited
man-in-the-middle.  It's safer than EasySSLProtocolSocketFactory
because you only download the certificate one time, whereas
EasySSLProtocolSocketFactory is always vulnerable, with every socket
created.  But nonetheless you should try to acquire the self-signed
certificate through a different medium, maybe email (with
encryption?), fax, telephone, letter mail, usb-drive, etc.  Or if the
self-signed cert is hosted on a properly signed "https" site, that's
also okay (e.g. https://trustedsite.com/path/to/self-signed.pem).


On 12/6/06, Arunkumar Dubagunta <[EMAIL PROTECTED]> wrote:

I need to make a call to an external URLs and post the data.

Anybody has a solution for this.

Any inputs will be greatly helpful. Thanks in advance.

Thanks,
Arun Kumar Dubagunta


> -----Original Message-----
> From: Roland Weber [SMTP:[EMAIL PROTECTED]
> Sent: Wednesday, December 06, 2006 1:48 AM
> To:   HttpClient User Discussion
> Subject:      Re: how to treat the unknown certificate as trusted one
>
> Hello,
>
> >    Protocol myhttps = new Protocol("https",new
> > EasySSLProtocolSocketFactory(), 443);
> >    httpClient.getHostConfiguration().setHost("xxx.xxx.com", 443,
> myhttps);
> >    int responseCode = httpClient.executeMethod(postMethod);
>
> This will only work if you are using _relative_ URLs like
> "/" or "/index.html". Register your protocol as the default
> handler for https, as described in the SSL guide.
>
> hope that helps,
>   Roland
>

--
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/
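Option #3 above, written out as an added example (not code from the post or from the HttpClient project): AuthSSLProtocolSocketFactory from commons-httpclient's contrib package with a null client keystore and a trust store holding only the server's self-signed certificate, registered as the default "https" handler as Roland recommends. The JKS path, its password and the host name are assumptions.

```java
import java.io.File;
import java.net.URL;

import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.contrib.ssl.AuthSSLProtocolSocketFactory;

public class SelfSignedTrustStoreExample {

    public static void main(String[] args) throws Exception {
        // Assumed trust store, created beforehand from a PEM obtained
        // out-of-band (not scraped from the live handshake), e.g.:
        //   keytool -import -alias myserver -file server.pem -keystore my-truststore.jks
        // It contains ONLY the server's self-signed certificate, so no
        // other CA (and no other host) is trusted by this client.
        URL trustStoreUrl = new File("my-truststore.jks").toURI().toURL();

        // Client keystore is null: no client-certificate authentication.
        // Password "changeit" is the assumed trust store password.
        ProtocolSocketFactory factory =
            new AuthSSLProtocolSocketFactory(null, null, trustStoreUrl, "changeit");

        // Register as the DEFAULT https handler so absolute URLs are covered;
        // per-host registration via setHost() only applies to relative URLs.
        Protocol.registerProtocol("https", new Protocol("https", factory, 443));

        HttpClient client = new HttpClient();
        GetMethod get = new GetMethod("https://selfsigned.example.invalid/");
        try {
            // A host presenting any certificate other than the pinned one
            // fails the handshake here instead of being silently accepted.
            int status = client.executeMethod(get);
            System.out.println("HTTP status: " + status);
        } finally {
            get.releaseConnection();
        }
    }
}
```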