Hi, William,

The technique I showed in my previous email doesn't disable
server-side auth - it just ignores the server's certificate... or in
other words, trusts any certificate the server supplies.

The EasyX509TrustManager example in the "contrib" section of the
HttpClient SVN repository is a good low-level example of this
technique.  See how it implements its own X509TrustManager:

http://svn.apache.org/viewvc/jakarta/commons/proper/httpclient/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/EasyX509TrustManager.java

But this X509TrustManager is very trusting!  It trusts everything!

[simplified...  the real one does check expiry]
-------------------------
public void checkServerTrusted(X509Certificate[] certificates, String authType) {
    // do nothing - so all server certificates are trusted!
}
-------------------------

yours,

Julius
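An added example, not code from this thread, from HttpClient's contrib package or from not-yet-commons-ssl: the trust-all X509TrustManager discussed above beside one that delegates to the JDK's own PKIX validation, plus the client-certificate-with-explicit-truststore "hybrid" from Julius's earlier reply further down, built with plain JSSE. Class and method names are assumed for illustration; the keystore paths and passwords are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class ClientCertWithRealTrust {
    // The pattern shown in the thread: every server certificate is accepted,
    // so the server is never authenticated.
    static final class TrustAllManager implements X509TrustManager {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    // Hardened counterpart: hand validation to the JDK's PKIX trust manager,
    // built from an explicit truststore instead of accepting anything.
    static X509TrustManager pkixTrustManager(KeyStore truststore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore); // passing null here means $JAVA_HOME/jre/lib/security/cacerts
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // The "hybrid": present the client certificate (two-way SSL) AND verify the
    // server against the chosen truststore. Paths and passwords are placeholders.
    static SSLSocketFactory hybridSocketFactory(String keystorePath, char[] keyPwd,
                                                String truststorePath, char[] trustPwd)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(keystorePath)) { ks.load(in, keyPwd); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPwd);

        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(truststorePath)) { ts.load(in, trustPwd); }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), new TrustManager[] { pkixTrustManager(ts) }, null);
        return ctx.getSocketFactory();
    }
}
```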



On 3/10/07, William Cai <[EMAIL PROTECTED]> wrote:

You may know the link 
http://e-docs.bea.com/wls/docs81/secmanage/ssl.html#1166927. Since you choose 
two-way SSL, it doesn't make sense to disable server side authentication. I 
doubt if there is such an option available. Please correct me if I'm wrong.

Thanks,
William

-----Original Message-----
From: Lalit Sahoo [mailto:[EMAIL PROTECTED]
Sent: Friday, March 09, 2007 2:36 AM
To: HttpClient User Discussion
Subject: RE: Certificate Based Client Authentication

Hi Julius,

Thanks for the help!

Actually I am using Weblogic 8.1.

I have configured weblogic to use two-way SSL.

Do I need to do anything on server side to stop server authentication?

Regards,
Lalit

________________________________

From: Julius Davies [mailto:[EMAIL PROTECTED]
Sent: Thu 3/8/2007 9:58 PM
To: HttpClient User Discussion
Subject: Re: Certificate Based Client Authentication



Hi, Lalit,

If you really, really, really are sure that you don't want to
"authenticate" the server (not recommended!) you can use
TrustMaterial.TRUST_ALL with "not-yet-commons-ssl-0.3.7.jar" like so:

------------------------------------------------------
char[] pwd = "secret".toCharArray();
KeyMaterial km = new KeyMaterial( "/path/to/client_cert.p12", pwd );

HttpSecureProtocol sf = new HttpSecureProtocol();
sf.setKeyMaterial( km );

// Trust ANY server!  NOT RECOMMENDED!
sf.setTrustMaterial( TrustMaterial.TRUST_ALL );

ProtocolSocketFactory psf = sf;
Protocol specialHttps = new Protocol("https-special", psf, 443);
Protocol.registerProtocol("https-special", specialHttps);

// From this point on, HttpClient will use the client cert specified
// for all URL's of the form "https-special://".
------------------------------------------------------


To do this just using the "HttpClient" contrib code is not possible.
Giving "null" to the AuthSSLProtocolSocketFactory just tells it to use
$JAVA_HOME/jre/lib/security/cacerts as the "truststore":

new AuthSSLProtocolSocketFactory( keystore, key_pwd, null, null );


What you're trying to do is essentially a hybrid of
"EasySSLProtocolSocketFactory" (trusting any server), and
"AuthSSLProtocolSocketFactory" (providing a client certificate).

If you don't want to use not-yet-commons-ssl-0.3.7, you'll have to
code up the hybrid yourself using the "contrib" code to guide you.


yours,

Julius



On 3/8/07, Lalit Sahoo <[EMAIL PROTECTED]> wrote:
> Hi Julius,
>
> Thanks for the response!
>
> You have advised me to do in this way:
>
> URL keystore = new URL( "file:///path/to/keystore.jks" );
> URL truststore = new URL( "file:///path/to/truststore.jks" );
> String key_pwd = "secret";
> String trust_pwd = "changeit";
>
> AuthSSLProtocolSocketFactory sf;
> sf = new AuthSSLProtocolSocketFactory( keystore, key_pwd, truststore, trust_pwd );
>
>
> Suppose I don't want to authenticate server then I should use as below:
>
>
> AuthSSLProtocolSocketFactory sf;
> sf = new AuthSSLProtocolSocketFactory( keystore, key_pwd, null, null );
>
> But I am getting SSL handshake error.
>
> Could you please help?
>
> Regards,
> Lalit
>

--
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




--
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/
