Thanks very much. This makes sense and helps a lot.
- Bill
On Fri, Aug 15, 2008 at 2:23 PM, Oleg Kalnichevski <[EMAIL PROTECTED]> wrote:
> On Fri, 2008-08-15 at 12:21 -0400, Bill Higgins wrote:
> > Hi, I'm working in a development environment where our servers use
> > self-signed certificates. I want to use HttpClient 4 to connect to these
> > servers and basically ignore any security errors that come back. I was
> > hoping I could use org.apache.http.conn.ssl.SSLSocketFactory to do this by
> > using SSLSocketFactory's ALLOW_ALL_HOSTNAME_VERIFIER verifier, but it failed
> > with a javax.net.ssl.SSLPeerUnverifiedException with message "peer not
> > authenticated".
> >
> > A colleague suggested that I need to create my own implementation of
> > LayeredSocketFactory, e.g. "TrustingSSLSocketFactory", but I was hoping
> > there was a way to get SSLSocketFactory to work for me, if I could configure
> > it the right way.
>
> Bill,
>
> Please note that host name verification and SSL certificate trust are not
> the same thing. Host name verification is an additional safeguard one may
> want to execute in order to make sure the CN (common name) of the
> certificate matches that of the target host.
>
> If you want your application to trust some specific servers you should
> create a trust store containing certificates of those servers and
> initialize the SSLSocketFactory accordingly. If you want to trust _any_
> self-signed certificate (something we do not want to encourage) there is
> no way around creating a custom socket factory.
>
> Hope this helps.
>
> Oleg
>
>
> > Here is the code I am currently using. Please let me know
> > if there's something simple I can change to use SSLSocketFactory in my
> > development environment with servers with self-signed certs.
> >
> > PS - I'm using HttpCore 4.0 Beta 2 and HttpClient 4.0 Alpha 4.
> >
> > public class ProxyHandler implements HttpRequestHandler {
> >
> >     private final HttpClient httpClient;
> >     private final HttpHost target;
> >
> >     public ProxyHandler() {
> >         HttpParams params = new BasicHttpParams();
> >         HttpProtocolParams.setVersion(params, HttpVersion.HTTP_1_1);
> >         HttpProtocolParams.setContentCharset(params, "UTF-8");
> >         HttpProtocolParams.setUseExpectContinue(params, true);
> >
> >         SchemeRegistry schemeRegistry = new SchemeRegistry();
> >
> >         try {
> >             // null trust store: the factory falls back to the JVM's default
> >             // trust managers, which do not trust a self-signed server cert
> >             SSLSocketFactory socketFactory = new SSLSocketFactory(null);
> >             // relaxes only the host name (CN) check, not certificate trust
> >             socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
> >             schemeRegistry.register(new Scheme("https", socketFactory, 9443));
> >         } catch (Exception e) {
> >             throw new RuntimeException(e);
> >         }
> >
> >         ClientConnectionManager ccm = new ThreadSafeClientConnManager(params, schemeRegistry);
> >         httpClient = new DefaultHttpClient(ccm, params);
> >
> >         target = new HttpHost("localhost", 9443, "https");
> >     }
> >
> >     public void handle(HttpRequest request, HttpResponse response,
> >             HttpContext context) throws HttpException, IOException {
> >
> >         HttpRequest proxyRequest = new BasicHttpRequest("GET", "/my/resource", HttpVersion.HTTP_1_1);
> >
> >         HttpEntity proxyEntity = null;
> >         try {
> >             HttpResponse proxyResponse = httpClient.execute(target, proxyRequest);
> >             proxyEntity = proxyResponse.getEntity();
> >             if (proxyEntity != null) {
> >                 // buffer the upstream body so it is still readable after
> >                 // consumeContent() below, and attach it to the outgoing response
> >                 BasicHttpEntity outEntity = new BasicHttpEntity();
> >                 outEntity.setContent(new ByteArrayInputStream(EntityUtils.toByteArray(proxyEntity)));
> >                 response.setEntity(outEntity);
> >             }
> >         } finally {
> >             if (proxyEntity != null) {
> >                 proxyEntity.consumeContent();
> >             }
> >         }
> >     }
> > }
--
- Bill
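
Added example (not from the thread above, and not HttpClient's own code): one way to do what Oleg describes, trusting exactly the dev server's self-signed certificate rather than any self-signed certificate. Assumptions made here and not in the thread: the server certificate has been saved as a PEM file named dev-server.crt, the server listens on 9443 as in the ProxyHandler code, and the imports follow the HttpClient 4.0 package layout (the alpha 4 packages may differ slightly).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

import org.apache.http.client.HttpClient;
import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
import org.apache.http.params.BasicHttpParams;
import org.apache.http.params.HttpParams;

/**
 * Builds an HttpClient that trusts one specific self-signed development
 * certificate, instead of disabling certificate checks altogether.
 * Example code; "dev-server.crt" and the alias "dev-server" are assumed names.
 */
public final class PinnedDevClient {

    private PinnedDevClient() {
    }

    /**
     * Reads a single X.509 certificate (PEM or DER) from certPath and puts it
     * into a fresh in-memory trust store. load(null, null) creates an EMPTY
     * store, so the JVM's default CA bundle is not consulted at all: only the
     * certificate added here will be trusted.
     */
    public static KeyStore trustStoreFor(String certPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate serverCert;
        InputStream in = new FileInputStream(certPath);
        try {
            serverCert = cf.generateCertificate(in);
        } finally {
            in.close();
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("dev-server", serverCert);
        return trustStore;
    }

    /**
     * Wires the trust store into SSLSocketFactory(KeyStore) and registers the
     * https scheme on the given port, as the ProxyHandler does with null.
     * The hostname verifier is left at the factory default, so the
     * certificate's name still has to match the host being connected to; if
     * the dev cert was issued to a different name, fix the name in the URL or
     * in the cert rather than switching to ALLOW_ALL_HOSTNAME_VERIFIER.
     */
    public static HttpClient newClient(KeyStore trustStore, int httpsPort) {
        SSLSocketFactory socketFactory;
        try {
            socketFactory = new SSLSocketFactory(trustStore);
        } catch (Exception e) {
            throw new RuntimeException("cannot initialise SSL socket factory", e);
        }

        SchemeRegistry schemeRegistry = new SchemeRegistry();
        schemeRegistry.register(new Scheme("https", socketFactory, httpsPort));

        HttpParams params = new BasicHttpParams();
        ClientConnectionManager ccm = new ThreadSafeClientConnManager(params, schemeRegistry);
        return new DefaultHttpClient(ccm, params);
    }

    public static void main(String[] args) throws Exception {
        KeyStore trustStore = trustStoreFor("dev-server.crt");
        HttpClient client = newClient(trustStore, 9443);
        // use client exactly as httpClient is used in ProxyHandler.handle()
    }
}
```

The certificate file can be captured from the running dev server with `openssl s_client -connect localhost:9443 </dev/null | openssl x509 -outform PEM > dev-server.crt`, or exported from the server's keystore with `keytool -exportcert -rfc`. Because the trust store holds only that one certificate, a connection to any other server, or to the same server after its certificate is regenerated, fails the handshake; that is the intended difference from a trust-everything socket factory.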