I'm using HttpClient 3.1.

It appears that the use of an instance of AuthSSLProtocolSocketFactory in our 
code (when setting a Host for an HttpClient instance) results in a choice of 
SSLContext that does not use a handshake compatible with a server requiring 
SSLv3 or TLSv1 or above. Apparently, the handshake is extended as SSLv2. I see 
from the AuthSSLProtocolSocketFactory code that in the createSSLContext method, 
SSLContext is hard-coded as "SSL".

I've seen some email threads in this httpclient-users list that seem to 
suggest that we should be using a custom SocketFactory.

I'm hoping to get some guidance... Currently I've simply copied the 
AuthSSLProtocolSocketFactory class, given it a new name and changed code so 
that a String value can be passed in as a parameter to the constructor that will 
designate an Algorithm Name other than the one, "SSL", that is hard-coded in 
AuthSSLProtocolSocketFactory's private createSSLContext method. I don't see 
with any confidence a better way to handle this. (Actually not quite sure this 
does the trick because we haven't got a test platform set up yet that demands 
SSLv3 or TLSv1 or above).

One post from back in 2008 suggested overriding the createSocket method 
instead, but it only mentions overriding one of the 4 public createSocket 
methods, and I'm not sure whether that's sufficient or the writer just 
omitted mentioning how to override the other 3 methods.

Anyone have advice, or some good examples of code that addresses this issue?

Here is a snippet/sample of how the HttpClient is being configured in our code 
(try/catch blocks omitted for brevity):

************** SNIP *********************
import java.net.URL;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.contrib.ssl.AuthSSLProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.Protocol;

HttpClient client = new HttpClient();
URL url = new URL(transportData.getHost() + "/" + transportData.getServicePath());

// Key store (client identity) and trust store (accepted server certificates)
// are both loaded from files named in transportData.
AuthSSLProtocolSocketFactory factory =
        new AuthSSLProtocolSocketFactory(new URL("file:" + transportData.getKeyStoreFile()),
                                         transportData.getKeyStorePassword(),
                                         transportData.getKeyStoreType(),
                                         new URL("file:" + transportData.getTrustStoreFile()),
                                         transportData.getTrustStorePassword(),
                                         transportData.getTrustStoreType());

// Register the factory as the "https" protocol for this host configuration.
Protocol authhttps = new Protocol("https", factory, 443);
client.getHostConfiguration().setHost(url.getHost(),
        (url.getPort() > 0 ? url.getPort() : url.getDefaultPort()), authhttps);
*******************************************

This code has been working just fine, but the servers that we target will no 
longer be accepting less than SSLv3; this code seems to result in an instance 
of HttpClient that extends SSLv2 handshakes, which will no longer be accepted.

Again, thanks in advance for any advice or suggestions or code samples.
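An added example, not code from the original post or from the HttpClient project, showing the custom-factory approach the post discusses: a SecureProtocolSocketFactory for HttpClient 3.1 that takes an SSLContext the caller built with SSLContext.getInstance("TLS") and the existing key/trust managers, overrides all four createSocket methods, and restricts every socket it hands out to the named protocols so the SSLv2-format hello is never sent. The class name, constructor parameters and protocol list are assumptions.

```java
import java.io.IOException;
import java.net.*;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import org.apache.commons.httpclient.ConnectTimeoutException;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

// Hypothetical class: wraps a caller-supplied SSLContext (built with "TLS" and the
// existing key/trust managers) and pins each socket to the given protocol names,
// e.g. {"TLSv1"}. Leaving "SSLv2Hello" out of that list stops the SSLv2-style hello.
public class TlsOnlySocketFactory implements SecureProtocolSocketFactory {
    private final SSLContext context;
    private final String[] enabledProtocols;

    public TlsOnlySocketFactory(SSLContext context, String[] enabledProtocols) {
        this.context = context;
        this.enabledProtocols = enabledProtocols;
    }
    // Applied to every socket, so all four createSocket variants behave the same.
    private Socket restrict(SSLSocket socket) {
        socket.setEnabledProtocols(enabledProtocols);
        return socket;
    }
    public Socket createSocket(String host, int port) throws IOException {
        return restrict((SSLSocket) context.getSocketFactory().createSocket(host, port));
    }

    public Socket createSocket(String host, int port, InetAddress clientHost, int clientPort)
            throws IOException {
        return restrict((SSLSocket) context.getSocketFactory()
                .createSocket(host, port, clientHost, clientPort));
    }

    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort,
            HttpConnectionParams params) throws IOException, ConnectTimeoutException {
        // Same bind/connect sequence HttpClient 3.1's own factories use; timeout 0 = none.
        SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket();
        socket.bind(new InetSocketAddress(localAddress, localPort));
        socket.connect(new InetSocketAddress(host, port), params.getConnectionTimeout());
        return restrict(socket);
    }

    public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
            throws IOException {
        return restrict((SSLSocket) context.getSocketFactory()
                .createSocket(socket, host, port, autoClose));
    }
}
```

Register it with `new Protocol("https", factory, 443)` exactly as in the snippet above. The protocol names passed in must be ones the JRE in use supports; `SSLSocket.getSupportedProtocols()` on any socket from the context lists them.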
