Hi Oleg,
Thanks for your reply. I started digging through the Apache async client
code and have come up with a way to access the server certificate immediately
after the SSL handshake in the verify method of SSLSetupHandler. To achieve
this, I created my own MySSLLayeringStrategy class that
extends SSLLayeringStrategy as shown below:
********************************************************
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import org.apache.http.nio.conn.ssl.SSLLayeringStrategy;
import org.apache.http.nio.reactor.IOSession;
import org.apache.http.nio.reactor.ssl.SSLIOSession;
import org.apache.http.nio.reactor.ssl.SSLMode;
import org.apache.http.nio.reactor.ssl.SSLSetupHandler;

class MySSLLayeringStrategy extends SSLLayeringStrategy {
    private final SSLContext sslContext;

    public MySSLLayeringStrategy(SSLContext context) {
        super(context);
        this.sslContext = context;
    }

    @Override
    protected void initializeEngine(final SSLEngine engine) {
        super.initializeEngine(engine);
    }

    @Override
    protected void verifySession(final IOSession iosession,
            final SSLSession sslsession) throws SSLException {
        super.verifySession(iosession, sslsession);
    }

    // Same as the base implementation, but installs our own setup handler
    @Override
    public SSLIOSession layer(final IOSession iosession) {
        SSLIOSession ssliosession = new SSLIOSession(iosession,
                SSLMode.CLIENT, this.sslContext,
                new MySSLSetupHandler());
        iosession.setAttribute(SSLIOSession.SESSION_KEY, ssliosession);
        return ssliosession;
    }

    class MySSLSetupHandler implements SSLSetupHandler {
        // Method name spelled as declared by the SSLSetupHandler interface
        public void initalize(final SSLEngine sslengine) throws SSLException {
            initializeEngine(sslengine);
        }

        public void verify(final IOSession iosession,
                final SSLSession sslsession) throws SSLException {
            verifySession(iosession, sslsession);
            // Now that basic hostname verification is done, perform
            // extra authorization based on the peer DN.
            // authorizedPeer() is the application's own check (not shown here).
            String peerDN = sslsession.getPeerPrincipal().getName();
            if (!authorizedPeer(peerDN)) {
                throw new RuntimeException("Authorization failed");
            }
        }
    }
}
********************************************************
Now, I am using MySSLLayeringStrategy to create an AsyncScheme:
********************************************************
AsyncScheme scheme = new AsyncScheme("https", 443,
        new MySSLLayeringStrategy(sslContext));
********************************************************
This seems to be doing the job, but the exception thrown in the verify
method causes the DefaultHttpAsyncClient instance to close abnormally, as I
can see from the exception thrown:
********************************************************
May 30, 2013 2:30:18 PM
org.apache.http.impl.nio.client.InternalIOReactorExceptionHandler handle
SEVERE: Fatal runtime error
java.lang.RuntimeException: Authorization failed
....
....
May 30, 2013 2:30:18 PM
org.apache.http.impl.nio.client.AbstractHttpAsyncClient doExecute
SEVERE: I/O reactor terminated abnormally
org.apache.http.nio.reactor.IOReactorException: I/O dispatch worker
terminated abnormally
at
org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor.execute(AbstractMultiworkerIOReactor.java:382)
at
org.apache.http.impl.nio.conn.PoolingClientAsyncConnectionManager.execute(PoolingClientAsyncConnectionManager.java:108)
....
....
Caused by: java.lang.RuntimeException: Authorization failed
....
....
********************************************************
Is my approach for accessing the server certificate safe? If so, what is the
safe way of throwing an exception from the verify method?
Thanks
Sachin
On Wed, May 15, 2013 at 9:21 AM, Oleg Kalnichevski <[email protected]> wrote:
> On Mon, 2013-05-13 at 22:10 -0400, Sachin Nikumbh wrote:
> > Hi Oleg,
> >
> > Thanks a lot for the response. I have one more question.
> >
> > In my client application, I need to provide extra authorization based on
> > the common name in the server certificate. I want to allow the
> > request-response exchange (I am sending a POST request) only after the
> > server passes this extra authorization step.
> >
> > Is using BasicAsyncResponseConsumer going to be too late for me to access
> > the server certificate?
> >
> > I want the behavior similar to the following sample code based
> > on HttpsURLConnection:
> >
> >
> ************************************************************************************************************
> > HttpsURLConnection urlConnection =
> > (HttpsURLConnection)madsUrl.openConnection();
> > urlConnection.setRequestMethod("POST");
> > ...
> > ...
> > urlConnection.connect(); //Establish connection for initial SSL handshake
> > String peerDN = urlConnection.getPeerPrincipal().getName();
> > if( isAuthorizedPeer(peerDN) ){
> > // Now it's safe to write request data
> > OutputStream oStream = urlConnection.getOutputStream();
> > ...
> > ...
> > }
> >
> ************************************************************************************************************
> >
> > Thanks once again
> > Sachin
> >
> >
>
> Hi Sachin
>
> There is currently no easy way of obtaining the SSL session details
> prior to issuing a request. Feel free to raise an improvement request in
> JIRA for this problem.
>
> Oleg
>
>
>
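As an added illustration of the second question (not code from the thread or from HttpAsyncClient itself): the verify callback is reached from the handshake path, whose methods already declare SSLException, so an authorization failure signalled with SSLPeerUnverifiedException (a subclass of SSLException, hence an IOException) is handled as an I/O error on that one connection, whereas the RuntimeException in the post escapes to the reactor's exception handler, which is the "Fatal runtime error" in the log. The class below overrides only verifySession and relies on the base class's own setup handler calling it, as the post's copy of layer() does; the class name and the allow list of CNs are assumptions.

```java
import java.security.Principal;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import org.apache.http.nio.conn.ssl.SSLLayeringStrategy;
import org.apache.http.nio.reactor.IOSession;

/** Layering strategy that allows only peers whose certificate CN is on an allow list. */
public class CnAllowListLayeringStrategy extends SSLLayeringStrategy {
    private final Set<String> allowedCns;  // hypothetical allow list supplied by the application

    public CnAllowListLayeringStrategy(SSLContext context, Set<String> allowedCns) {
        super(context);
        this.allowedCns = allowedCns;
    }

    @Override
    protected void verifySession(final IOSession iosession, final SSLSession sslsession)
            throws SSLException {
        // Standard hostname verification first; an SSLException here already fails the connection.
        super.verifySession(iosession, sslsession);
        Principal peer = sslsession.getPeerPrincipal(); // throws SSLPeerUnverifiedException if absent
        String cn = extractCn(peer.getName());          // X500Principal.getName() is RFC 2253 form
        if (cn == null || !allowedCns.contains(cn)) {
            // SSLPeerUnverifiedException is an SSLException (an IOException): it fails this
            // connection only, unlike a RuntimeException, which the reactor treats as fatal.
            throw new SSLPeerUnverifiedException("Peer not authorized: " + peer.getName());
        }
    }

    /** Returns the CN attribute of an RFC 2253 distinguished name, or null if absent or unparseable. */
    static String extractCn(String dn) {
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return String.valueOf(rdn.getValue());
                }
            }
        } catch (InvalidNameException e) {
            // fall through: treat an unparseable DN as having no CN
        }
        return null;
    }
}
```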