On Sat, 2016-12-17 at 18:05 -0500, Qiang Cao wrote:
> Hi Everyone,
>
> I'm running my client to talk to a service that is behind a proxy. The
> channel between the client and the server proxy is established through SSL.
> I wish to retain the certificates of the proxy.
>
> Client --- SSL socket (HTTPS) ---> SSL PROXY --- Plain socket (HTTP) --->
> Server
>
> The way I do it is to create a context for each request and grab the SSL
> session info from the context after each request is executed.
>
> ......
> HttpClientContext clientContext = HttpClientContext.create();
> CloseableHttpResponse response = httpclient.execute(target, httppost,
>         clientContext);
> ManagedHttpClientConnection conn = clientContext.getConnection(
>         ManagedHttpClientConnection.class);
>
> if(conn.isOpen()) {
>     SSLSession sslsession = conn.getSSLSession();
>     X509Certificate[] peerCertChain = sslsession.getPeerCertificateChain();
> }
>
> The code works fine when there is no proxy and the server runs SSL. In that
> case, I'm able to get the server certificates. However, with the SSL proxy
> in the middle, the connection (ManagedHttpClientConnection) I got from the
> context is always NOT open. With that, I sort of ran out of ideas to get
> the SSL session for the request. Any thoughts?
>
> Thanks in advance!
>
> -Qiang

Hi Qiang

Connection socket factory should be a better injection point for any custom SSL logic

---
CloseableHttpClient client = HttpClientBuilder.create()
    .setSSLSocketFactory(new SSLConnectionSocketFactory(SSLContexts.createSystemDefault()) {

        @Override
        public Socket createLayeredSocket(
                final Socket socket,
                final String target,
                final int port,
                final HttpContext context) throws IOException {
            final SSLSocket layeredSocket = (SSLSocket) super.createLayeredSocket(socket, target, port, context);
            // Session of the TLS socket that was just layered over the plain socket
            SSLSession sslsession = layeredSocket.getSession();
            X509Certificate[] peerCertChain = sslsession.getPeerCertificateChain();
            return layeredSocket;
        }

    })
    .build();
---

Hope this helps

Oleg
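
An added example, not part of the original thread: the socket-factory hook from the reply above, extended so the captured chain is stored in the request's context and can be read back after `execute()`. It assumes HttpClient 4.4 or later; the attribute name `example.peer-certificates` and the host `proxy.example.com` are placeholders, and it uses `getPeerCertificates()` rather than the deprecated `getPeerCertificateChain()`.

```java
import java.io.IOException;
import java.net.Socket;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLSocket;
import org.apache.http.HttpHost;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.protocol.HttpContext;
import org.apache.http.ssl.SSLContexts;

public class PeerCertCapture {
    // Hypothetical attribute name chosen for this example.
    static final String PEER_CERTS = "example.peer-certificates";
    public static void main(String[] args) throws IOException {
        SSLConnectionSocketFactory sf =
                new SSLConnectionSocketFactory(SSLContexts.createSystemDefault()) {
            @Override
            public Socket createLayeredSocket(Socket socket, String target, int port,
                    HttpContext context) throws IOException {
                SSLSocket tls = (SSLSocket) super.createLayeredSocket(socket, target, port, context);
                // The superclass has already run the handshake and hostname check.
                Certificate[] chain = tls.getSession().getPeerCertificates();
                if (context != null) {
                    context.setAttribute(PEER_CERTS, chain); // same context object as in execute()
                }
                return tls;
            }
        };
        try (CloseableHttpClient client = HttpClients.custom().setSSLSocketFactory(sf).build()) {
            HttpClientContext ctx = HttpClientContext.create();
            // Placeholder: the TLS endpoint the client actually connects to.
            HttpHost target = new HttpHost("proxy.example.com", 443, "https");
            try (CloseableHttpResponse response = client.execute(target, new HttpGet("/"), ctx)) {
                Certificate[] chain = ctx.getAttribute(PEER_CERTS, Certificate[].class);
                // chain is null when no new TLS socket was created for this request.
                if (chain != null) {
                    for (Certificate c : chain) {
                        System.out.println(((X509Certificate) c).getSubjectX500Principal());
                    }
                }
            }
        }
    }
}
```

The factory runs only when a new connection is opened, so a request served over a pooled keep-alive connection leaves the attribute unset; callers that need the chain for every request have to handle the `null` case.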