On Sat, Feb 18, 2017 at 2:06 AM, Oleg Kalnichevski <ol...@apache.org> wrote:
> On Fri, 2017-02-17 at 12:56 -0800, Gary Gregory wrote:
> > Hi All,
> >
> > I cannot seem to get org.apache.http.conn.ssl.TrustSelfSignedStrategy to
> > work with an SSL connection.
> >
> > I am creating the HttpClient (4.5.3, the latest) like so:
> >
> >     final PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager();
> >     httpClient = HttpClientFactory.createHttpClientBuilder(trustStrategy, hostnameVerifier, getTimeoutMillis())
> >         .setConnectionManager(cm)
>
> Gary,
>
> Your code sets an instance of PoolingHttpClientConnectionManager which
> overrides all other connection level parameters including SSLContext
> and HostnameVerifier. Either pass SSLContext and HostnameVerifier as
> parameters to the connection manager or let HttpClientBuilder create an
> instance of PoolingHttpClientConnectionManager for you.
>

Thanks Oleg, I realized what you point out late last night. I might update
the Javadoc on the builder to make it more obvious.

Gary

>
> Oleg
>
> >         .build();
> >
> > Where HttpClientFactory is as below and trustStrategy=a new
> > org.apache.http.conn.ssl.TrustSelfSignedStrategy, hostnameVerifier=null,
> > getTimeoutMillis()=210,000:
> >
> > public class HttpClientFactory {
> >
> >     public static CloseableHttpClient createHttpClient(final TrustStrategy trustStrategy,
> >             final HostnameVerifier hostnameVerifier, final int timeoutMillis)
> >             throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException {
> >         return createHttpClientBuilder(trustStrategy, hostnameVerifier, timeoutMillis).build();
> >     }
> >
> >     public static HttpClientBuilder createHttpClientBuilder(final TrustStrategy trustStrategy,
> >             final HostnameVerifier hostnameVerifier, final int timeoutMillis)
> >             throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException {
> >         final SSLContext sslContext = trustStrategy == null ? null :
> >             SSLContextBuilder.create().loadTrustMaterial(trustStrategy).build();
> >         final SocketConfig socketConfig = timeoutMillis < 0 ? null :
> >             SocketConfig.custom().setSoTimeout(timeoutMillis).build();
> >         final HttpClientBuilder builder = HttpClients.custom();
> >         if (sslContext != null) {
> >             builder.setSSLContext(sslContext);
> >         }
> >         if (hostnameVerifier != null) {
> >             builder.setSSLHostnameVerifier(hostnameVerifier);
> >         }
> >         if (socketConfig != null) {
> >             builder.setDefaultSocketConfig(socketConfig);
> >         }
> >         return builder;
> >     }
> >
> > }
> >
> > I also tried hostnameVerifier=NoopHostnameVerifier.INSTANCE just for grins
> > but that makes no difference, the failure is the same. If I had a
> > breakpoint in TrustSelfSignedStrategy#isTrusted(), it never gets hit.
> >
> > The error:
> >
> > javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> >     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
> >     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
> >     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
> >     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
> >     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
> >     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
> >     at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
> >     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
> >     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
> >     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
> >     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
> >     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
> >     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
> >     at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
> >     at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
> >     at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
> >     at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
> >     at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
> >     at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
> >     at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
> >     at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
> >     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
> >     at com.seagullsw.appinterface.comm.cics.ScgHttpConnection.sendRequest(ScgHttpConnection.java:165)
> >     at com.seagullsw.appinterface.comm.cics.ScgHttpConnection.sendRequest(ScgHttpConnection.java:177)
> >     at com.seagullsw.appinterface.server.backend.cics.ScgByteBufferExecutor.execute(ScgByteBufferExecutor.java:121)
> >     at com.seagullsw.appinterface.server.backend.cics.CicsBackEnd.handleRequestImpl(CicsBackEnd.java:232)
> >     at com.seagullsw.appinterface.server.backend.BasicBackEnd.handleRequest(BasicBackEnd.java:325)
> >     at com.seagullsw.appinterface.server.BasicInvocation.backEndDispatch(BasicInvocation.java:372)
> >     at com.seagullsw.appinterface.server.BasicInvocation.invokeInner(BasicInvocation.java:1146)
> >     at com.seagullsw.appinterface.server.BasicInvocation.invokeWithChecks(BasicInvocation.java:1191)
> >     at com.seagullsw.appinterface.server.BasicInvocation.invoke(BasicInvocation.java:1106)
> >     at com.seagullsw.appinterface.server.AppInterfaceServer.dispatch(AppInterfaceServer.java:722)
> >     at com.seagullsw.appinterface.server.AppInterfaceServer.dispatch(AppInterfaceServer.java:710)
> >     at com.seagullsw.appinterface.server.AisHelper.assertXmlRequest(AisHelper.java:59)
> >     at com.seagullsw.appinterface.server.backend.cics.AbstractScgBackEndTestCase.callMirrorCommArea(AbstractScgBackEndTestCase.java:409)
> >     at com.seagullsw.appinterface.server.backend.cics.AbstractScgBackEndTestCase.callMirrorCicsWriteQLimitCommArea(AbstractScgBackEndTestCase.java:379)
> >     at com.seagullsw.appinterface.server.backend.cics.AbstractScgBackEndStressTestCase.testMirrorCicsWriteQLimitCommAreaConsecutiveRequests10(AbstractScgBackEndStressTestCase.java:1896)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >     at java.lang.reflect.Method.invoke(Method.java:606)
> >     at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
> >     at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
> >     at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
> >     at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
> >     at org.junit.rules.TestWatcher$1.evaluate(TestWatcher.java:55)
> >     at org.junit.rules.ExternalResource$1.evaluate(ExternalResource.java:48)
> >     at org.junit.rules.RunRules.evaluate(RunRules.java:20)
> >     at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
> >     at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78)
> >     at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57)
> >     at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
> >     at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
> >     at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
> >     at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
> >     at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
> >     at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
> >     at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
> >     at org.junit.rules.ExternalResource$1.evaluate(ExternalResource.java:48)
> >     at org.junit.rules.RunRules.evaluate(RunRules.java:20)
> >     at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
> >     at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:86)
> >     at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
> >     at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:459)
> >     at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:678)
> >     at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:382)
> >     at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:192)
> > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
> >     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
> >     at sun.security.validator.Validator.validate(Validator.java:260)
> >     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
> >     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
> >     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
> >     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
> >     ... 63 more
> > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
> >     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
> >     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
> >     ... 69 more
> >
> > Thoughts?
> >
> > Thank you,
> > Gary
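
Added example, not part of the original thread or of HttpClient itself: one way to follow the first option Oleg describes on HttpClient 4.5.x, by handing the SSLContext and HostnameVerifier to the PoolingHttpClientConnectionManager through its socket factory registry. The class name PooledTlsClientFactory and its method names are hypothetical; the trust store file and password are assumed to be supplied by the caller.

```java
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.config.SocketConfig;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.ssl.SSLContextBuilder;

// Hypothetical helper class; not the poster's HttpClientFactory.
public final class PooledTlsClientFactory {

    // Narrow trust: accept only what is in a dedicated trust store (caller-supplied file).
    static SSLContext fromTrustStore(File trustStore, char[] password)
            throws GeneralSecurityException, IOException {
        return SSLContextBuilder.create().loadTrustMaterial(trustStore, password).build();
    }

    // Same trust setup as in the thread: TrustSelfSignedStrategy on top of the default trust material.
    static SSLContext selfSigned() throws GeneralSecurityException {
        return SSLContextBuilder.create().loadTrustMaterial(new TrustSelfSignedStrategy()).build();
    }

    static CloseableHttpClient create(SSLContext sslContext, HostnameVerifier verifier,
            int timeoutMillis) {
        // A null verifier makes SSLConnectionSocketFactory use its default hostname verifier.
        SSLConnectionSocketFactory tls = new SSLConnectionSocketFactory(sslContext, verifier);
        Registry<ConnectionSocketFactory> registry =
                RegistryBuilder.<ConnectionSocketFactory>create()
                        .register("http", PlainConnectionSocketFactory.getSocketFactory())
                        .register("https", tls)
                        .build();
        // The manager now owns the TLS settings, so setConnectionManager() no longer drops them.
        PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager(registry);
        // The socket timeout is a connection-level parameter as well, so it is set on the manager.
        cm.setDefaultSocketConfig(SocketConfig.custom().setSoTimeout(timeoutMillis).build());
        return HttpClients.custom().setConnectionManager(cm).build();
    }
}
```

With this wiring, a breakpoint in TrustSelfSignedStrategy#isTrusted() is reached during the handshake when selfSigned() supplies the context, because the pooled manager builds its TLS sockets from the registered factory.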