Bindul,

On 2/12/18 10:17 PM, Bindul Bhowmik wrote:
> On Mon, Feb 12, 2018 at 6:48 PM, Murat Cetin <mceti...@gmail.com> wrote:
>> Hi,
>>
>> I am having issues with the keep-alive in HttpsUrlConnection in some legacy
>> code and considering the HttpClient as an alternative.
>>
>> My question is, essentially, I have a URLCursor class definition as follows:
>>
>> public URLCursor(String[] urls, ClientMetadata clientMetadata) {
>>     this.urls = urls;
>>     this.urlIdx = 0;
>>     this.clientMetadata = clientMetadata;
>>     // Custom trust manager to ignore certification
>>     TrustManager[] customTrustManager = new TrustManager[]{
>>         new X509TrustManager() {
>>             public X509Certificate[] getAcceptedIssuers() {
>>                 return null;
>>             }
>>             public void checkClientTrusted(X509Certificate[] certs, String authType) {
>>             }
>>             public void checkServerTrusted(X509Certificate[] certs, String authType) {
>>             }
>>         }
>>     };
>>     // Custom host verifier to accept all hosts.
>>     HostnameVerifier allHostsValid = new HostnameVerifier() {
>>         public boolean verify(String hostname, SSLSession session) {
>>             return true;
>>         }
>>     };
>>
>>     // Setup custom SSL trust manager that ignores SSL certificate validation
>>     try {
>>         SSLContext sc = SSLContext.getInstance("SSL");
>>         sc.init(null, customTrustManager, new java.security.SecureRandom());
>>         HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
>>         HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
>>     } catch (Exception e) {
>>         System.err.println("Error: Failed to establish https with no cert verification");
>>     }
>> }
>>
>> I have a subsequent next() method that essentially creates a new URL, opens
>> a http connection using url.openConnection(), gets a BufferedReader from
>> the input stream and then reads lines out of this stream
>>
>> How can I achieve the same using HttpClient, especially the constructor
>> logic that ignores the certification?
>
> Murat,
>
> From what I see, what you are doing is disabling hostname and SSL
> certificate verification. You can achieve both using a
> NoopHostnameVerifier and a TrustAllStrategy for certificates.
>
> You can initialize your HttpClient something like:
>
> SSLContext sslContext = SSLContexts.custom()
>         .loadTrustMaterial( new TrustAllStrategy() ).build();
> CloseableHttpClient httpClient = HttpClients.custom()
>         .setSSLHostnameVerifier( NoopHostnameVerifier.INSTANCE )
>         .setSSLContext( sslContext ).build();

+1

Also, Murat, you should remove the static calls to HttpsURLConnection
because you don't want to override the whole JVM's TLS configuration.
That's a serious potential security problem given how you have
configured the SSLContext.

> Depending on your use case, unless you are running requests across
> multiple threads, you should be able to share the http client instance
> created for all your requests.
>
> Disclaimer: it is not a good idea to have any of those verifications
> turned off in production.

+1

-chris
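
Added example (not code from any of the posts above): a per-instance TLS configuration for HttpClient 4.5.x that makes no static HttpsURLConnection calls, so the rest of the JVM keeps its default TLS settings, and that keeps both verifications on by trusting only the certificates in a dedicated truststore. The class name ScopedTlsClient, the command-line arguments, the truststore file and the UTF-8 response encoding are assumptions for illustration.

```java
import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import org.apache.http.HttpEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

public class ScopedTlsClient {   // hypothetical class name

    // Trust decisions live in this client instance only; nothing is
    // installed as a JVM-wide default. The truststore (assumed to hold the
    // server's certificate or its issuing CA) is read in the JVM's default
    // keystore format.
    static CloseableHttpClient build(File trustStore, char[] password) throws Exception {
        SSLContext sslContext = SSLContexts.custom()
                .loadTrustMaterial(trustStore, password)
                .build();
        // No setSSLHostnameVerifier call: the builder's default verifier stays active.
        return HttpClients.custom().setSSLContext(sslContext).build();
    }

    // Equivalent of the next() logic described in the question:
    // fetch one URL and read the response body line by line.
    static List<String> readLines(CloseableHttpClient client, String url) throws IOException {
        List<String> lines = new ArrayList<>();
        try (CloseableHttpResponse response = client.execute(new HttpGet(url))) {
            HttpEntity entity = response.getEntity();
            if (entity == null) {
                return lines;            // e.g. 204 No Content
            }
            try (BufferedReader reader = new BufferedReader(
                    new InputStreamReader(entity.getContent(), StandardCharsets.UTF_8))) {
                for (String line; (line = reader.readLine()) != null; ) {
                    lines.add(line);
                }
            }
        }
        return lines;
    }

    // Usage (assumed arguments): <truststore file> <password> <https url>
    public static void main(String[] args) throws Exception {
        try (CloseableHttpClient client = build(new File(args[0]), args[1].toCharArray())) {
            readLines(client, args[2]).forEach(System.out::println);
        }
    }
}
```

A server whose certificate is not in the truststore, or whose name does not match the certificate, fails the handshake with an SSLException instead of being accepted silently.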