Hello all,

for those who have SSL problems with certificates from e.g. cacert.org:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I used the code from:
http://svn.apache.org/viewvc/jakarta/commons/proper/httpclient/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java?view=markup
http://svn.apache.org/viewvc/jakarta/commons/proper/httpclient/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/EasyX509TrustManager.java?view=markup

But in the code there is (EasyX509TrustManager.java):

if ((certificates != null) && (certificates.length == 1)) {
    certificates[0].checkValidity();
} else {
    standardTrustManager.checkServerTrusted(certificates, authType);
}

If you self-sign the certificate this is OK, but if you use certificates from e.g. cacert.org you'll still get errors because there are 2 certificates to validate. Therefore, modify EasyX509TrustManager.java:

if (certificates != null) {
    for (int i = 0; i < certificates.length; i++) {
        // System.out.println("Subject: " + certificates[i].getSubjectDN());
        // System.out.println("Issuer: " + certificates[i].getIssuerDN());
        // System.out.println("Not after: " + certificates[i].getNotAfter());
        // System.out.println("Not before: " + certificates[i].getNotBefore());
        certificates[i].checkValidity();
        // System.out.println("----");
    }
} else { // check Java's keystore
    standardTrustManager.checkServerTrusted(certificates, authType);
}


The final code looks similar to this:

Protocol.registerProtocol("https",
    new Protocol("https", (ProtocolSocketFactory) new EasySSLProtocolSocketFactory(), 443));
HttpClient client = new HttpClient();
client.getParams().setParameter(HttpMethodParams.RETRY_HANDLER,
    new DefaultHttpMethodRetryHandler(2, true));
client.getHttpConnectionManager().getParams().setConnectionTimeout(5000);
GetMethod get = new GetMethod(url);
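An added alternative, not part of Thomas's post or of the HttpClient contrib code: the loop above only checks each certificate's validity dates, so any chain signed by anyone passes. The trust manager below instead loads the CAcert root(s) into an otherwise empty keystore and lets the JDK's standard trust manager validate the whole chain, which handles the 2-certificate case without disabling path building. The class name, the PEM path argument and the `contextFor` helper are this example's own choices.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
// Validates the complete server chain (signatures, validity dates, path to a
// trusted root) against a keystore holding only the CA roots we chose to add,
// e.g. the CAcert root(s). Nothing is accepted on checkValidity() alone.
public class PinnedRootTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;
    // rootCertPemPath: PEM file with one or more root certs (hypothetical path)
    public PinnedRootTrustManager(String rootCertPemPath) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                     // start empty: trust nothing yet
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        FileInputStream in = new FileInputStream(rootCertPemPath);
        try {
            int n = 0;                           // a PEM file may hold several roots
            for (Certificate c : cf.generateCertificates(in)) {
                ks.setCertificateEntry("root" + n++, c);
            }
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                            // standard PKIX manager over our roots
        delegate = (X509TrustManager) tmf.getTrustManagers()[0];
    }
    // Receives the full chain the server sent; 1 or 2+ certs both work because
    // the delegate builds the path to the pinned root instead of skipping it.
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
    }
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
    }
    public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    // Use this SSLContext where EasySSLProtocolSocketFactory builds its own.
    public static SSLContext contextFor(String rootCertPemPath) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinnedRootTrustManager(rootCertPemPath) }, null);
        return ctx;
    }
}
```

Neither this trust manager nor HttpClient 3.x checks that the certificate's subject matches the host you connected to, so hostname verification still has to be done by the caller.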


Maybe someone can add this to the SSL Guide (http://jakarta.apache.org/commons/httpclient/sslguide.html).

Regards,
Thomas
