Re: SSL connection
On Sat, 2013-11-30 at 23:52 +0100, Joan Balagueró wrote:
> Hello Oleg,
>
> Thanks for your help. Everything works fine now.
>
> Just one more question: when I shut down Tomcat, I see this message in catalina.out (ssl debug enabled):
>
>     main, called close()
>     main, called closeInternal(true)
>     main, SEND TLSv1 ALERT:  warning, description = close_notify
>     main, WRITE: TLSv1 Alert, length = 18
>     main, called closeSocket(selfInitiated)
>
> If I send 8 https requests, this message appears 8 times when shutting down Tomcat. It seems that HttpClient is closing the http connection pool (in fact, our app closes it). But I have a keep-alive of 20 seconds, and I'm waiting more than 1 minute (from the last request sent) before shutting down Tomcat (so I understand that all connections should be expired and removed from the pool).
>
> I suppose I'm missing something. Could you clarify this point for me, please?
>
> Thanks,
> Joan.

Joan

I do not know the SSL protocol that intimately, but it looks like this message basically means that the server had to initiate connection shutdown and notify the client. I do not think there is anything wrong with that.

Please note that expired connections in the client connection pool do not get evicted automatically if the pool is inactive. One needs to explicitly call #closeExpired to make it happen.

How exactly do you close the connection pool on the client side?

Oleg

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
For additional commands, e-mail: httpclient-users-h...@hc.apache.org
RE: SSL connection
Oleg,

I close the connection pool by using:

    this.objHttp.getConnectionManager().shutdown();

About the expired connections, I have an idleConnectionsHandler that every 5 seconds removes expired connections and those that have been idle longer than 5 seconds:

    private ClientConnectionManager cm;
    (...)
    this.cm.closeExpiredConnections();
    this.cm.closeIdleConnections(5, TimeUnit.SECONDS);
    (...)

That's why I thought that the pool should be empty after 1 minute.

Regards,
Joan.

-----Original Message-----
From: Oleg Kalnichevski [mailto:ol...@apache.org]
Sent: Monday, 2 December 2013 10:36
To: HttpClient User Discussion
Subject: Re: SSL connection
Re: SSL connection
On Mon, 2013-12-02 at 11:16 +0100, Joan Balagueró wrote:
> Oleg,
>
> I close the connection pool by using:
>
>     this.objHttp.getConnectionManager().shutdown();
>
> About the expired connections, I have an idleConnectionsHandler that every 5 seconds removes expired connections and those that have been idle longer than 5 seconds:
>
>     private ClientConnectionManager cm;
>     (...)
>     this.cm.closeExpiredConnections();
>     this.cm.closeIdleConnections(5, TimeUnit.SECONDS);
>     (...)
>
> That's why I thought that the pool should be empty after 1 minute.
>
> Regards,
> Joan.

Nothing in the connection pool can survive a call to #shutdown().

Can it be that you have some other processes connected to the same Tomcat instance?

Oleg
RE: SSL connection
Oleg,

What I meant was:

1. I send 8 https requests, then I have 8 connections in the pool.
2. I have a keep-alive of 20 seconds. Then, I wait 1 min.
3. After 1 min, all connections should be removed from the pool (due to my IdleConnectionHandler, which works fine).
4. Then, I shut down Tomcat.
5. Then, I expect no messages because there are no connections in the pool. But I see exactly 8 messages like this:

       main, called close()
       main, called closeInternal(true)
       main, SEND TLSv1 ALERT:  warning, description = close_notify
       main, WRITE: TLSv1 Alert, length = 18
       main, called closeSocket(selfInitiated)

6. If I repeat the process sending 5 requests, then I see 5 messages. One per connection.

That's why I thought this was something related to the Http pool, as if the connections were not expired. But if you say that you don't print these messages, then I am a bit lost (because the Tomcat guys also say that they don't print these messages, and neither do I).

Anyway, thanks,
Joan.

-----Original Message-----
From: Oleg Kalnichevski [mailto:ol...@apache.org]
Sent: Monday, 2 December 2013 16:12
To: HttpClient User Discussion
Subject: Re: SSL connection
RE: SSL connection
Joan Balagueró joan.balagu...@grupoventus.com wrote:
> Oleg,
>
> What I meant was:
>
> 1. I send 8 https requests, then I have 8 connections in the pool.
> 2. I have a keep-alive of 20 seconds. Then, I wait 1 min.
> 3. After 1 min, all connections should be removed from the pool (due to my IdleConnectionHandler, which works fine).
> 4. Then, I shut down Tomcat.
> 5. Then, I expect no messages because there are no connections in the pool. But I see exactly 8 messages like this:
>
>        main, called close()
>        main, called closeInternal(true)
>        main, SEND TLSv1 ALERT:  warning, description = close_notify
>        main, WRITE: TLSv1 Alert, length = 18
>        main, called closeSocket(selfInitiated)
>
> 6. If I repeat the process sending 5 requests, then I see 5 messages. One per connection.
>
> That's why I thought this was something related to the Http pool, as if the connections were not expired. But if you say that you don't print these messages, then I am a bit lost (because the Tomcat guys also say that they don't print these messages, and neither do I).
>
> Anyway, thanks,
> Joan.
RE: SSL connection
Hello,

Yes, ssl debug is enabled. But what we are discussing now is why 'someone' is closing 8 http connections that should already be closed.

I'll do what Oleg proposes, inspect the pool before shutting down Tomcat.

Thanks,
Joan.

-----Original Message-----
From: thc...@gmail.com [mailto:thc...@gmail.com]
Sent: Monday, 2 December 2013 19:40
To: HttpClient User Discussion
Subject: Re: SSL connection

Hi.

> That's why I thought this was something related to the Http pool, as if the connections were not expired. But if you say that you don't print these messages, then I am a bit lost (because the Tomcat guys also say that they don't print these messages, and neither do I).

Those messages look a lot like JSSE debugging messages [1]. Do you know if the System property javax.net.debug [2] is activated?

[1] http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/ReadDebug.html
[2] http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#Debug

Best regards.

On 2 December 2013 17:40, Joan Balagueró joan.balagu...@grupoventus.com wrote:
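The two things Joan describes in this thread, an idle-connection handler that calls closeExpiredConnections/closeIdleConnections on a timer, and inspecting the pool before the container is stopped, can be put together in one small class. The code below is an added example written for this page, not code from the thread or from the HttpClient project; it uses the HttpClient 4.3 API (PoolingHttpClientConnectionManager, PoolStats) rather than the older ClientConnectionManager in Joan's snippet, and the names IdleConnectionEvictor, KEEP_ALIVE_SECONDS and report() are my own. The point it demonstrates is Oleg's: the pool never evicts anything on its own, so without a thread like this, idle TLS connections survive until shutdown() closes them, which is exactly when a close_notify per connection would be written.

```java
import java.util.concurrent.TimeUnit;

import org.apache.http.conn.HttpClientConnectionManager;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.pool.PoolStats;

/**
 * Added example (not from the thread): a background evictor for an HttpClient 4.3
 * connection pool plus a pre-shutdown snapshot of what is still pooled.
 * Assumed names: IdleConnectionEvictor, KEEP_ALIVE_SECONDS, report().
 */
public class PoolLifecycleExample {

    /** Assumed value; matches the 20-second keep-alive mentioned in the thread. */
    static final int KEEP_ALIVE_SECONDS = 20;

    /** Daemon thread that evicts expired and idle connections every 5 seconds. */
    static final class IdleConnectionEvictor extends Thread {
        private final HttpClientConnectionManager cm;
        private volatile boolean stopped;

        IdleConnectionEvictor(HttpClientConnectionManager cm) {
            this.cm = cm;
            setDaemon(true);
            setName("idle-connection-evictor");
        }

        @Override
        public void run() {
            try {
                while (!stopped) {
                    synchronized (this) {
                        wait(5000);
                    }
                    // connections whose keep-alive deadline (from the server's
                    // Keep-Alive header or the keep-alive strategy) has passed
                    cm.closeExpiredConnections();
                    // connections that have sat unused longer than the keep-alive window
                    cm.closeIdleConnections(KEEP_ALIVE_SECONDS, TimeUnit.SECONDS);
                }
            } catch (InterruptedException ex) {
                Thread.currentThread().interrupt();
            }
        }

        void shutdown() {
            stopped = true;
            synchronized (this) {
                notifyAll();
            }
        }
    }

    /** Snapshot of the pool; log this right before the container is stopped. */
    static String report(PoolingHttpClientConnectionManager cm) {
        PoolStats stats = cm.getTotalStats();
        return "leased=" + stats.getLeased()
             + " available=" + stats.getAvailable()   // idle, still-open connections
             + " pending=" + stats.getPending()
             + " max=" + stats.getMax();
    }

    public static void main(String[] args) throws Exception {
        PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager();
        cm.setMaxTotal(8);
        CloseableHttpClient client = HttpClients.custom().setConnectionManager(cm).build();
        IdleConnectionEvictor evictor = new IdleConnectionEvictor(cm);
        evictor.start();
        try {
            // ... issue requests with `client` here ...
            // With the evictor running, "available" drops back to 0 shortly after
            // the keep-alive window; without it, it stays at the number of requests sent.
            System.out.println("pool before shutdown: " + report(cm));
        } finally {
            evictor.shutdown();
            client.close();  // closes the pooled connections; a second cm.shutdown() is a no-op
            cm.shutdown();
        }
    }
}
```

If the snapshot shows available=0 and leased=0 and the close_notify lines still appear at Tomcat shutdown, they are not coming from this pool, which is the direction Oleg's question about other processes on the same Tomcat instance points in. From HttpClient 4.4 on, HttpClientBuilder.evictExpiredConnections() and evictIdleConnections(...) provide the same thread without the hand-rolled class.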
Re: SSL connection
On Wed, 2013-11-27 at 19:24 +0100, Joan Balagueró wrote:
> Hello,
>
> I have an application (servlet running on Tomcat) that must send an https request to a server that requires client authentication. Tomcat has correctly installed the truststore and keystore. But I understand that when our app sends the https request, I have to attach the client authentication required by the server.
>
> Can anyone point me to any doc where I can see how to do this?
>
> Thanks,
> J.

There is enough good material on SSL fundamentals on the web. Just google it out.

As far as HC APIs are concerned SSLContextBuilder should help you set up the correct SSL context for your application. Most likely you will need to load the private key and add it to the context using this method [1].

Oleg

[1] http://hc.apache.org/httpcomponents-client-4.3.x/httpclient/apidocs/org/apache/http/conn/ssl/SSLContextBuilder.html#loadKeyMaterial%28java.security.KeyStore,%20char[],%20org.apache.http.conn.ssl.PrivateKeyStrategy%29
Re: SSL connection
    import java.io.File;
    import java.io.FileInputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.net.Authenticator;
    import java.net.PasswordAuthentication;
    import java.net.URL;
    import java.security.KeyManagementException;
    import java.security.KeyStore;
    import java.security.KeyStoreException;
    import java.security.NoSuchAlgorithmException;
    import java.security.SecureRandom;
    import java.security.UnrecoverableKeyException;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;

    public class GPSSL {

        private HttpsURLConnection con;

        public GPSSL() throws Exception {
            String URLs = "https://myserver.doamin.kz";
            URL url = new URL(URLs);
            con = (HttpsURLConnection) url.openConnection();
            // TLS client certificate and private key from a PKCS#12 file
            con.setSSLSocketFactory(getFactory(new File("key/keys.p12"), "1234"));
            // HTTP-level credentials, separate from the TLS client certificate
            Authenticator.setDefault(new MyAuthenticator());
            con.setAllowUserInteraction(true);
            con.setUseCaches(false);
            con.setAllowUserInteraction(false);
            con.setDoOutput(true);
            con.setDoInput(true);
            //con.setRequestProperty("Content-Type", "application/xml; charset=utf-8");
            con.connect();
            System.out.println(con.getResponseCode());
        }

        class MyAuthenticator extends Authenticator {
            protected PasswordAuthentication getPasswordAuthentication() {
                PasswordAuthentication passwordAuthentication =
                    new PasswordAuthentication("domain\\Grigoriy.Polyakov", "12345".toCharArray());
                con.getRequestProperties(); // return value unused
                return passwordAuthentication;
            }
        }

        private SSLSocketFactory getFactory(File pKeyFile, String pKeyPassword)
                throws NoSuchAlgorithmException, KeyStoreException, IOException,
                       CertificateException, UnrecoverableKeyException, KeyManagementException {
            KeyManagerFactory keyManagerFactory =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            KeyStore keyStore = KeyStore.getInstance("PKCS12");
            InputStream keyInput = new FileInputStream(pKeyFile);
            keyStore.load(keyInput, pKeyPassword.toCharArray());
            keyInput.close();
            keyManagerFactory.init(keyStore, pKeyPassword.toCharArray());

            // This trust manager accepts every server certificate: the server is never
            // authenticated, so the TLS connection is open to an active man-in-the-middle.
            TrustManager[] trustAllCerts = new TrustManager[]{
                new X509TrustManager() {
                    @Override
                    public void checkClientTrusted(X509Certificate[] x509Certificates, String s)
                            throws CertificateException {
                        //To change body of implemented methods use File | Settings | File Templates.
                    }

                    public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                        return null;
                    }

                    public void checkServerTrusted(X509Certificate[] certs, String authType) {
                    }
                }
            };
            SSLContext context = SSLContext.getInstance("TLS");
            context.init(keyManagerFactory.getKeyManagers(), trustAllCerts, new SecureRandom());
            return context.getSocketFactory();
        }
    }

On 28.11.13 at 15:23, Oleg Kalnichevski ol...@apache.org wrote:
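The getFactory() method in the snippet above solves client authentication but throws away server authentication: its X509TrustManager accepts any certificate, so anyone who can intercept the connection can present their own. The following is an added example, not part of the posted GPSSL class, showing the same PKCS#12 client-key setup with the trust-all manager replaced by a TrustManagerFactory initialised from an explicit truststore. The class name ClientAuthSocketFactory, the helper loadKeyStore(), and the file paths and passwords in main() are assumptions; the truststore is assumed to be a JKS file holding the CA certificate that issued the server's certificate.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not the posted GPSSL code: client certificate from a PKCS#12 file,
 * server certificates checked against an explicit truststore.
 */
public final class ClientAuthSocketFactory {

    private ClientAuthSocketFactory() {}

    /** Loads a keystore of the given type (e.g. "PKCS12", "JKS") from disk. */
    static KeyStore loadKeyStore(File file, String type, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Key managers present the client certificate; trust managers built from the
     * truststore decide which CAs may vouch for the server (no trust-all manager).
     */
    public static SSLSocketFactory getFactory(File clientKeyFile, char[] clientKeyPassword,
                                              File trustStoreFile, char[] trustStorePassword)
            throws IOException, GeneralSecurityException {
        KeyStore keyStore = loadKeyStore(clientKeyFile, "PKCS12", clientKeyPassword);
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, clientKeyPassword);

        KeyStore trustStore = loadKeyStore(trustStoreFile, "JKS", trustStorePassword);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext context = SSLContext.getInstance("TLS");
        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return context.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // placeholder paths, passwords and host; replace with your own
        SSLSocketFactory factory = getFactory(
            new File("key/keys.p12"), "client-key-password".toCharArray(),
            new File("truststore.jks"), "truststore-password".toCharArray());

        HttpsURLConnection con =
            (HttpsURLConnection) new URL("https://example.invalid/").openConnection();
        con.setSSLSocketFactory(factory);
        // the default HostnameVerifier stays in place, so the certificate is also
        // matched against the host name in the URL
        con.connect();
        System.out.println(con.getResponseCode());
    }
}
```

A server whose certificate is not issued by a CA in truststore.jks now fails the handshake instead of being silently accepted, and because setHostnameVerifier() is never called, HttpsURLConnection's default name check remains active. If the truststore needs only the one server, putting the server's own certificate (or its private CA) in it is enough; the JRE's cacerts file is not involved once tmf.init() is given a truststore.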
RE: SSL connection
Hello Oleg,

Thanks. I've been seeing some HttpClient samples. Some of them set the trustStore/keyStore directly to the SSLSocketFactory. And others create an SSLContext with them and then set this SSLContext to the SSLSocketFactory. Any advantage of one over the other?

Furthermore, when using SSLContext we need to create an instance using the secure socket protocol. Is there any way to accept all secure protocols?

Thanks,
Joan.

-----Original Message-----
From: Oleg Kalnichevski [mailto:ol...@apache.org]
Sent: Thursday, 28 November 2013 10:24
To: HttpClient User Discussion
Subject: Re: SSL connection
Re: SSL connection
On Thu, 2013-11-28 at 20:11 +0100, Joan Balagueró wrote:
> Hello Oleg,
>
> Thanks. I've been seeing some HttpClient samples. Some of them set the trustStore/keyStore directly to the SSLSocketFactory.

SSLSocketFactory constructors internally create an SSLContext instance and initialize it with the trust / key material passed as parameters.

> And others create an SSLContext with them and then set this SSLContext to the SSLSocketFactory. Any advantage of one with respect to the other?

No, not really. Simply a matter of convenience.

> Furthermore, when using SSLContext we need to create an instance using the secure socket protocol. Is there any way to accept all secure protocols?

I am not sure what you mean by that. Exactly what protocols are supported depends on protocol provider implementation.

> Thanks,
> Joan.
>
> -----Original message-----
> From: Oleg Kalnichevski [mailto:ol...@apache.org]
> Sent: Thursday, 28 November 2013 10:24
> To: HttpClient User Discussion
> Subject: Re: SSL connection
>
> > On Wed, 2013-11-27 at 19:24 +0100, Joan Balagueró wrote:
> > > Hello,
> > >
> > > I have an application (servlet running on tomcat) that must send an https request to a server that requires client authentication. Tomcat has the truststore and keystore correctly installed. But I understand that when our app sends the https request, I have to attach the client authentication required by the server.
> > >
> > > Can anyone point me to any doc where I can see how to do this?
> > >
> > > Thanks,
> > > J.
> >
> > There is enough good material on SSL fundamentals on the web. Just google it out. As far as HC APIs are concerned, SSLContextBuilder should help you set up the correct SSL context for your application. Most likely you will need to load the private key and add it to the context using this method [1].
> >
> > Oleg
> >
> > [1] http://hc.apache.org/httpcomponents-client-4.3.x/httpclient/apidocs/org/apache/http/conn/ssl/SSLContextBuilder.html#loadKeyMaterial%28java.security.KeyStore,%20char[],%20org.apache.http.conn.ssl.PrivateKeyStrategy%29
Re: SSL connection
On Thu, 2013-11-28 at 22:12 +0100, Oleg Kalnichevski wrote:
> On Thu, 2013-11-28 at 20:11 +0100, Joan Balagueró wrote:
> ..
> > Furthermore, when using SSLContext we need to create an instance using the secure socket protocol. Is there any way to accept all secure protocols?
>
> I am not sure what you mean by that. Exactly what protocols are supported depends on protocol provider implementation.

I think the 'TLS' security protocol provider should also support all SSL versions and is a safe default.

Oleg
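The two pieces of advice in this thread, Oleg's pointer to SSLContextBuilder#loadKeyMaterial for the client certificate and his remark that a 'TLS' context lets the provider decide which protocol versions are negotiated, come together in the added example below. It is editor-supplied code, not from any message in the thread or from the HttpClient project, written against the HttpClient 4.3 API the link refers to. It also stands in for the trust-all X509TrustManager posted earlier in the thread: loading a real truststore is what makes the server certificate check actually happen. The keystore and truststore file names, the "changeit" passwords, the "client" alias, the host mtls.example.test and the class name are all assumptions.

```java
import java.io.InputStream;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Map;

import javax.net.ssl.SSLContext;

import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.PrivateKeyDetails;
import org.apache.http.conn.ssl.PrivateKeyStrategy;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLContextBuilder;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

/** Client-certificate (mutual TLS) setup with HttpClient 4.3's SSLContextBuilder. Editor's example. */
public class ClientCertHttpClient {

    static KeyStore loadStore(String type, String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            store.load(in, password); // a null password skips only the integrity check
        }
        return store;
    }

    static SSLContext buildContext(final String alias) throws Exception {
        // File names, passwords and alias are assumptions for this example.
        // client-identity.p12: the client's private key and certificate chain, presented when the
        // server sends a CertificateRequest.
        KeyStore keyStore = loadStore("PKCS12", "client-identity.p12", "changeit".toCharArray());
        // server-truststore.jks: only the CA(s) allowed to issue the server's certificate. This is what
        // replaces a trust-all X509TrustManager, whose empty checkServerTrusted() accepts any
        // certificate and so removes server authentication altogether.
        KeyStore trustStore = loadStore("JKS", "server-truststore.jks", null);

        // Decide explicitly which key entry is sent. Returning null sends no certificate at all, which
        // fails loudly at the server, instead of letting the KeyManager pick an arbitrary entry.
        PrivateKeyStrategy pickAlias = new PrivateKeyStrategy() {
            @Override
            public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
                return aliases.containsKey(alias) ? alias : null;
            }
        };

        return new SSLContextBuilder()
                .useTLS()                                   // the 'TLS' context discussed above
                .loadKeyMaterial(keyStore, "changeit".toCharArray(), pickAlias)
                .loadTrustMaterial(trustStore)
                .build();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext("client");

        // A 'TLS' context lets the JSSE provider negotiate any version it enables by default, which on
        // the JREs of 2013 included SSLv3. The socket factory is where the accepted versions are pinned.
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                ctx,
                new String[] { "TLSv1.2" },                 // add "TLSv1.1"/"TLSv1" only if the server needs them
                null,                                       // provider default cipher suites
                SSLConnectionSocketFactory.STRICT_HOSTNAME_VERIFIER);

        try (CloseableHttpClient client = HttpClients.custom().setSSLSocketFactory(sslsf).build();
             CloseableHttpResponse response = client.execute(new HttpGet("https://mtls.example.test/"))) {
            System.out.println(response.getStatusLine());
        }
    }
}
```

Run against a server that requires a client certificate, a handshake failure points at the key material or the alias; a successful status line confirms both that the client certificate was accepted and that the server's chain validated against the truststore, since nothing here bypasses either check.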
Re: SSL connection with client certificate authentication closing randomly
Hello Mike,

We have been running into the same issue, but with HttpClient 4.1.1. Did you find a solution?

Regards,
Florent

--
View this message in context: http://old.nabble.com/SSL-connection-with-client-certificate-authentication-closing-randomly-tp30762412p31293233.html
Sent from the HttpClient-User mailing list archive at Nabble.com.
Re: SSL connection with client certificate authentication closing randomly
I forgot to mention that I am using HttpClient 3.1.

On Tue, Jan 25, 2011 at 2:07 PM, Michael Lam lammg0...@gmail.com wrote:
> Hi all,
>
> We have been running into an issue lately where our client certificate authenticated SSL connections are randomly closing with a TLS alert close_notify. The strange thing is that out of 10 tries, the connection may work maybe around 2-3 times. All other times, the connections will receive a close_notify and the connection will close. For comparison purposes, we tried using command-line cURL to submit the same request with client certificate authentication and we were able to connect and send data without issues every time.
>
> Below is the debug (with -Djavax.net.debug=all) output from a sample session. I have removed the actual data and replaced it with placeholders.
>
>     ... more data and messages
>     Client MAC write Secret: data
>     Server MAC write Secret: data
>     Client write key: data
>     Server write key: data
>     ... no IV used for this cipher
>     Padded plaintext before ENCRYPTION: len = 17
>     data
>     main, WRITE: TLSv1 Change Cipher Spec, length = 17
>     [Raw write]: length = 22
>     data
>     *** Finished
>     verify_data: data
>     ***
>     [write] MD5 and SHA1 hashes: len = 16
>     data
>     Padded plaintext before ENCRYPTION: len = 32
>     data
>     main, WRITE: TLSv1 Handshake, length = 32
>     data
>     main, received EOFException: ignored
>     main, called closeInternal(false)
>     main, SEND TLSv1 ALERT: warning, description = close_notify
>     Padded plaintext before ENCRYPTION: len = 18
>     data
>     main, WRITE: TLSv1 Alert, length = 18
>     main, Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error
>     2011-01-12 11:20:59,908 DEBUG org.apache.commons.httpclient.HttpMethodDirector - Closing the connection.
>     2011-01-12 11:20:59,908 DEBUG org.apache.commons.httpclient.HttpConnection - enter HttpConnection.close()
>     2011-01-12 11:20:59,908 DEBUG org.apache.commons.httpclient.HttpConnection - enter HttpConnection.closeSockedAndStreams()
>     main, called close()
>     main, called closeInternal(true)
>     main, called close()
>     main, called closeInternal(true)
>     main, called close()
>     main, called closeInternal(true)
>     2011-01-12 11:20:59,909 INFO org.apache.commons.httpclient.HttpMethodDirector - I/O exception (org.apache.commons.httpclient.NoHttpResponseException) caught when processing request: The server host failed to respond
>     2011-01-12 11:20:59,912 DEBUG org.apache.commons.httpclient.HttpMethodDirector - The server host failed to respond
>     org.apache.commons.httpclient.NoHttpResponseException: The server www.callit.com failed to respond
>         at org.apache.commons.httpclient.HttpMethodBase.readStatusLine(HttpMethodBase.java:1976)
>         at org.apache.commons.httpclient.HttpMethodBase.readResponse(HttpMethodBase.java:1735)
>         at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1098)
>         at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
>         at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
>         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
>         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
>         at SSLConnectionTest.main(SSLConnectionTest.java:83)
>
> Here is the code I used to connect to the host:
>
>     HttpClientParams params = new HttpClientParams(DefaultHttpParams.getDefaultParams());
>     HttpClient httpclient = new HttpClient(params);
>     // keystore URL and password come from configuration; no separate truststore is passed
>     AuthSSLProtocolSocketFactory socketFactory =
>             new AuthSSLProtocolSocketFactory(keyStoreFileUrl.toURL(), keyStorePwd, null, null);
>     Protocol httpsProtocol = new Protocol("https", socketFactory, 443);
>     httpclient.getHostConfiguration().setHost("www.myhost.com", 443, httpsProtocol);
>     PostMethod httppost = new PostMethod("/vl/feature.asp");
>     NameValuePair[] data = { new NameValuePair("Query", function) };
>     try {
>         httppost.setRequestBody(data);
>         httpclient.executeMethod(httppost);
>         System.out.println(httppost.getResponseBodyAsString());
>     } catch (HttpException e) {
>         e.printStackTrace();
>     } catch (IOException e) {
>         e.printStackTrace();
>     } finally {
>         httppost.releaseConnection();
>     }
>
> Within the AuthSSLProtocolSocketFactory, we also use the AuthSSLX509TrustManager and a custom KeyManager that stores the client certificate and private key.
>
> Any pointers or tips to help debug this issue will be greatly appreciated.
>
> Regards,
> Mike
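In the log above the client has already sent its certificate, ChangeCipherSpec and Finished when the server drops the connection, so the question is whether HttpClient 3.1's AuthSSLProtocolSocketFactory and the custom KeyManager are involved at all. The added example below (editor's code, not from Mike's post or the HttpClient project) takes HttpClient out of the picture: it runs the same mutually authenticated handshake over a bare JSSE SSLSocket, prints what was negotiated, including whether a client certificate was actually sent, then issues one request and reports whether the server answered or closed the connection, repeating the probe ten times to match the "2-3 out of 10" pattern in the post. The host defaults to the one in the posted code; the keystore and truststore paths, the "changeit" password, the request path and the class name are assumptions.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/** Mutual-TLS handshake probe using plain JSSE, no HttpClient. Editor's example; paths and passwords are assumptions. */
public class MtlsHandshakeProbe {

    static SSLContext contextFromStores(String keyStorePath, char[] keyStorePassword,
                                        String trustStorePath) throws Exception {
        // Client identity: private key + certificate chain, the material the custom KeyManager in the post holds.
        KeyStore identity = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(keyStorePath))) {
            identity.load(in, keyStorePassword);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyStorePassword);

        // Server trust: the CA(s) that may issue the server certificate; password not needed to read.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(trustStorePath))) {
            trust.load(in, null);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** One handshake plus one request; returns true only if the server sent a status line back. */
    static boolean probe(SSLContext ctx, String host, int port) throws IOException {
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            socket.setSoTimeout(10_000);
            socket.startHandshake(); // SSLHandshakeException here means the handshake itself was rejected
            SSLSession session = socket.getSession();
            System.out.println("protocol      : " + session.getProtocol());
            System.out.println("cipher suite  : " + session.getCipherSuite());
            System.out.println("server subject: "
                    + ((X509Certificate) session.getPeerCertificates()[0]).getSubjectX500Principal());
            // null means the KeyManager had no entry matching the server's CertificateRequest: no client cert was sent
            Certificate[] local = session.getLocalCertificates();
            System.out.println("client cert   : " + (local == null ? "NOT SENT"
                    : ((X509Certificate) local[0]).getSubjectX500Principal()));

            OutputStream out = socket.getOutputStream();
            out.write(("HEAD / HTTP/1.0\r\nHost: " + host + "\r\n\r\n").getBytes(StandardCharsets.US_ASCII));
            out.flush();
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(socket.getInputStream(), StandardCharsets.US_ASCII));
            String status = in.readLine();
            // null here is the raw-socket equivalent of HttpClient's NoHttpResponseException:
            // the server closed (close_notify or reset) after the handshake without answering
            System.out.println("status line   : " + (status == null ? "none, connection closed by server" : status));
            return status != null;
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "www.myhost.com"; // host from the posted code
        SSLContext ctx = contextFromStores("client.jks", "changeit".toCharArray(), "truststore.jks");
        int answered = 0;
        int attempts = 10; // the post reports roughly 2-3 of 10 connections surviving
        for (int i = 0; i < attempts; i++) {
            try {
                if (probe(ctx, host, 443)) {
                    answered++;
                }
            } catch (IOException e) {
                System.out.println("attempt " + (i + 1) + " failed: " + e);
            }
        }
        System.out.println(answered + "/" + attempts + " connections answered a request");
    }
}
```

Read the output in two steps. If "client cert" shows NOT SENT, the server's CertificateRequest did not match any key entry (wrong key type or an issuer list the client chain does not satisfy) and the close is the server giving up on an unauthenticated client; the fix is in the key material, not in HttpClient. If the certificate is sent and the raw socket still sees the connection closed only some of the time, the behaviour reproduces without HttpClient and the server side (or something between, such as a load balancer whose members are configured differently) is where to look next; running the same probe with -Djavax.net.debug=ssl shows the identical alert sequence as in the post.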