Re: Restlet client connecting to server with self signed certificate
Thanks for your inputs, they were helpful. This is how I am able to resolve the issues I was facing. I know this is not the best way to deal with things, but it can be handy at times to go past HTTPS jitters.

pom.xml
===
    <dependency>
        <groupId>org.restlet</groupId>
        <artifactId>org.restlet</artifactId>
        <version>1.1.8</version>
    </dependency>
    <dependency>
        <groupId>com.noelios.restlet</groupId>
        <artifactId>com.noelios.restlet</artifactId>
        <version>1.1.8</version>
    </dependency>
    <dependency>
        <groupId>com.noelios.restlet</groupId>
        <artifactId>com.noelios.restlet.ext.httpclient</artifactId>
        <version>1.1.8</version>
    </dependency>
    <dependency>
        <groupId>org.jsslutils</groupId>
        <artifactId>jsslutils-extra-apachehttpclient3</artifactId>
        <version>0.5</version>
    </dependency>
===

    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;
    import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
    // plus SslContextedSecureProtocolSocketFactory from jsslutils-extra-apachehttpclient3-0.5.jar

    if (protocol.equalsIgnoreCase("https")) {
        SSLContext sc = getCustomSSLFactory();
        SslContextedSecureProtocolSocketFactory secureProtocolSocketFactory =
            new SslContextedSecureProtocolSocketFactory(sc);
        // Disables the hostname check as well: any certificate for any name is accepted
        secureProtocolSocketFactory.setHostnameVerification(false);
        org.apache.commons.httpclient.protocol.Protocol.registerProtocol(
            "https",
            new org.apache.commons.httpclient.protocol.Protocol(
                "https", (ProtocolSocketFactory) secureProtocolSocketFactory, 443));
    }
    Response resp = client.handle(request);

    private SSLContext getCustomSSLFactory() {
        SSLContext sc = null;
        // Create a trust manager that does not validate certificate chains
        // (trusts every server, so the connection is open to man-in-the-middle; test use only)
        TrustManager[] trustAllCerts = new TrustManager[] {
            new X509TrustManager() {
                public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                    // Empty array rather than null: some callers iterate over the result
                    return new java.security.cert.X509Certificate[0];
                }
                public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {
                }
                public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {
                }
            }
        };
        // Install the all-trusting trust manager
        try {
            sc = SSLContext.getInstance("SSL");
            sc.init(null, trustAllCerts, new java.security.SecureRandom());
        } catch (Exception e) {
            // Fail here rather than returning null and getting a NullPointerException later
            throw new IllegalStateException("Could not initialise SSLContext", e);
        }
        return sc;
    }

Thanks very much,
Rocky

--
View this message in context: http://n2.nabble.com/Restlet-client-connecting-to-server-with-self-signed-certificate-tp3715127p4559775.html
Sent from the Restlet Discuss mailing list archive at Nabble.com.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2447004
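The trust-all trust manager above accepts any certificate and, with hostname verification switched off, any host, which is the man-in-the-middle exposure Bruno raises further down this page. The following is an added example, not code from this thread, from Restlet or from jSSLutils: it is the client side of the test-CA scheme Bruno suggests below, using the same HttpClient 3 Protocol registration as the snippet above but with an SSLContext whose only trust anchor is the test CA certificate, and with hostname verification left on. It assumes Java 7 or later, the jsslutils-extra-apachehttpclient3 jar (the package of SslContextedSecureProtocolSocketFactory is taken from the project's wiki and is an assumption here), the Restlet 1.1 client API, and a test-ca.pem file exported from the test CA; the class name, file name and test-bed URL are placeholders.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
// jsslutils-extra-apachehttpclient3 0.5; package name assumed from the jSSLutils wiki
import org.jsslutils.extra.apachehttpclient.SslContextedSecureProtocolSocketFactory;
import org.restlet.Client;
import org.restlet.data.Method;
import org.restlet.data.Protocol;
import org.restlet.data.Request;
import org.restlet.data.Response;

/**
 * Drop-in replacement for the trust-all getCustomSSLFactory(): the SSLContext trusts
 * exactly one certificate, the test CA that signed every test-bed certificate.
 * Nothing else is trusted, and hostname verification stays on, so a man in the
 * middle presenting any other certificate is still rejected.
 */
public class TestCaSslContext {

    /** Reads a PEM or DER encoded X.509 certificate, e.g. the exported test-ca.pem. */
    static X509Certificate loadCertificate(Path path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Builds an SSLContext whose only trust anchor is the given CA certificate. */
    static SSLContext forTestCa(X509Certificate testCa) throws Exception {
        // In-memory truststore: nothing on disk and no keytool import step per test bed
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("test-ca", testCa);

        // The stock PKIX trust manager does real chain validation against that anchor,
        // including expiry, so a certificate from any other issuer fails the handshake
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // "TLS" rather than "SSL": asks for the TLS protocol family instead of SSLv3
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Same registration as in the thread, minus setHostnameVerification(false). */
    static void registerHttps(SSLContext ctx) {
        SslContextedSecureProtocolSocketFactory factory =
            new SslContextedSecureProtocolSocketFactory(ctx);
        // The test CA can sign a certificate for any name; the hostname check is what
        // ties the certificate actually presented to the host that was asked for
        factory.setHostnameVerification(true);
        org.apache.commons.httpclient.protocol.Protocol.registerProtocol("https",
            new org.apache.commons.httpclient.protocol.Protocol(
                "https", (ProtocolSocketFactory) factory, 443));
    }

    /** Usage: java TestCaSslContext test-ca.pem https://testbed-07.example.test/api */
    public static void main(String[] args) throws Exception {
        registerHttps(forTestCa(loadCertificate(Paths.get(args[0]))));
        Client client = new Client(Protocol.HTTPS);
        Response resp = client.handle(new Request(Method.GET, args[1]));
        System.out.println(resp.getStatus());
    }
}
```

Adding a new test bed then needs no client change at all: the deployment signs the new host's certificate with the same test CA and the existing truststore accepts it. The flip side is that whoever holds the CA private key shipped with the deployment scripts can mint a certificate for any test-bed name, so that key and the test-CA truststore must stay confined to the test environment and never reach production clients.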
Re: Restlet client connecting to server with self signed certificate
On 11/02/2010 23:14, Rocky V wrote:
>>> Do you mean to say, I can use something like this:
>>>     secureProtocolSocketFactory = new SslContextedSecureProtocolSocketFactory(...);
>>>     org.apache.commons.httpclient.protocol.Protocol.registerProtocol(
>>>         "https", new org.apache.commons.httpclient.protocol.Protocol(
>>>             "https", (ProtocolSocketFactory) secureProtocolSocketFactory, 443));
>
> I was referring to this SslContextedSecureProtocolSocketFactory
> (although you could find other ways to do it):
> http://code.google.com/p/jsslutils/wiki/ApacheHttpClientUsage
>
> So all you'd have to do would be (with your SSLContext as below):
>
>     SslContextedSecureProtocolSocketFactory secureProtocolSocketFactory =
>         new SslContextedSecureProtocolSocketFactory(sc);
>     Protocol.registerProtocol("https", new Protocol("https",
>         (ProtocolSocketFactory) secureProtocolSocketFactory, 443));
>
> (if you're using the Apache client connector, otherwise use
> HttpsURLConnection as you've done.)
>
> I could find one org.jsslutils.jar inside restlet/lib
> \restlet-1.1.7\lib\org.jsslutils_0.5
> but I don't see the class you mentioned.
> The closest is SSLContextFactory.class.
> Am I looking at the wrong place? Where can I find this class (which jar)?

Good point, I should make the wiki page I mentioned above clearer. When it says this doesn't depend on jSSLutils, I forgot to say it's not in the same jar. The link to this jar file is available from jSSLutils's main page:
http://jsslutils.googlecode.com/files/jsslutils-extra-apachehttpclient3-0.5.jar

Best wishes,

Bruno.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2446966
Re: Restlet client connecting to server with self signed certificate
Rocky V wrote:
>>> Do you mean to say, I can use something like this:
>>>     secureProtocolSocketFactory = new SslContextedSecureProtocolSocketFactory(...);
>>>     org.apache.commons.httpclient.protocol.Protocol.registerProtocol(
>>>         "https", new org.apache.commons.httpclient.protocol.Protocol(
>>>             "https", (ProtocolSocketFactory) secureProtocolSocketFactory, 443));
>
>>> I was referring to this SslContextedSecureProtocolSocketFactory
>>> (although you could find other ways to do it):
>>> http://code.google.com/p/jsslutils/wiki/ApacheHttpClientUsage
>
>>> So all you'd have to do would be (with your SSLContext as below):
>
>>>     SslContextedSecureProtocolSocketFactory secureProtocolSocketFactory =
>>>         new SslContextedSecureProtocolSocketFactory(sc);
>>>     Protocol.registerProtocol("https", new Protocol("https",
>>>         (ProtocolSocketFactory) secureProtocolSocketFactory, 443));
>
>>> (if you're using the Apache client connector, otherwise use
>>> HttpsURLConnection as you've done.)
>
> Typo error:
> I could NOT find one org.jsslutils.jar inside restlet/lib
> \restlet-1.1.7\lib\org.jsslutils_0.5
> but I don't see the class you mentioned.
> The closest is SSLContextFactory.class.
> Am I looking at the wrong place? Where can I find this class (which jar)?
>
> Thanks for the other part of your response. Informative, though a little
> challenging to follow in the practical world
> of tight deadlines and high expectations. But I am def. gonna take that
> point up with the team and I agree
> that's how HTTPS should be tested (otherwise it's like a sheep in wolf's
> clothing).

--
View this message in context: http://n2.nabble.com/Restlet-client-connecting-to-server-with-self-signed-certificate-tp3715127p4558078.html
Sent from the Restlet Discuss mailing list archive at Nabble.com.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2446950
Re: Restlet client connecting to server with self signed certificate
>> Do you mean to say, I can use something like this:
>>     secureProtocolSocketFactory = new SslContextedSecureProtocolSocketFactory(...);
>>     org.apache.commons.httpclient.protocol.Protocol.registerProtocol(
>>         "https", new org.apache.commons.httpclient.protocol.Protocol(
>>             "https", (ProtocolSocketFactory) secureProtocolSocketFactory, 443));
>
> I was referring to this SslContextedSecureProtocolSocketFactory
> (although you could find other ways to do it):
> http://code.google.com/p/jsslutils/wiki/ApacheHttpClientUsage
>
> So all you'd have to do would be (with your SSLContext as below):
>
>     SslContextedSecureProtocolSocketFactory secureProtocolSocketFactory =
>         new SslContextedSecureProtocolSocketFactory(sc);
>     Protocol.registerProtocol("https", new Protocol("https",
>         (ProtocolSocketFactory) secureProtocolSocketFactory, 443));
>
> (if you're using the Apache client connector, otherwise use
> HttpsURLConnection as you've done.)

I could find one org.jsslutils.jar inside restlet/lib
\restlet-1.1.7\lib\org.jsslutils_0.5
but I don't see the class you mentioned.
The closest is SSLContextFactory.class.
Am I looking at the wrong place? Where can I find this class (which jar)?

Thanks for the other part of your response. Informative, though a little challenging to follow in the practical world of tight deadlines and high expectations. But I am def. gonna take that point up with the team and I agree that's how HTTPS should be tested (otherwise it's like a sheep in wolf's clothing).

--
View this message in context: http://n2.nabble.com/Restlet-client-connecting-to-server-with-self-signed-certificate-tp3715127p4558072.html
Sent from the Restlet Discuss mailing list archive at Nabble.com.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2446947
Re: Restlet client connecting to server with self signed certificate
Hi Rocky,

On 10/02/2010 19:08, Rocky V wrote:
> Bruno Harbulot wrote:
>> Rocky V wrote:
>>> I am on Restlet 1.1.5 and can upgrade to 1.1.8 (last known stable version
>>> from restlet.org) if need arises.
>>> My problem is to trust all certificates for my Restlet client using HTTPS
>>> (apache common).
>>
>> I realize this is not the correct way to do it but for test purposes it's
>> really useful.
>> I have seen some other post between you and someone else mentioning that
>> it is too much of an overhead
>> of putting the right SSL certificate in a test environment and it should be
>> avoided.
>> And moreover, since we are testing
>> in a sort of VPN environment not exposed to the external world, for my
>> purpose, I presume we are safe.

(I can't remember that discussion, but fair enough...)

>> [...]
>>
>> Reason for avoiding the option of not importing certificates is:
>> We have multiple test beds (hosts) as we call it and we may run our tests
>> against any of these test beds so it basically means, import certificates
>> for all these test beds and again if we introduce a new test bed this code
>> can break.
>> Once we are close to finalizing one single environment, we can import one
>> certificate for that
>> host and then this is not an issue but for now importing these certificates
>> is a pain and I want to avoid the manual step. Since I am in the automation team,
>> our goal is to have max automation.

I'll try to answer your original question below, but here is another suggestion:

From what I understand, the system that deploys your application onto the test beds generates self-signed certificates upon deployment, for the purpose of testing. In this case, you could create a test CA before deployment and, instead of generating self-signed certificates, generate certificates signed with this CA (because you would ship the CA's private key as part of the deployment script, for testing purposes).

To avoid clashes between certificates, I'd use serial number 1 for the CA certificate and a random 64-bit serial number for each generated certificate (or something along those lines). Since you'd know the CA certificate before deployment, you could put it in the clients' truststore beforehand.

>> You might want to have a look at this, as a workaround using the Apache
>> HTTP client connector, for Restlet 1.
>> http://restlet.tigris.org/issues/show_bug.cgi?id=586#desc4
>>
>>
>> Do you mean to say, I can use something like this:
>>     secureProtocolSocketFactory = new SslContextedSecureProtocolSocketFactory(...);
>>     org.apache.commons.httpclient.protocol.Protocol.registerProtocol(
>>         "https", new org.apache.commons.httpclient.protocol.Protocol(
>>             "https", (ProtocolSocketFactory) secureProtocolSocketFactory, 443));

I was referring to this SslContextedSecureProtocolSocketFactory (although you could find other ways to do it):
http://code.google.com/p/jsslutils/wiki/ApacheHttpClientUsage

So all you'd have to do would be (with your SSLContext as below):

    SslContextedSecureProtocolSocketFactory secureProtocolSocketFactory =
        new SslContextedSecureProtocolSocketFactory(sc);
    Protocol.registerProtocol("https", new Protocol("https",
        (ProtocolSocketFactory) secureProtocolSocketFactory, 443));

(if you're using the Apache client connector, otherwise use HttpsURLConnection as you've done.)

>> where:
>>
>> secureProtocolSocketFactory = getCustomSocketFactoryForTrustAll();
>> (To trust all server certificates for my requirement)
>>
>> private SSLSocketFactory getCustomSocketFactoryForTrustAll() {
>>     SSLContext sc = null;
>>     // Create a trust manager that does not validate certificate chains
>>     TrustManager[] trustAllCerts = new TrustManager[] {
>>         new X509TrustManager() {
>>             public java.security.cert.X509Certificate[] getAcceptedIssuers() {
>>                 return null;
>>             }
>>             public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {
>>             }
>>             public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {
>>             }
>>         }
>>     };
>>
>>     // Install the all-trusting trust manager
>>     try {
>>         sc = SSLContext.getInstance("SSL");
>>         sc.init(null, trustAllCerts, new java.security.SecureRandom());
>>
>>         //HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
>>     } catch (Exception e) {
>>     }
>>     return sc.getSocketFactory();
>> }
>>
>>
>> For now, it has taken me almost 4 days to find this workaround.
>> Unfortunately, I could not find
>> any post for this. I am sure this can be very usefu
Re: Restlet client connecting to server with self signed certificate
X509Certificate[]
>             getAcceptedIssuers() {
>                 return null;
>             }
>             public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {
>             }
>             public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {
>             }
>         }
>     };
>
>     // Install the all-trusting trust manager
>     try {
>         sc = SSLContext.getInstance("SSL");
>         sc.init(null, trustAllCerts, new java.security.SecureRandom());
>
>         //HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
>     } catch (Exception e) {
>     }
>     return sc.getSocketFactory();
> }
>
> Do you think this is correct?
>
>> I have been able to import the certificate in the JVM using keytool and go
>> past
>> SSL exceptions but that is not a feasible option. This introduces a
>> manual
>> step and I have written Restlet client code to automate REST web service
>> testing. Also, we have multiple unsigned certificates due to multiple
>> hosts
>> in the test environment.
>
> I guess what you're trying to do is OK in a test environment... if you
> make sure that code doesn't end up in production.
>
>
>
> For now, it has taken me almost 4 days to find this workaround.
> Unfortunately, I could not find
> any post for this. I am sure this can be very useful for a lot of folks who
> would in the first
> place like to test HTTPS and then get into the nitty gritty of doing the right
> thing eventually.
>
> Best Regards,
> Rocky
>
>
>
> Best wishes,
>
> Bruno.
>
> --
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2446390
>

--
View this message in context: http://n2.nabble.com/Restlet-client-connecting-to-server-with-self-signed-certificate-tp3715127p4550083.html
Sent from the Restlet Discuss mailing list archive at Nabble.com.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2446498
Re: Restlet client connecting to server with self signed certificate
Hi Rocky,

Rocky V wrote:
> I am on Restlet 1.1.5 and can upgrade to 1.1.8 (last known stable version
> from restlet.org) if need arises.
> My problem is to trust all certificates for my Restlet client using HTTPS
> (apache common).

Am I right in understanding that you want your client to trust any server certificate it encounters, without prompting the user? If so, do you realise that this makes your connection prone to man-in-the-middle attacks, therefore making using SSL a bit pointless?

(Note that the security logic for trusting any server certificate is very different to that for trusting any client certificate. Verification of the server certificate is essential.)

> I saw this thread suggesting setting SSLContextFactory but this method is
> only available for Restlet 2.x versions which I can't upgrade to since it is
> a snapshot and my organization won't permit upgrading to unstable
> (supposedly) versions.
>
> Can you please suggest, probably through a snippet of code,
> how I can trust all certificates like this in a Restlet client:
> http://exampledepot.com/egs/javax.net.ssl/TrustAll.html
>

You might want to have a look at this, as a workaround using the Apache HTTP client connector, for Restlet 1.
http://restlet.tigris.org/issues/show_bug.cgi?id=586#desc4

> I have been able to import the certificate in the JVM using keytool and go past
> SSL exceptions but that is not a feasible option. This introduces a manual
> step and I have written Restlet client code to automate REST web service
> testing. Also, we have multiple unsigned certificates due to multiple hosts
> in the test environment.

I guess what you're trying to do is OK in a test environment... if you make sure that code doesn't end up in production.

Best wishes,

Bruno.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2446390
Re: Restlet client connecting to server with self signed certificate
Hi,

I am on Restlet 1.1.5 and can upgrade to 1.1.8 (last known stable version from restlet.org) if need arises. My problem is to trust all certificates for my Restlet client using HTTPS (apache common).

I saw this thread suggesting setting SSLContextFactory but this method is only available for Restlet 2.x versions which I can't upgrade to since it is a snapshot and my organization won't permit upgrading to unstable (supposedly) versions.

Can you please suggest, probably through a snippet of code, how I can trust all certificates like this in a Restlet client:
http://exampledepot.com/egs/javax.net.ssl/TrustAll.html

I have been able to import the certificate in the JVM using keytool and go past SSL exceptions but that is not a feasible option. This introduces a manual step and I have written Restlet client code to automate REST web service testing. Also, we have multiple unsigned certificates due to multiple hosts in the test environment.

Thanks for your response in advance.

thanks,
Rocky

--
View this message in context: http://n2.nabble.com/Restlet-client-connecting-to-server-with-self-signed-certificate-tp3715127p4544753.html
Sent from the Restlet Discuss mailing list archive at Nabble.com.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2446276
RE: Restlet client connecting to server with self signed certificate
Hi Chris,

One option is to import your additional certificate in the cacerts trust store. See an example here:
http://www.charlesproxy.com/documentation/using-charles/ssl-certificates/

If you don't want to change it for all your JVM apps, then you could copy it somewhere else before and import the additional certificates right after.

Best regards,
Jerome Louvel
--
Restlet ~ Founder and Lead developer ~ http://www.restlet.org
Noelios Technologies ~ Co-founder ~ http://www.noelios.com

-----Original Message-----
From: Oblivian [mailto:ch...@carlsoncentral.com]
Sent: Friday 25 September 2009 23:54
To: discuss@restlet.tigris.org
Subject: Restlet client connecting to server with self signed certificate

I have a restlet client that needs to connect to a server with an untrusted cert. Other parts of my application need to connect to servers with trusted certs. I tried setting the trustStore in my client as follows, but once I did this it broke HTTPS calls to servers with trusted certificates. I'm assuming because my custom keystore is missing all the default cacerts entries.

    System.setProperty("javax.net.ssl.trustStore", new File(ccdResourceKeystore).getAbsolutePath());
    System.setProperty("javax.net.ssl.trustStorePassword", ccdResourceKeystorePassword);

Is there a way to have this client use a provided keystore and everything else in my app use the standard JRE cacerts? I don't really want to muck with the JRE-provided keystore if possible; I would like my client to just work if I ever decide to update the JRE, or deploy on a different server.

Is the same logic that applies to a restlet server supposed to work with a client?

    Series<Parameter> parameters = client.getContext().getParameters();
    parameters.add("sslContextFactory", "org.restlet.engine.security.DefaultSslContextFactory");
    parameters.add("keystorePath", "blah");
    parameters.add("keystorePassword", "blah");

--
View this message in context: http://n2.nabble.com/Restlet-client-connecting-to-server-with-self-signed-certificate-tp3715127p3715127.html
Sent from the Restlet Discuss mailing list archive at Nabble.com.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2400433

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2407088
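Chris's HTTPS calls to public servers broke because javax.net.ssl.trustStore replaces the JVM's cacerts rather than adding to it, and the property is process-wide. The following is an added example, not Restlet code and not from this thread, that avoids both the system property and any edit or copy of the JRE's cacerts file: an X509TrustManager that asks the JVM's default trust managers first and falls back to a second truststore holding the self-signed certificate, wrapped in an SSLContext that is applied to one connection only. It assumes Java 7 or later; the keystore path, password and URL on the command line are placeholders, and the extra truststore is expected to contain the server's self-signed certificate (imported with keytool -importcert, or any other way). The same SSLContext can be handed to the Apache HttpClient connector through the Protocol registration shown in Rocky's and Bruno's messages earlier on this page.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Accepts a server chain if EITHER the JVM's default truststore (cacerts) OR an
 * extra truststore accepts it. cacerts is never modified and no
 * javax.net.ssl.trustStore property is set, so the rest of the application keeps
 * its normal trust decisions. Every delegate is a stock PKIX trust manager, so
 * chain building and expiry checks still happen; only the set of anchors grows.
 */
public class CompositeTrustManager implements X509TrustManager {
    private final List<X509TrustManager> delegates;

    CompositeTrustManager(List<X509TrustManager> delegates) {
        this.delegates = delegates;
    }

    /** X509TrustManagers backing a truststore; null selects the JVM default (cacerts). */
    static List<X509TrustManager> trustManagersFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        List<X509TrustManager> result = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) result.add((X509TrustManager) tm);
        }
        return result;
    }

    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** JVM default trust plus the certificates in the given truststore file. */
    static SSLContext defaultPlus(String extraTrustStorePath, char[] password) throws Exception {
        List<X509TrustManager> all = new ArrayList<>(trustManagersFor(null));
        all.addAll(trustManagersFor(loadKeyStore(extraTrustStorePath, password)));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new CompositeTrustManager(all) }, null);
        return ctx;
    }

    private void check(X509Certificate[] chain, String authType, boolean server)
            throws CertificateException {
        CertificateException last = null;
        for (X509TrustManager tm : delegates) {
            try {
                if (server) tm.checkServerTrusted(chain, authType);
                else tm.checkClientTrusted(chain, authType);
                return;   // one truststore accepted the chain after full PKIX validation
            } catch (CertificateException e) {
                last = e; // not trusted here, try the next truststore
            }
        }
        throw last != null ? last : new CertificateException("no trust managers configured");
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        check(chain, authType, true);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        check(chain, authType, false);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        List<X509Certificate> issuers = new ArrayList<>();
        for (X509TrustManager tm : delegates) {
            for (X509Certificate c : tm.getAcceptedIssuers()) issuers.add(c);
        }
        return issuers.toArray(new X509Certificate[0]);
    }

    /** Usage: java CompositeTrustManager extra.jks changeit https://selfsigned.example.test/ */
    public static void main(String[] args) throws Exception {
        SSLContext ctx = defaultPlus(args[0], args[1].toCharArray());
        HttpsURLConnection conn =
            (HttpsURLConnection) new java.net.URL(args[2]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // this connection only, not the JVM default
        System.out.println(conn.getResponseCode());
    }
}
```

Hostname verification is untouched: HttpsURLConnection's default verifier still runs, so the self-signed certificate must carry the name the client connects to. Updating the JRE no longer matters either, because the default delegate is obtained from the running JVM at start-up rather than from a copied cacerts file.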
Restlet client connecting to server with self signed certificate
I have a restlet client that needs to connect to a server with an untrusted cert. Other parts of my application need to connect to servers with trusted certs. I tried setting the trustStore in my client as follows, but once I did this it broke HTTPS calls to servers with trusted certificates. I'm assuming because my custom keystore is missing all the default cacerts entries.

    System.setProperty("javax.net.ssl.trustStore", new File(ccdResourceKeystore).getAbsolutePath());
    System.setProperty("javax.net.ssl.trustStorePassword", ccdResourceKeystorePassword);

Is there a way to have this client use a provided keystore and everything else in my app use the standard JRE cacerts? I don't really want to muck with the JRE-provided keystore if possible; I would like my client to just work if I ever decide to update the JRE, or deploy on a different server.

Is the same logic that applies to a restlet server supposed to work with a client?

    Series<Parameter> parameters = client.getContext().getParameters();
    parameters.add("sslContextFactory", "org.restlet.engine.security.DefaultSslContextFactory");
    parameters.add("keystorePath", "blah");
    parameters.add("keystorePassword", "blah");

--
View this message in context: http://n2.nabble.com/Restlet-client-connecting-to-server-with-self-signed-certificate-tp3715127p3715127.html
Sent from the Restlet Discuss mailing list archive at Nabble.com.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2400433