Re: [OT] truststore and keystore SSL
Hi Guys, Its a self signed certificate. I posted here is because there seems to be no reply from the httpclient-us...@hc.apache.org. Will there be a lot of changes when we changed to commercial certificates ? On Tue, Dec 20, 2011 at 7:14 AM, Tim Watts t...@cliftonfarm.org wrote: On Mon, 2011-12-19 at 18:06 -0500, Christopher Schultz wrote: On 12/17/11 2:34 AM, Lau Eng Huat wrote: The question that I have now is how to get it to work with apache httpclient components. Have you tried the apache-commons mailing list? Actually Http Components has been a top level project for sometime and they have their own list: http://hc.apache.org/
Re: [OT] truststore and keystore SSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Lau, On 12/20/11 5:24 AM, Lau Eng Huat wrote: Its a self signed certificate. I posted here is because there seems to be no reply from the httpclient-us...@hc.apache.org. Will there be a lot of changes when we changed to commercial certificates ? If you have a commercially-signed certificate then the JVM will probably not complain because the certificate authority is already trusted. I haven't checked recently with Oracle Java, but StartSSL offers SSL certificates for free if you can prove that you have control over a domain name (it's a simple process). I know that Firefox trusts their CA, so it's possible that Java will do the same. Maybe you could use a free signed SSL certificate for development and avoid all this work. Or, you could do what we do when this kind of thing comes up and disable the trust manager. That requires that you write some code. You might be able to adapt this to affect only *one* SSLContext, but we install it JVM-wide. YMMV. public static void disableSSLCertificateChecking() { TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() { public X509Certificate[] getAcceptedIssuers() { return null; } public void checkClientTrusted(X509Certificate[] certs, String authType) { } public void checkServerTrusted(X509Certificate[] certs, String authType) { } } }; try { SSLContext sc = SSLContext.getInstance(SSL); sc.init(null, trustAllCerts, new java.security.SecureRandom()); HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); } catch (KeyManagementException kme) { kme.printStackTrace(); } catch (NoSuchAlgorithmException nsae) { nsae.printStackTrace(); } } - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7wzyoACgkQ9CaO5/Lv0PB6HwCaArGDapXBeihGN8xEAoKOuBcj Gl0AoKoRl+cD69acg6tqM4heB6Yr5BMu =QAhi -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] truststore and keystore SSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Lau, Marking OT because this is not a Tomcat question: it's either http-components or Java-in-general. On 12/17/11 2:34 AM, Lau Eng Huat wrote: The question that I have now is how to get it to work with apache httpclient components. Have you tried the apache-commons mailing list? I found that the SSLSocketFactory has 4 constructor class of interest. They are [snip: list of constructors] Which one should I used and the pro and cons of using this ? If I used item 2 method, which one is tomcathost.jks and trust.jks in the first parameter and 3rd parameter. The trust store is always the keystore that contains the certificates to be trusted. That means that the trust store needs to contain the certificate from your remote web server. If the certificate was signed by a globally-trusted certificate authority (CA) such as VeriSign, Thawte, etc. then you probably don't need to go through any of this. Is this a self-signed cert? The other question is how to load certificates dynamically in java, how do I achieved this ? You will have to work this out for yourself. Perhaps you can do periodic re-loading of a keystore? - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7vw2cACgkQ9CaO5/Lv0PDreACgu9NyYUx27OX/IwPoQVa6FUm3 ZJAAn2v3Vy8H1ZjpYm2sbuFsei9T/OEn =/rrO -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] truststore and keystore SSL
On Mon, 2011-12-19 at 18:06 -0500, Christopher Schultz wrote: On 12/17/11 2:34 AM, Lau Eng Huat wrote: The question that I have now is how to get it to work with apache httpclient components. Have you tried the apache-commons mailing list? Actually Http Components has been a top level project for sometime and they have their own list: http://hc.apache.org/ signature.asc Description: This is a digitally signed message part