Julius

Thanks for the update! I occasionally follow jakarta-general. This
looks like a very useful set of code. In fact we have two requirements
that this seems to meet:

1) easily using different certs on different connections
2) working on any recent JDK, not just 1.5

I will happily support this for incubation if that's the right way to go.

Paul

On 2/24/07, Julius Davies <[EMAIL PROTECTED]> wrote:
Hi,

There's a vote on "jakarta-general" to have Jakarta sponsor
"not-yet-commons-ssl" for incubation.  I thought Synapse might be
interested.

I recently did an "alpha" release (0.3.7) of "not-yet-commons-ssl" to help
interop with Oleg's NIO-SSL stuff.  Please take a look if you have some
time!

http://juliusdavies.ca/commons-ssl/

Here's a code example:

==============================
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import org.apache.commons.ssl.HostnameVerifier;
import org.apache.commons.ssl.KeyMaterial;
import org.apache.commons.ssl.SSLClient;
import org.apache.commons.ssl.TrustMaterial;

SSLClient client = new SSLClient();

// Let's trust usual "cacerts" that come with Java.
// (This is actually redundant unless a previous
// setTrustMaterial() had wiped out the DEFAULT trust.)
client.addTrustMaterial( TrustMaterial.DEFAULT );

// Plus, let's also trust a self-signed cert.
client.addTrustMaterial( new TrustMaterial( "/path/to/self-signed.pem" ) );

// To be different, let's allow for expired certificates (not recommended).
client.setCheckExpiry( false );
client.setCheckCRL( true );

// Let's load a client certificate.  Can be OpenSSL style PEM
// or Netscape PKCS12 or Java Keystore format.
// Max: 1 private-key per SSLClient instance.
KeyMaterial km;
km = new KeyMaterial( "/path/to/client.pfx", "secret".toCharArray() );
client.setKeyMaterial( km );

// Get the SSLContext object to feed into Oleg's SSL-NIO module.
SSLContext context = client.getSSLContext();

// [later....]
String hostname = "mydomain.com";
X509Certificate cert = extractFromSSLSession();  // however you do that

// It will throw an SSLException if verification fails.
HostnameVerifier.DEFAULT.check( hostname, cert );
==============================

not-yet-commons-ssl also includes good support for hostname verification in
all its sundry variations (wildcards, subject alt names, both at the same
time!).  But when using NIO-SSL you need to extract the X509Certificate and
pass it into the HostnameVerifier.DEFAULT object.  It's not automatic with
NIO.  It's only automatic with the blocking SSL.

We based our hostname verification on this documentation:
http://wiki.cacert.org/wiki/VhostTaskForce

http://juliusdavies.ca/commons-ssl/javadocs/org/apache/commons/ssl/HostnameVerifier.html

[Sorry about the rich-text.  I'll follow up with a plain-text copy.]

--
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/


--
Paul Fremantle
VP/Technology, WSO2 and OASIS WS-RX TC Co-chair

http://bloglines.com/blog/paulfremantle
[EMAIL PROTECTED]

"Oxygenating the Web Service Platform", www.wso2.com
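The manual NIO step Julius describes above (pull the peer's X509Certificate out of the session, then hand it to HostnameVerifier.DEFAULT), written out as an added example; this is not code from the email or from not-yet-commons-ssl. It assumes a JSSE SSLEngine whose handshake has already completed, the class name NioHostnameCheck is hypothetical, and HostnameVerifier.DEFAULT.check(String, X509Certificate) is the call shown in the email.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import org.apache.commons.ssl.HostnameVerifier;

/** Hypothetical helper (not part of not-yet-commons-ssl). */
public final class NioHostnameCheck {

    /**
     * Completes the step that blocking SSL does automatically but NIO does not:
     * after the SSLEngine handshake finishes, take the peer's leaf certificate
     * from the session and check it against the host the application dialed.
     *
     * @param engine       an SSLEngine whose handshake has completed
     * @param expectedHost the hostname the application intended to reach
     * @return the verified leaf certificate
     * @throws SSLException if the peer is unauthenticated or the name does not match
     */
    public static X509Certificate verifyPeer(SSLEngine engine, String expectedHost)
            throws SSLException {
        // Verify against the name the application asked for, never a name the
        // peer supplied about itself (e.g. SSLSession.getPeerHost()).
        if (expectedHost == null || expectedHost.trim().length() == 0) {
            throw new SSLException("no expected hostname to verify against");
        }
        SSLSession session = engine.getSession();
        Certificate[] chain;
        try {
            // Throws if the peer was not authenticated (e.g. handshake not done,
            // or an anonymous cipher suite was negotiated).
            chain = session.getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            throw new SSLException("peer not authenticated; refusing to continue", e);
        }
        if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            throw new SSLException("peer presented no X.509 certificate");
        }
        // The end-entity certificate is first in the chain; that is the one whose
        // CN / subjectAltName must match the hostname.
        X509Certificate leaf = (X509Certificate) chain[0];
        // Throws SSLException on mismatch, as the email notes.
        HostnameVerifier.DEFAULT.check(expectedHost.trim(), leaf);
        return leaf;
    }
}
```

Call verifyPeer only once the engine reports the handshake is finished; until then the session carries no peer certificates and the check fails closed.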
