Hi, [email protected],

I'd like to add some refinements to this but I can't seem to subscribe
to the mailing list.

[EMAIL PROTECTED] is telling me the mailing list
has moved.


If I succeed at subscribing, I'd like to mention two things:

#1.  Just some minor editing to Sudip's great instructions.

#2.  Things would be easier if TLSClientParameters could include
setSSLSocketFactory/getSSLSocketFactory.  That way people could do
this:

// Just a sub-class of javax.net.ssl.SSLSocketFactory
SSLClient client = new SSLClient();
client.addTrustMaterial( TrustMaterial.DEFAULT );
client.addTrustMaterial( new TrustMaterial( "/path/to/self-signed.pem" ) );
// To be different, let's allow for expired certificates (not recommended).
client.setCheckHostname( true );  // default setting is "true" for SSLClient
client.setCheckExpiry( false );   // default setting is "true" for SSLClient
client.setCheckCRL( true );       // default setting is "true" for SSLClient

// This method doesn't exist yet, but if people are interested, I'll
// send a patch.
tlsClientParameters.setSSLSocketFactory(client);


CXF wouldn't need to know anything about not-yet-commons-ssl, because
org.apache.commons.ssl.SSLClient is a subclass of
javax.net.ssl.SSLSocketFactory!


Would CXF be interested in a patch like that?  Other fancy libraries
that offer handy sub-classes of javax.net.ssl.SSLSocketFactory would
also benefit.

(This should probably be sent to dev, not users - now people searching
through google are going to start complaining that the
tlsClientParameters.setSSLSocketFactory() method is missing!)

yours,

Julius




On Thu, Apr 24, 2008 at 9:16 AM, sudip shrestha <[EMAIL PROTECTED]> wrote:
> I have worked with the developer, Julius Davies
> (http://juliusdavies.ca/commons-ssl/), of the commons-ssl solution which he
> currently refers to as "not-yet-commons-ssl" to work out a very simple and
> reusable solution to develop a java client for ssl based connections.  This
> library encapsulates all the internal ssl connection details.  I am posting
> this for the benefit of those who are trying to develop a client without
> spring.
>
> 1. First download the commons-ssl library from
> http://juliusdavies.ca/commons-ssl/download.html and extract the .jar file,
> then run the following command:
> java -jar not-yet-commons-ssl-0.3.10.jar -t localhost:443 -tm
> /yourPathTo/host.crt
>
> 2. Then copy the section between -----BEGIN CERTIFICATE----- and -----END
> CERTIFICATE----- and put it in a Certificate.java file or whichever way you
> prefer.
>
> Then I have provided the code below:
> 3. Client Code:
>     JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
>     factory.setServiceClass( HelloWorld.class );
>     factory.setAddress( "https://localhost/services/HelloWorld" );
>     HelloWorld port = (HelloWorld) factory.create();
>
>     Client client = ClientProxy.getClient( port );
>     HTTPConduit httpConduit = (HTTPConduit) client.getConduit();
>     TLSClientParameters tlsParams = new TLSClientParameters();
>     tlsParams.setSecureSocketProtocol("SSL");
>     // restrict negotiation to these two cipher suites
>     FiltersType filters = new FiltersType();
>     filters.getInclude().add("SSL_RSA_WITH_RC4_128_MD5");
>     filters.getInclude().add("SSL_RSA_WITH_RC4_128_SHA");
>     tlsParams.setCipherSuitesFilter(filters);
>
>     // <<== trust managers come from getTrustManagers() in step 4.
>     tlsParams.setTrustManagers( getTrustManagers() );
>     httpConduit.setTlsClientParameters(tlsParams);
>
>
> 4. getTrustManagers function:
>
> private TrustManager[] getTrustManagers()
>         throws java.io.IOException, java.security.GeneralSecurityException
> {
>     // <<== comes from your Certificate.java file, where you store
>     //      the cert content from step 2.
>     byte[] pemCert = Certificates.pemCert_localhost;
>
>     // trust the self-signed server cert plus the JDK's cacerts roots
>     TrustChain tc = new TrustChain();
>     tc.addTrustMaterial( new TrustMaterial( pemCert ) );
>     tc.addTrustMaterial( TrustMaterial.CACERTS );
>     return ( TrustManager[] ) tc.getTrustManagers();
> }
>



-- 
yours,

Julius Davies
250-592-2284 (Home)
250-893-4579 (Mobile)
http://juliusdavies.ca/
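As an added example (not code from this thread, from CXF, or from not-yet-commons-ssl), the following shows what step 4's trust chain amounts to using only JDK APIs, wired into the conduit the way step 3 does. The class name PinnedTrust and the PEM placeholder are assumptions, and unlike TrustMaterial.CACERTS it trusts the pinned certificate alone, not the CA roots as well.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public class PinnedTrust {  // hypothetical class name
    // Constructed placeholder: paste the PEM block copied in step 2 here.
    static final String PEM_LOCALHOST =
        "-----BEGIN CERTIFICATE-----\n"
        + "<base64 body of the server certificate>\n"
        + "-----END CERTIFICATE-----\n";

    // Builds trust managers that accept only the pinned certificate: unlike
    // TrustMaterial.CACERTS in step 4, no CA roots are added, so a valid
    // CA-issued certificate for any other host is still rejected.
    static TrustManager[] trustManagersFor(String pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(
            new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
        cert.checkValidity();  // fail at startup if the pinned cert has expired
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);   // empty in-memory trust store
        ks.setCertificateEntry("localhost", cert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
            TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf.getTrustManagers();
    }

    // Wires the trust managers into the CXF conduit of an existing proxy,
    // as steps 3 and 4 do, leaving CXF's hostname (CN) check enabled.
    static void configure(Object port, String pem) throws Exception {
        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        TLSClientParameters tls = new TLSClientParameters();
        tls.setSecureSocketProtocol("TLS");
        tls.setTrustManagers(trustManagersFor(pem));
        tls.setDisableCNCheck(false);  // explicit: keep hostname verification
        conduit.setTlsClientParameters(tls);
    }
}
```

Call `PinnedTrust.configure(port, PinnedTrust.PEM_LOCALHOST)` on the proxy created in step 3 before the first invocation; a connection to a host presenting any other certificate then fails the handshake.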
