The test server I connect to has a self-signed certificate.
I get around the problem with less trouble this way:
First a class to fake verification

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

class LoginNullHostnameVerifier implements javax.net.ssl.HostnameVerifier {
    // Accepts every hostname: the name in the certificate is never checked.
    public boolean verify(String urlHostname, SSLSession session) {
        return true;
    }
}

Next a boolean flag somewhere appropriate to decide if it's needed

if (useNullVerifier) {
    HttpsURLConnection.setDefaultHostnameVerifier(new LoginNullHostnameVerifier());
}

dga
>>> [EMAIL PROTECTED] 09/21/2005 11:51:28 AM >>>
The client code needed to automagically connect to a self signed cert is not as straightforward as one may hope.
I feel compelled to share this code, it was the bane of my existence for several days:
(One or more of these may be needed for the code snapshot to compile; I have more code supporting an older version buried within my app, so pick and choose)
import java.security.*;
import java.security.spec.*;
import java.security.cert.*;
import javax.crypto.*;
import org.apache.xmlrpc.*;
import org.apache.xmlrpc.secure.*;
import javax.net.ssl.SSLSocketFactory;
import com.sun.net.ssl.*;

private class WorkAroundX509TrustManager implements X509TrustManager {
    // Trusts every client and server certificate chain without inspecting it.
    public boolean isClientTrusted(X509Certificate[] chain) { return true; }
    public boolean isServerTrusted(X509Certificate[] chain) { return true; }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}

private class WorkAroundHostnameVerifier implements HostnameVerifier {
    // Accepts any hostname, whatever the certificate says.
    public boolean verify(String hostname, String session) { return true; }
}

if (host.url.startsWith("https:")) {
    Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
    System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
    X509TrustManager tm = new WorkAroundX509TrustManager();
    KeyManager[] km = null;
    TrustManager[] tma = {tm};
    HostnameVerifier hmv = new WorkAroundHostnameVerifier();
    SSLContext sc = SSLContext.getInstance("ssl");
    sc.init(km, tma, new java.security.SecureRandom());
    SSLSocketFactory sf1 = sc.getSocketFactory();
    // Static defaults: they apply to every HttpsURLConnection created afterwards.
    HttpsURLConnection.setDefaultSSLSocketFactory(sf1);
    HttpsURLConnection.setDefaultHostnameVerifier(hmv);
    NetPermission np = new NetPermission("setDefaultAuthenticator");
    this.secureClient = new SecureXmlRpcClient(host.url);
    this.secureClient.setBasicAuthentication(host.user, host.getPass());
    this.secure = true;
} else {
    this.client = new XmlRpcClient(host.url);
    this.client.setBasicAuthentication(host.user, host.getPass());
    this.secure = false;
}

The server is too easy of course:

logger.info("Starting HTTPS Server with keystore: " + config.keyfile);
SecurityTool.setKeyStore(config.keyfile);
SecurityTool.setKeyStorePassword("YourKeyStorePasswordHere");
SecureWebServer server = new SecureWebServer(config.port);

Please forgive my usurping of the secure routines, I am not so worried about the encryption layer, I have control of the server and the clients for this app.
I know the errors generated from hitting a self signed cert are more than a little annoying though for some system programmers. Bits and pieces of this are documented somewhere, but who has the time.
Please spare me the debate about not signing your own keys, it will fail to stir the emotions you may hope in me.
It is a pleasure to finally be able to contribute a sober message on this list.
Good Luck, John
PS: I would like to note that I used to encrypt data on the wire before converting to XmlRpc and it was not fun, nor was the speed any better. In fact I believe ssl to be one of the fastest encryption protocols available today. My two cents.
John Buren Southerland
Southerland Consulting
801.467.8090(office)
214.734.8099(cell)
[EMAIL PROTECTED]
_____
From: Nicolas Hoibian [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 21, 2005 8:54 AM
To: [email protected]
Subject: Re: I need to encrypt xmlrpc calls
Sorry about the reply order. The correct sentence is:
"I think I did encrypt communications", using SSL and the tools provided with the xmlrpc classes.
The client parameters are a bit more complicated. I'll post the code on this ml if you're interested.
Nicolas Hoibian
2005/9/21, Nicolas Hoibian <[EMAIL PROTECTED]>:
2005/9/21, Tino Wildenhain <[EMAIL PROTECTED]>:
Starsscream Desepticon wrote:
> Hello
>
> How do you encrypt XmlRpc messages? I've had a look at
> Xml Security, but it is for encrypting/signing Xml
> messages (documents). When using XmlRpc I don't touch
> Xml directly. So is there a way of making my XmlRpc
> methods safe?
XMLRPC works over HTTP, so you usually just encrypt the
transport channel, meaning you use https (ssl).
HTH
Tino
I think I did so, using the Security Tool provided with xmlrpc and some black magic java keystore
//code in main :
SecurityTool.setKeyStore("keystoreFile");
SecurityTool.setTrustStore("keystoreFile");
SecurityTool.setKeyStorePassword("keystorePassword");
SecurityTool.setTrustStorePassword("keystorePassword");
server = new SecureWebServer(port);
server.addHandler("$default", handler);
server.start();
//code end
Correct me if I'm wrong, please.
Nicolas Hoibian