> On Feb 15, 2016, at 11:02 AM, Oleg Kalnichevski <ol...@apache.org> wrote:
>
> On Mon, 2016-02-15 at 10:54 -0500, Matt Chambers wrote:
>> Hi Oleg,
>>
>> Thanks for the response… I don't know if I'm setting this up right.
>>
>> Does anyone have the steps handy to have a Tomcat and HttpClient communicate
>> with each other using self-signed keys?
>>
>> -Matt
>>
>
> Matt,
>
> When it comes to SSL one _must_ know exactly what he or she is doing.
>
> Does the server use a self-signed cert (there is only one certificate in
> the cert chain) or does it use a cert signed by a custom CA (the cert
> chain consists of multiple certs)?
The server has a self-signed cert.

> When configured to use TrustSelfSignedStrategy HttpClient will accept
> the former but will reject the latter unless explicitly set up to trust
> the custom CA.
>
> So, what is it you are trying to do?

Good question. I started out wanting to get a private internal client/server communicating with SSL, using keys generated with keytool, which I've done before but with much older versions of HttpClient. That devolved into just getting anything working.

Basically, I generated the server key like this:

keytool -genkey -alias server -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore server.p12 -validity 3650 -keypass changeit -storepass changeit

The client keystore I generated with the exact same command except a different alias.

From the client keystore I exported its cert:

keytool -export -alias client -file client.cer -storetype PKCS12 -keystore keystore.p12

Then I created a trust store on the server and put in the client's cert:

keytool -import -file ../client/client.cer -storetype PKCS12 -keystore src/main/resources/truststore.p12

On the server, I specified the path to the trust store and its password.

With SSL debugging on, the client prints out the server's cert, but then says:

%% Invalidated: [Session-3, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
RegisterServiceImpl RUNNING, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
RegisterServiceImpl RUNNING, WRITE: TLSv1.2 Alert, length = 2
RegisterServiceImpl RUNNING, called closeSocket()
RegisterServiceImpl RUNNING, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Should I also export the server's cert to the client's trust store?
-Matt

> You might also want to run your app with SSL debugging turned on and find
> out why the SSL security provider rejects server creds presented during
> the SSL session handshake.
>
> Oleg
>
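Added example, not code from the thread or from the HttpClient project: a client built on the HttpClient 4.5 SSLContextBuilder/SSLContexts API that trusts a self-signed Tomcat certificate by holding that exact certificate in a PKCS12 trust store and presents its own client key pair, the setup the keytool commands above are working towards. The "PKIX path building failed: unable to find valid certification path" error in the debug trace is what the JDK reports when nothing in the client's trust store matches the server's chain, so the code assumes the server's certificate has been exported from the server keystore and imported into a client trust store (the assumed keytool commands are listed in the comment header). File names (client-truststore.p12, client.p12), the host server.internal:8443, the password changeit and the class name PinnedSelfSignedClient are assumptions for illustration.

```java
// Assumed keytool steps (illustrative names and passwords; CN of the server cert should
// be the hostname the client will connect to):
//   keytool -genkeypair -alias server -storetype PKCS12 -keyalg RSA -keysize 2048 \
//       -keystore server.p12 -validity 3650 -storepass changeit
//   keytool -exportcert -alias server -keystore server.p12 -storetype PKCS12 \
//       -storepass changeit -file server.cer
//   keytool -importcert -alias server -file server.cer -keystore client-truststore.p12 \
//       -storetype PKCS12 -storepass changeit -noprompt
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.EntityUtils;

public final class PinnedSelfSignedClient {

    /** Load a PKCS12 store explicitly: KeyStore.getDefaultType() is JKS on Java 8, which
     *  cannot read the .p12 files produced by keytool -storetype PKCS12. */
    static KeyStore loadPkcs12(File file, char[] password) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** "PKIX path building failed" means nothing in the trust store anchors the server's chain.
     *  For a self-signed server cert the chain is one cert, so the trust store must contain that
     *  exact cert as a trusted-certificate entry. Fail early with a clear message if it does not. */
    static void requireTrustedCertificate(KeyStore trustStore) throws GeneralSecurityException {
        for (String alias : Collections.list(trustStore.aliases())) {
            if (trustStore.isCertificateEntry(alias)) {
                return;
            }
        }
        throw new IllegalStateException(
                "trust store holds no trusted-certificate entry; import the server's exported cert first");
    }

    static CloseableHttpClient build(File trustStoreFile, char[] trustStorePassword,
                                     File keyStoreFile, char[] keyStorePassword)
            throws GeneralSecurityException, IOException {
        KeyStore trustStore = loadPkcs12(trustStoreFile, trustStorePassword);
        requireTrustedCertificate(trustStore);
        KeyStore keyStore = loadPkcs12(keyStoreFile, keyStorePassword);

        SSLContext sslContext = SSLContexts.custom()
                // null strategy: trust exactly the certs in the store. TrustSelfSignedStrategy
                // would accept *any* self-signed cert, which defeats the purpose of a private trust store.
                .loadTrustMaterial(trustStore, null)
                // The client's own key pair, sent when Tomcat is configured to require a client cert.
                // The assumed keytool command set only -storepass, so the same password unlocks the key.
                .loadKeyMaterial(keyStore, keyStorePassword)
                .build();

        // Trust is only half of validation: DefaultHostnameVerifier also requires the server cert's
        // CN/SAN to match the host in the URL, otherwise the connection still fails (with a different error).
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                sslContext, new String[] {"TLSv1.2"}, null, new DefaultHostnameVerifier());
        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();
        try (CloseableHttpClient client = build(new File("client-truststore.p12"), pw,
                                                new File("client.p12"), pw);
             CloseableHttpResponse response = client.execute(new HttpGet("https://server.internal:8443/"))) {
            System.out.println(response.getStatusLine());
            System.out.println(EntityUtils.toString(response.getEntity()));
        }
    }
}
```

The mirror-image steps (export the client cert, import it into the server's trust store) are the ones already carried out above; the Tomcat connector then needs truststoreFile/truststorePass pointing at that store and clientAuth="true" for the client key material in this example to be requested at all. Running the client with -Djavax.net.debug=ssl,handshake shows which cert is presented and which trust anchor, if any, it was matched against.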