On Mon, 2016-02-15 at 11:40 -0500, Matt Chambers wrote:
> > On Feb 15, 2016, at 11:02 AM, Oleg Kalnichevski <ol...@apache.org> wrote:
> >
> > On Mon, 2016-02-15 at 10:54 -0500, Matt Chambers wrote:
> >> Hi Oleg,
> >>
> >> Thanks for the response... I don't know if I'm setting this up right.
> >>
> >> Does anyone have the steps handy to have a Tomcat and HttpClient
> >> communicate with each other using self-signed keys?
> >>
> >> -Matt
> >>
> >
> > Matt,
> >
> > When it comes to SSL one _must_ know exactly what he or she is doing.
> >
> > Does the server use a self-signed cert (there is only one certificate in
> > the cert chain) or does it use a cert signed by a custom CA (the cert
> > chain consists of multiple certs)?
>
> The server has a self-signed cert.
>
> >
> > When configured to use TrustSelfSignedStrategy HttpClient will accept
> > the former but will reject the latter unless explicitly set up to trust
> > the custom CA.
> >
> > So, what is it you are trying to do?
>
> Good question.
>
> I started out wanting to get a private internal client/server communicating
> with SSL, using keys generated with keytool, which I've done before but with
> much older versions of HttpClient. That devolved into just getting anything
> working.
>
> Basically, I generated the server key like this:
>
>   keytool -genkey -alias server -storetype PKCS12 -keyalg RSA -keysize 2048 \
>     -keystore server.p12 -validity 3650 -keypass changeit -storepass changeit
>
> The client keystore I generated with the exact same command except a different
> alias.
>
> From the client keystore I exported its cert:
>
>   keytool -export -alias client -file client.cer -storetype PKCS12 \
>     -keystore keystore.p12
>
> Then I created a trust store on the server and put in the client's cert:
>
>   keytool -import -file ../client/client.cer -storetype PKCS12 \
>     -keystore src/main/resources/truststore.p12
>
So, the server trusts the client but the client does not trust the server? Is
that what you really want?

> On the server, I specified the path to the trust store and its password.
>
> With SSL debugging on, the client prints out the server's cert, but then says:
>
> %% Invalidated: [Session-3, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
> RegisterServiceImpl RUNNING, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
> RegisterServiceImpl RUNNING, WRITE: TLSv1.2 Alert, length = 2
> RegisterServiceImpl RUNNING, called closeSocket()
> RegisterServiceImpl RUNNING, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>
> Should I also export the server's cert to the client's trust store?
>

Shall I take a blue pill or a red one? Do you want the client to trust the
server?

Please post the complete SSL debug log (obfuscating sensitive stuff if
necessary).

Oleg

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
For additional commands, e-mail: httpclient-users-h...@hc.apache.org
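The setup the thread is circling (the client trusting the server's self-signed cert, and the server trusting the client's), shown as an added example that is not code from this thread or from HttpClient itself. It assumes HttpClient 4.4 or later and a hypothetical client-truststore.p12 into which the server's cert has been imported with keytool -import after exporting it from server.p12 with keytool -export; the paths and passwords are placeholders.

```java
import java.io.File;
import javax.net.ssl.SSLContext;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

public class TrustedSelfSignedClient {

    // Placeholder paths and passwords (not from the thread). The truststore is
    // assumed to contain exactly one entry: the server's exported certificate.
    private static final File TRUSTSTORE = new File("client-truststore.p12");
    private static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();
    // The client's own key pair, so Tomcat can authenticate the client in turn.
    private static final File KEYSTORE = new File("client.p12");
    private static final char[] KEYSTORE_PASSWORD = "changeit".toCharArray();

    static CloseableHttpClient build() throws Exception {
        // Trust only what is in the truststore, i.e. this one server cert.
        // This is the "client trusts the server" half that was missing; it is
        // stricter than TrustSelfSignedStrategy, which would accept any
        // self-signed cert presented by anyone.
        SSLContext sslContext = SSLContexts.custom()
                .loadTrustMaterial(TRUSTSTORE, TRUSTSTORE_PASSWORD)
                .loadKeyMaterial(KEYSTORE, KEYSTORE_PASSWORD, KEYSTORE_PASSWORD)
                .build();

        // Keep hostname verification on: the self-signed cert's CN or SAN must
        // match the host being contacted, otherwise the handshake is rejected.
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                sslContext, new String[] {"TLSv1.2"}, null, new DefaultHostnameVerifier());

        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }

    public static void main(String[] args) throws Exception {
        try (CloseableHttpClient client = build();
             CloseableHttpResponse response =
                     client.execute(new HttpGet("https://localhost:8443/"))) {
            System.out.println(response.getStatusLine());
        }
    }
}
```

If the truststore lacks the server's cert, this client fails with the same "PKIX path building failed" exception quoted above; the fix is on the keytool side (import the server cert), not in the client code.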