Hi Oleg, Well, I finally got it working.
Apparently you can’t use PoolingClientConnectionManager with a custom SSL context without registering the SSLConnectionSocket factory, like so: Registry<ConnectionSocketFactory> socketFactoryRegistry = RegistryBuilder .<ConnectionSocketFactory> create().register("https", factory) .build(); PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager(socketFactoryRegistry); this.client = HttpClients.custom() .setConnectionManager(cm) .build(); Thank you for your time. -Matt > On Feb 15, 2016, at 11:49 AM, Oleg Kalnichevski <ol...@apache.org> wrote: > > On Mon, 2016-02-15 at 11:40 -0500, Matt Chambers wrote: >>> On Feb 15, 2016, at 11:02 AM, Oleg Kalnichevski <ol...@apache.org> wrote: >>> >>> On Mon, 2016-02-15 at 10:54 -0500, Matt Chambers wrote: >>>> Hi Oleg, >>>> >>>> Thanks for response…I don’t know if I’m seeing this up right. >>>> >>>> Does anyone have the steps handy to have a Tomcat and HttpClient >>>> communicate with each other using self signed keys? >>>> >>>> -Matt >>>> >>> >>> Matt, >>> >>> When it comes to SSL one _must_ know exactly what he or she is doing. >>> >>> Does the server use a self-signed cert (there is only one certificate in >>> the cert chain) or does it use a cert signed by a custom CA (the cert >>> chain consists of multiple certs)? >> >> The server has a self signed cert. >> >>> >>> When configured to use TrustSelfSignedStrategy HttpClient will accept >>> the former but will reject the latter unless explicitly set up to trust >>> the custom CA. >>> >>> So, what is it you are trying to do? >> >> Good question. >> >> I started out wanting to get a private internal client/server communicating >> with SSL, using keys generated with key tool, which I’ve done before but >> with much older versions of HttpClient. That devolved into just getting >> anything working. >> >> Basically, I generated the server key like this: >> keytool -genkey -alias server -storetype PKCS12 -keyalg RSA -keysize 2048 >> -keystore server.p12 -validity 3650 -keypass change -it storepass changeit >> >> The client keystore i generated with exact same command except different >> alias. >> >> From the client keystore I exported its cert >> keytool -export -alias client -file client.cer -storetype PKCS12 -keystore >> keystore.p12 >> >> Then I created a trust store on the server and put in the clients cert >> keytool -import -file ../client/client.cer -storetype PKCS12 -keystore >> src/main/resources/truststore.p12 >> > > Do, the server trusts the client but the client does not trust the > server? Is that what you really want? > > >> On the server, I specified the path to the trust store and its password. >> >> With SSL debugging on, the client prints out the server’s cert, but then >> says: >> >> %% Invalidated: [Session-3, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256] >> RegisterServiceImpl RUNNING, SEND TLSv1.2 ALERT: fatal, description = >> certificate_unknown >> RegisterServiceImpl RUNNING, WRITE: TLSv1.2 Alert, length = 2 >> RegisterServiceImpl RUNNING, called closeSocket() >> RegisterServiceImpl RUNNING, handling exception: >> javax.net.ssl.SSLHandshakeException: >> sun.security.validator.ValidatorException: PKIX path building failed: >> sun.security.provider.certpath.SunCertPathBuilderException: unable to find >> valid certification path to requested target >> >> Should I also export the server's cert to the client’s trust store? >> > > Shall I take a blue pill or a red one? > > Do you want the client to trust the server? > > Please post the complete SSL debug log (obfuscating sensitive stuff if > necessary). > > Oleg > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org > <mailto:httpclient-users-unsubscr...@hc.apache.org> > For additional commands, e-mail: httpclient-users-h...@hc.apache.org > <mailto:httpclient-users-h...@hc.apache.org>