Hi Oleg,
Well, I finally got it working.
Apparently you can’t use PoolingClientConnectionManager with a custom SSL
context without registering the SSLConnectionSocket factory, like so:
Registry<ConnectionSocketFactory> socketFactoryRegistry =
RegistryBuilder
.<ConnectionSocketFactory> create().register("https", factory)
.build();
PoolingHttpClientConnectionManager cm = new
PoolingHttpClientConnectionManager(socketFactoryRegistry);
this.client = HttpClients.custom()
.setConnectionManager(cm)
.build();
Thank you for your time.
-Matt
> On Feb 15, 2016, at 11:49 AM, Oleg Kalnichevski <ol...@apache.org> wrote:
>
> On Mon, 2016-02-15 at 11:40 -0500, Matt Chambers wrote:
>>> On Feb 15, 2016, at 11:02 AM, Oleg Kalnichevski <ol...@apache.org> wrote:
>>>
>>> On Mon, 2016-02-15 at 10:54 -0500, Matt Chambers wrote:
>>>> Hi Oleg,
>>>>
>>>> Thanks for response…I don’t know if I’m seeing this up right.
>>>>
>>>> Does anyone have the steps handy to have a Tomcat and HttpClient
>>>> communicate with each other using self signed keys?
>>>>
>>>> -Matt
>>>>
>>>
>>> Matt,
>>>
>>> When it comes to SSL one _must_ know exactly what he or she is doing.
>>>
>>> Does the server use a self-signed cert (there is only one certificate in
>>> the cert chain) or does it use a cert signed by a custom CA (the cert
>>> chain consists of multiple certs)?
>>
>> The server has a self signed cert.
>>
>>>
>>> When configured to use TrustSelfSignedStrategy HttpClient will accept
>>> the former but will reject the latter unless explicitly set up to trust
>>> the custom CA.
>>>
>>> So, what is it you are trying to do?
>>
>> Good question.
>>
>> I started out wanting to get a private internal client/server communicating
>> with SSL, using keys generated with key tool, which I’ve done before but
>> with much older versions of HttpClient. That devolved into just getting
>> anything working.
>>
>> Basically, I generated the server key like this:
>> keytool -genkey -alias server -storetype PKCS12 -keyalg RSA -keysize 2048
>> -keystore server.p12 -validity 3650 -keypass change -it storepass changeit
>>
>> The client keystore i generated with exact same command except different
>> alias.
>>
>> From the client keystore I exported its cert
>> keytool -export -alias client -file client.cer -storetype PKCS12 -keystore
>> keystore.p12
>>
>> Then I created a trust store on the server and put in the clients cert
>> keytool -import -file ../client/client.cer -storetype PKCS12 -keystore
>> src/main/resources/truststore.p12
>>
>
> Do, the server trusts the client but the client does not trust the
> server? Is that what you really want?
>
>
>> On the server, I specified the path to the trust store and its password.
>>
>> With SSL debugging on, the client prints out the server’s cert, but then
>> says:
>>
>> %% Invalidated: [Session-3, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
>> RegisterServiceImpl RUNNING, SEND TLSv1.2 ALERT: fatal, description =
>> certificate_unknown
>> RegisterServiceImpl RUNNING, WRITE: TLSv1.2 Alert, length = 2
>> RegisterServiceImpl RUNNING, called closeSocket()
>> RegisterServiceImpl RUNNING, handling exception:
>> javax.net.ssl.SSLHandshakeException:
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>> valid certification path to requested target
>>
>> Should I also export the server's cert to the client’s trust store?
>>
>
> Shall I take a blue pill or a red one?
>
> Do you want the client to trust the server?
>
> Please post the complete SSL debug log (obfuscating sensitive stuff if
> necessary).
>
> Oleg
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
> <mailto:httpclient-users-unsubscr...@hc.apache.org>
> For additional commands, e-mail: httpclient-users-h...@hc.apache.org
> <mailto:httpclient-users-h...@hc.apache.org>
