On Mon, 2016-03-21 at 14:21 +0100, Bernd wrote:
> Hello,
>
> I am writing a TrustStrategy which is processing http.spki-pinning. I have
> one strategy instance per fingerprint (and use it only for one host).
>
> The isTrusted(chain, authType) method will return a CertificateException
> when the PIN is wrong, and it will "return false" when the pin is correct
> (defering all other checks to the system trust manager).
>
> I wonder now, is it guranteed that chain[0] contains the server certificate
> which is actually used for the handshake? The Javadoc only says "peer
> certificate chain" with no further description what can be dependent upon.
>
Bernd
I am afraid this is the wrong place to seek an authoritative answer to
this question. I believe that the first cert in the chain is the one
that uniquely identifies the peer in SSL handshake, but it is merely an
assumption.
Oleg
> In my special case the TrustStrategy is also executed before the
> TrustManager, does this mean I do need to do some more checks to make sure
> I actually verify the server certificate and not intermediate or excessive
> certificates?
>
> Using httpclient:4.5
>
> like this:
>
> HttpClientBuilder builder = HttpClients.custom();
> builder.disableCookieManagement();
> builder.disableAuthCaching();
> builder.disableRedirectHandling();
> TrustStrategy pinnedCertTrust = new PinnedCertTrust("e93..");
> SSLContext sslcontext =
> SSLContexts.custom().useProtocol("TLSv1.2").loadTrustMaterial(pinnedCertTrust).build();
> SSLConnectionSocketFactory sslsf = new
> SSLConnectionSocketFactory(sslcontext, new String[] { "TLSv1.2" }, null,
> SSLConnectionSocketFactory.getDefaultHostnameVerifier());
> builder.setSSLSocketFactory(sslsf);
> CloseableHttpClient client = builder.build();
>
>
> Gruss
> Bernd
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
For additional commands, e-mail: httpclient-users-h...@hc.apache.org
