Hello,

I guess it depends on the definition of "verifying session". For
example, I was using the TrustStrategy to do (additional) certificate
public key info pinning:

  pinnedCertTrust = new PinnedCertTrust("...=");
  // this context falls back to system trust material (but first checks pinning)
  SSLContext sslcontext = SSLContexts.custom().useProtocol("TLSv1.2")
                                              .loadTrustMaterial(pinnedCertTrust).build();
  // Allow TLSv1.2 protocol only
  SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslcontext,
                                           new String[] { "TLSv1.2" },
                                           null,
                                           SSLConnectionSocketFactory.getDefaultHostnameVerifier());
  builder.setSSLSocketFactory(sslsf);

If the pin fails it throws a CertificateException; when it succeeds it
returns false (which falls back to doing all normal trust checks in
addition to the pinning).

Regards
Bernd




On Mon, 22 Aug 2016 17:09:34 +0200,
Oleg Kalnichevski <ol...@apache.org> wrote:

> On August 22, 2016 2:50:35 PM GMT+02:00, Sachin Nikumbh
> <sachin.niku...@mathworks.com> wrote:
> >Hi Oleg,
> >
> >Thanks for your response. I had thought of using custom
> >HostnameVerifier. However, it only gets called if the default
> >hostname verification fails and that won’t work for me. We need to
> >do the custom verification for the server certificate when the
> >default hostname verification is successful as well.
> >
> >We have an existing code that uses CloseableHttpAsyncClient. We have
> >solved our problem by using a custom SSLIOSessionStrategy,
> >RegistryBuilder and PoolingNHttpClientConnectionManager. Is there any
> >way to use similar technique with the CloseableHttpClient?
> >
> >Thanks
> >Sachin
> >
> 
> ConnectionSocketFactory in the classic HttpClient module will give
> you full control over the process of socket initialization. See the
> stock SSL implementation for details and use it as a starting point.
> 
> Oleg
> 
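
A TrustStrategy with the behaviour described in the message above (throw CertificateException on a pin mismatch, return false on a match so the default trust manager still validates the chain), as an added example that is not Bernd's PinnedCertTrust and not HttpClient's own code. The class name SpkiPinTrustStrategy, the pin format (base64 of the SHA-256 of the SubjectPublicKeyInfo) and the choice to pin only the leaf certificate are assumptions; it targets the org.apache.http.ssl.TrustStrategy interface of HttpClient 4.4+.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import org.apache.http.ssl.TrustStrategy;

/** Hypothetical SPKI-pinning strategy; the name and pin format are assumptions. */
public final class SpkiPinTrustStrategy implements TrustStrategy {

    // SHA-256 digest of the pinned DER-encoded SubjectPublicKeyInfo
    private final byte[] expectedPin;

    /** @param base64Pin base64(SHA-256(SubjectPublicKeyInfo)) of the expected server key */
    public SpkiPinTrustStrategy(String base64Pin) {
        this.expectedPin = Base64.getDecoder().decode(base64Pin);
    }

    @Override
    public boolean isTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("Empty certificate chain");
        }
        MessageDigest sha256;
        try {
            sha256 = MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException("SHA-256 unavailable", e);
        }
        // Check only chain[0], the leaf. This method runs before path validation,
        // so the remaining entries are unverified and the peer can append any
        // certificate it likes; only the leaf key is proven by the handshake.
        // For an X.509 certificate, getPublicKey().getEncoded() is the DER
        // SubjectPublicKeyInfo.
        byte[] actualPin = sha256.digest(chain[0].getPublicKey().getEncoded());
        if (!MessageDigest.isEqual(expectedPin, actualPin)) {
            throw new CertificateException("Server key does not match the pinned key");
        }
        // false means "not unconditionally trusted": the SSLContext then runs the
        // default TrustManager, so the pin is an additional check, not a replacement.
        return false;
    }
}
```

Returning true here instead would skip the default chain validation and make the pin the only check.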

