Re: HTTPClient SSL self signed cert

2016-02-16 Thread Brent Putman


On 2/15/16 12:52 PM, Matt Chambers wrote:
> Hi Oleg,
>
> Well, I finally got it working.
>
> Apparently you can’t use PoolingClientConnectionManager with a custom SSL 
> context without registering the SSLConnectionSocket factory, like so:
>
> // factory is the SSLConnectionSocketFactory built from the custom SSLContext
> Registry<ConnectionSocketFactory> socketFactoryRegistry = 
> RegistryBuilder.<ConnectionSocketFactory>create()
> .register("https", factory)
> .build();
>
> PoolingHttpClientConnectionManager cm = new 
> PoolingHttpClientConnectionManager(socketFactoryRegistry);
>
> this.client = HttpClients.custom()
> .setConnectionManager(cm)
> .build();
>

Ah, ok.  Just wanted to note a couple of things:  There are indeed
numerous properties on the HttpClientBuilder (used by HttpClients) which
are overridden and not used if you specify a non-default connection
manager, including the SSL socket factory.  I believe these are all
documented in Javadoc on each method.

Also, in your original example:

this.client = HttpClients.custom()
.setConnectionManager(new PoolingHttpClientConnectionManager())
.setSSLSocketFactory(new SSLConnectionSocketFactory(SSLContexts.custom()
.loadTrustMaterial(null, new TrustSelfSignedStrategy())
.build()))
.setSSLHostnameVerifier(new NoopHostnameVerifier())
.build();


since PoolingHttpClientConnectionManager is actually the builder
internal default, if you simply omitted the call to explicitly create
and set it, the above would have worked.  You'd really only need to
supply a connection manager explicitly like that if you wanted to set
other properties that the builder doesn't support, and/or use a
different connection manager impl.


--Brent
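As an added example that is not code from the thread: the SSL socket factory is registered on the connection manager, as Brent explains, and the trust decision is anchored in a PKCS12 trust store holding the server's exported certificate (which is what Matt's last question amounts to), keeping the default host name verifier instead of NoopHostnameVerifier. The trust store path, password and URL are placeholders; HttpClient 4.4+ APIs are assumed.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.ssl.SSLContexts;

public final class PinnedSelfSignedClient {

    /**
     * Builds a client that trusts exactly the certificates in the given PKCS12
     * trust store (for a self-signed server that is the server's own cert) and
     * still checks that the certificate matches the host name being contacted.
     */
    public static CloseableHttpClient build(String trustStorePath, char[] trustStorePassword)
            throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(trustStorePath))) {
            trustStore.load(in, trustStorePassword);
        }

        // No TrustStrategy here: only certificates present in trustStore are accepted.
        // TrustSelfSignedStrategy would instead accept *any* single-cert chain from anyone.
        SSLContext sslContext = SSLContexts.custom()
                .loadTrustMaterial(trustStore, null)
                .build();

        // Keep host name verification. NoopHostnameVerifier would let any trusted
        // certificate authenticate any host name.
        SSLConnectionSocketFactory sslFactory =
                new SSLConnectionSocketFactory(sslContext, new DefaultHostnameVerifier());

        // A connection manager passed to the builder overrides setSSLSocketFactory()
        // and setSSLHostnameVerifier(), so the factory has to go into its registry.
        Registry<ConnectionSocketFactory> registry =
                RegistryBuilder.<ConnectionSocketFactory>create()
                        .register("http", PlainConnectionSocketFactory.getSocketFactory())
                        .register("https", sslFactory)
                        .build();
        PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager(registry);

        return HttpClients.custom()
                .setConnectionManager(cm)
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path, password and URL; the store holds the server's exported cert.
        try (CloseableHttpClient client = build("truststore.p12", "changeit".toCharArray());
             CloseableHttpResponse resp = client.execute(new HttpGet("https://localhost:8443/"))) {
            System.out.println(resp.getStatusLine());
        }
    }
}
```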



Re: HTTPClient SSL self signed cert

2016-02-15 Thread Matt Chambers
Hi Oleg,

Well, I finally got it working.

Apparently you can’t use PoolingClientConnectionManager with a custom SSL 
context without registering the SSLConnectionSocket factory, like so:

// factory is the SSLConnectionSocketFactory built from the custom SSLContext
Registry<ConnectionSocketFactory> socketFactoryRegistry = 
RegistryBuilder.<ConnectionSocketFactory>create()
.register("https", factory)
.build();

PoolingHttpClientConnectionManager cm = new 
PoolingHttpClientConnectionManager(socketFactoryRegistry);

this.client = HttpClients.custom()
.setConnectionManager(cm)
.build();

Thank you for your time.

-Matt

> On Feb 15, 2016, at 11:49 AM, Oleg Kalnichevski  wrote:
> 
> On Mon, 2016-02-15 at 11:40 -0500, Matt Chambers wrote:
>>> On Feb 15, 2016, at 11:02 AM, Oleg Kalnichevski  wrote:
>>> 
>>> On Mon, 2016-02-15 at 10:54 -0500, Matt Chambers wrote:
>>>> Hi Oleg,
>>>> 
>>>> Thanks for the response… I don’t know if I’m setting this up right.
>>>> 
>>>> Does anyone have the steps handy to have a Tomcat and HttpClient 
>>>> communicate with each other using self signed keys?
>>>> 
>>>> -Matt
>>>> 
>>> 
>>> Matt,
>>> 
>>> When it comes to SSL one _must_ know exactly what he or she is doing. 
>>> 
>>> Does the server use a self-signed cert (there is only one certificate in
>>> the cert chain) or does it use a cert signed by a custom CA (the cert
>>> chain consists of multiple certs)?  
>> 
>> The server has a self signed cert.
>> 
>>> 
>>> When configured to use TrustSelfSignedStrategy HttpClient will accept
>>> the former but will reject the latter unless explicitly set up to trust
>>> the custom CA. 
>>> 
>>> So, what is it you are trying to do? 
>> 
>> Good question.
>> 
>> I started out wanting to get a private internal client/server communicating 
>> with SSL, using keys generated with key tool, which I’ve done before but 
>> with much older versions of HttpClient.  That devolved into just getting 
>> anything working.
>> 
>> Basically, I generated the server key like this:
>> keytool -genkey -alias server -storetype PKCS12 -keyalg RSA -keysize 2048 
>> -keystore server.p12 -validity 3650 -keypass changeit -storepass changeit
>> 
>> The client keystore I generated with the exact same command except for a 
>> different alias.
>> 
>> From the client keystore I exported its cert
>> keytool -export -alias client -file client.cer -storetype PKCS12 -keystore 
>> keystore.p12
>> 
>> Then I created a trust store on the server and put in the client's cert
>> keytool -import -file ../client/client.cer -storetype PKCS12 -keystore 
>> src/main/resources/truststore.p12
>> 
> 
> So, the server trusts the client but the client does not trust the
> server? Is that what you really want?
> 
> 
>> On the server, I specified the path to the trust store and its password.
>> 
>> With SSL debugging on, the client prints out the server’s cert, but then 
>> says:
>> 
>> %% Invalidated:  [Session-3, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
>> RegisterServiceImpl RUNNING, SEND TLSv1.2 ALERT:  fatal, description = 
>> certificate_unknown
>> RegisterServiceImpl RUNNING, WRITE: TLSv1.2 Alert, length = 2
>> RegisterServiceImpl RUNNING, called closeSocket()
>> RegisterServiceImpl RUNNING, handling exception: 
>> javax.net.ssl.SSLHandshakeException: 
>> sun.security.validator.ValidatorException: PKIX path building failed: 
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
>> valid certification path to requested target
>> 
>> Should I also export the server's cert to the client’s trust store?
>> 
> 
> Shall I take a blue pill or a red one? 
> 
> Do you want the client to trust the server?
> 
> Please post the complete SSL debug log (obfuscating sensitive stuff if
> necessary).
> 
> Oleg
> 
> 
> 
> -
> To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org 
> 
> For additional commands, e-mail: httpclient-users-h...@hc.apache.org 
> 


Re: HTTPClient SSL self signed cert

2016-02-15 Thread Oleg Kalnichevski
On Mon, 2016-02-15 at 11:40 -0500, Matt Chambers wrote:
> > On Feb 15, 2016, at 11:02 AM, Oleg Kalnichevski  wrote:
> > 
> > On Mon, 2016-02-15 at 10:54 -0500, Matt Chambers wrote:
> >> Hi Oleg,
> >> 
> >> Thanks for the response… I don’t know if I’m setting this up right.
> >> 
> >> Does anyone have the steps handy to have a Tomcat and HttpClient 
> >> communicate with each other using self signed keys?
> >> 
> >> -Matt
> >> 
> > 
> > Matt,
> > 
> > When it comes to SSL one _must_ know exactly what he or she is doing. 
> > 
> > Does the server use a self-signed cert (there is only one certificate in
> > the cert chain) or does it use a cert signed by a custom CA (the cert
> > chain consists of multiple certs)?  
> 
> The server has a self signed cert.
> 
> > 
> > When configured to use TrustSelfSignedStrategy HttpClient will accept
> > the former but will reject the latter unless explicitly set up to trust
> > the custom CA. 
> > 
> > So, what is it you are trying to do? 
> 
> Good question.
> 
> I started out wanting to get a private internal client/server communicating 
> with SSL, using keys generated with key tool, which I’ve done before but with 
> much older versions of HttpClient.  That devolved into just getting anything 
> working.
> 
> Basically, I generated the server key like this:
> keytool -genkey -alias server -storetype PKCS12 -keyalg RSA -keysize 2048 
> -keystore server.p12 -validity 3650 -keypass changeit -storepass changeit
> 
> The client keystore I generated with the exact same command except for a 
> different alias.
> 
> From the client keystore I exported its cert
> keytool -export -alias client -file client.cer -storetype PKCS12 -keystore 
> keystore.p12
> 
> Then I created a trust store on the server and put in the client's cert
> keytool -import -file ../client/client.cer -storetype PKCS12 -keystore 
> src/main/resources/truststore.p12
> 

So, the server trusts the client but the client does not trust the
server? Is that what you really want?


> On the server, I specified the path to the trust store and its password.
> 
> With SSL debugging on, the client prints out the server’s cert, but then says:
> 
> %% Invalidated:  [Session-3, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
> RegisterServiceImpl RUNNING, SEND TLSv1.2 ALERT:  fatal, description = 
> certificate_unknown
> RegisterServiceImpl RUNNING, WRITE: TLSv1.2 Alert, length = 2
> RegisterServiceImpl RUNNING, called closeSocket()
> RegisterServiceImpl RUNNING, handling exception: 
> javax.net.ssl.SSLHandshakeException: 
> sun.security.validator.ValidatorException: PKIX path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target
> 
> Should I also export the server's cert to the client’s trust store?
> 

Shall I take a blue pill or a red one? 

Do you want the client to trust the server?

Please post the complete SSL debug log (obfuscating sensitive stuff if
necessary).

Oleg






Re: HTTPClient SSL self signed cert

2016-02-15 Thread Matt Chambers

> On Feb 15, 2016, at 11:02 AM, Oleg Kalnichevski  wrote:
> 
> On Mon, 2016-02-15 at 10:54 -0500, Matt Chambers wrote:
>> Hi Oleg,
>> 
>> Thanks for the response… I don’t know if I’m setting this up right.
>> 
>> Does anyone have the steps handy to have a Tomcat and HttpClient communicate 
>> with each other using self signed keys?
>> 
>> -Matt
>> 
> 
> Matt,
> 
> When it comes to SSL one _must_ know exactly what he or she is doing. 
> 
> Does the server use a self-signed cert (there is only one certificate in
> the cert chain) or does it use a cert signed by a custom CA (the cert
> chain consists of multiple certs)?  

The server has a self signed cert.

> 
> When configured to use TrustSelfSignedStrategy HttpClient will accept
> the former but will reject the latter unless explicitly set up to trust
> the custom CA. 
> 
> So, what is it you are trying to do? 

Good question.

I started out wanting to get a private internal client/server communicating 
with SSL, using keys generated with key tool, which I’ve done before but with 
much older versions of HttpClient.  That devolved into just getting anything 
working.

Basically, I generated the server key like this:
keytool -genkey -alias server -storetype PKCS12 -keyalg RSA -keysize 2048 
-keystore server.p12 -validity 3650 -keypass changeit -storepass changeit

The client keystore I generated with the exact same command except for a different alias.

From the client keystore I exported its cert
keytool -export -alias client -file client.cer -storetype PKCS12 -keystore 
keystore.p12

Then I created a trust store on the server and put in the client's cert
keytool -import -file ../client/client.cer -storetype PKCS12 -keystore 
src/main/resources/truststore.p12

On the server, I specified the path to the trust store and its password.

With SSL debugging on, the client prints out the server’s cert, but then says:

%% Invalidated:  [Session-3, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
RegisterServiceImpl RUNNING, SEND TLSv1.2 ALERT:  fatal, description = 
certificate_unknown
RegisterServiceImpl RUNNING, WRITE: TLSv1.2 Alert, length = 2
RegisterServiceImpl RUNNING, called closeSocket()
RegisterServiceImpl RUNNING, handling exception: 
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: 
PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target

Should I also export the server's cert to the client’s trust store?

-Matt

> 
> You might also want to run your app with SSL debugging turned on and find
> out why the SSL security provider rejects server creds presented during
> the SSL session handshake.
> 
> Oleg 
> 



Re: HTTPClient SSL self signed cert

2016-02-15 Thread Oleg Kalnichevski
On Mon, 2016-02-15 at 10:54 -0500, Matt Chambers wrote:
> Hi Oleg,
> 
> Thanks for the response… I don’t know if I’m setting this up right.
> 
> Does anyone have the steps handy to have a Tomcat and HttpClient communicate 
> with each other using self signed keys?
> 
> -Matt
> 

Matt,

When it comes to SSL one _must_ know exactly what he or she is doing. 

Does the server use a self-signed cert (there is only one certificate in
the cert chain) or does it use a cert signed by a custom CA (the cert
chain consists of multiple certs)?  

When configured to use TrustSelfSignedStrategy HttpClient will accept
the former but will reject the latter unless explicitly set up to trust
the custom CA. 

So, what is it you are trying to do? 

You might also want to run your app with SSL debugging turned on and find
out why the SSL security provider rejects server creds presented during
the SSL session handshake.

Oleg 

> > On Feb 15, 2016, at 5:47 AM, Oleg Kalnichevski  wrote:
> > 
> > On Fri, 2016-02-12 at 17:53 -0500, Matt Chambers wrote:
> >> I’m not sure if I’m daft or just missing something super obvious, but I’m 
> >> trying to setup HttpClient to connect to a Spring Boot server using a self 
> >> signed cert, pretty much all day.   Works fine via Chrome, Python’s 
> >> ‘requests’ module, and Objective-C but no matter what I do, this exception 
> >> haunts me.
> >> 
> > 
> > Are you sure the server authenticates with a self-signed certificate (no
> > CA) and not with a certificate signed by a non-standard CA?
> > 
> > Oleg
> > 
> >> java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: 
> >> sun.security.validator.ValidatorException: PKIX path building failed: 
> >> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> >> valid certification path to requested target
> >> Caused by: javax.net.ssl.SSLHandshakeException: 
> >> sun.security.validator.ValidatorException: PKIX path building failed: 
> >> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> >> valid certification path to requested target
> >> 
> >> I’ve basically tried 1000 different combinations of HttpClient setup and 
> >> versions, but this is how I’m setting it up currently:
> >> 
> >> this.client = HttpClients.custom()
> >>.setConnectionManager(new PoolingHttpClientConnectionManager())
> >>.setSSLSocketFactory(new 
> >> SSLConnectionSocketFactory(SSLContexts.custom()
> >>.loadTrustMaterial(null, new TrustSelfSignedStrategy())
> >>.build()))
> >>.setSSLHostnameVerifier(new NoopHostnameVerifier())
> >>.build();
> >> 
> >> Any help would be greatly appreciated.  
> >> 
> >> -Matt
> >> 
> > 
> > 
> > 
> > 






Re: HTTPClient SSL self signed cert

2016-02-15 Thread Matt Chambers

Hi Oleg,

Thanks for the response… I don’t know if I’m setting this up right.

Does anyone have the steps handy to have a Tomcat and HttpClient communicate 
with each other using self signed keys?

-Matt

> On Feb 15, 2016, at 5:47 AM, Oleg Kalnichevski  wrote:
> 
> On Fri, 2016-02-12 at 17:53 -0500, Matt Chambers wrote:
>> I’m not sure if I’m daft or just missing something super obvious, but I’m 
>> trying to setup HttpClient to connect to a Spring Boot server using a self 
>> signed cert, pretty much all day.   Works fine via Chrome, Python’s 
>> ‘requests’ module, and Objective-C but no matter what I do, this exception 
>> haunts me.
>> 
> 
> Are you sure the server authenticates with a self-signed certificate (no
> CA) and not with a certificate signed by a non-standard CA?
> 
> Oleg
> 
>> java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: 
>> sun.security.validator.ValidatorException: PKIX path building failed: 
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
>> valid certification path to requested target
>> Caused by: javax.net.ssl.SSLHandshakeException: 
>> sun.security.validator.ValidatorException: PKIX path building failed: 
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
>> valid certification path to requested target
>> 
>> I’ve basically tried 1000 different combinations of HttpClient setup and 
>> versions, but this is how I’m setting it up currently:
>> 
>> this.client = HttpClients.custom()
>>.setConnectionManager(new PoolingHttpClientConnectionManager())
>>.setSSLSocketFactory(new 
>> SSLConnectionSocketFactory(SSLContexts.custom()
>>.loadTrustMaterial(null, new TrustSelfSignedStrategy())
>>.build()))
>>.setSSLHostnameVerifier(new NoopHostnameVerifier())
>>.build();
>> 
>> Any help would be greatly appreciated.  
>> 
>> -Matt
>> 
> 
> 
> 
> 


Re: HTTPClient SSL self signed cert

2016-02-15 Thread Matt Chambers

Hi,

Thanks for the response; the signature alg doesn’t seem to be MD5.

 Signature Algorithm: sha256WithRSAEncryption

-Matt

> On Feb 12, 2016, at 6:04 PM, Brent Putman  wrote:
> 
> 
> 
> On 2/12/16 5:53 PM, Matt Chambers wrote:
>> I’m not sure if I’m daft or just missing something super obvious, but I’m 
>> trying to setup HttpClient to connect to a Spring Boot server using a self 
>> signed cert, pretty much all day.   Works fine via Chrome, Python’s 
>> ‘requests’ module, and Objective-C but no matter what I do, this exception 
>> haunts me.
>> 
>> java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: 
>> sun.security.validator.ValidatorException: PKIX path building failed: 
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
>> valid certification path to requested target
>> 
> 
> If you are using Oracle JDK:  In the most recent versions of Java,
> Oracle has by default disallowed PKIX trust of certificates signed with
> MD5 algorithms.  So check your cert's signature algorithm.  If it's
> MD5, either generate a new cert with SHA1, SHA256, etc, or change the
> property which controls this in jre/lib/security/java.security:
> 
> jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
> 
> 
> Remove MD5 from the list.



Re: HTTPClient SSL self signed cert

2016-02-15 Thread Oleg Kalnichevski
On Fri, 2016-02-12 at 17:53 -0500, Matt Chambers wrote:
> I’m not sure if I’m daft or just missing something super obvious, but I’m 
> trying to setup HttpClient to connect to a Spring Boot server using a self 
> signed cert, pretty much all day.   Works fine via Chrome, Python’s ‘requests’ 
> module, and Objective-C but no matter what I do, this exception haunts me.
> 

Are you sure the server authenticates with a self-signed certificate (no
CA) and not with a certificate signed by a non-standard CA?

Oleg

> java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: 
> sun.security.validator.ValidatorException: PKIX path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target
> Caused by: javax.net.ssl.SSLHandshakeException: 
> sun.security.validator.ValidatorException: PKIX path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target
> 
> I’ve basically tried 1000 different combinations of HttpClient setup and 
> versions, but this is how I’m setting it up currently:
> 
> this.client = HttpClients.custom()
> .setConnectionManager(new PoolingHttpClientConnectionManager())
> .setSSLSocketFactory(new 
> SSLConnectionSocketFactory(SSLContexts.custom()
> .loadTrustMaterial(null, new TrustSelfSignedStrategy())
> .build()))
> .setSSLHostnameVerifier(new NoopHostnameVerifier())
> .build();
> 
> Any help would be greatly appreciated.  
> 
> -Matt
> 






HTTPClient SSL self signed cert

2016-02-12 Thread Matt Chambers
I’m not sure if I’m daft or just missing something super obvious, but I’m 
trying to setup HttpClient to connect to a Spring Boot server using a self 
signed cert, pretty much all day.   Works fine via Chrome, Python’s ‘requests’ 
module, and Objective-C but no matter what I do, this exception haunts me.

java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target
Caused by: javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target

I’ve basically tried 1000 different combinations of HttpClient setup and 
versions, but this is how I’m setting it up currently:

this.client = HttpClients.custom()
.setConnectionManager(new PoolingHttpClientConnectionManager())
.setSSLSocketFactory(new SSLConnectionSocketFactory(SSLContexts.custom()
.loadTrustMaterial(null, new TrustSelfSignedStrategy())
.build()))
.setSSLHostnameVerifier(new NoopHostnameVerifier())
.build();

Any help would be greatly appreciated.  

-Matt



Re: HTTPClient SSL self signed cert

2016-02-12 Thread Brent Putman


On 2/12/16 5:53 PM, Matt Chambers wrote:
> I’m not sure if I’m daft or just missing something super obvious, but I’m 
> trying to setup HttpClient to connect to a Spring Boot server using a self 
> signed cert, pretty much all day.   Works fine via Chrome, Python’s ‘requests’ 
> module, and Objective-C but no matter what I do, this exception haunts me.
>
> java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: 
> sun.security.validator.ValidatorException: PKIX path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target
>

If you are using Oracle JDK:  In the most recent versions of Java,
Oracle has by default disallowed PKIX trust of certificates signed with
MD5 algorithms.  So check your cert's signature algorithm.  If it's
MD5, either generate a new cert with SHA1, SHA256, etc, or change the
property which controls this in jre/lib/security/java.security:

jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024


Remove MD5 from the list.
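Brent's check (is the certificate's signature algorithm on the jdk.certpath.disabledAlgorithms list?) can be run against a keystore directly instead of by eye. This is an added example, not code from the thread: it reads the running JVM's property and reports which entries each certificate in a PKCS12 store would trip, assuming a placeholder store path and password and interpreting only the entry forms shown in Brent's line (a bare digest name and "RSA keySize < N").

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.Locale;

public final class CertPathAlgorithmCheck {

    /**
     * Returns the reasons the running JVM's jdk.certpath.disabledAlgorithms policy
     * would reject this certificate (an empty list means nothing was found).
     * Only two entry forms are interpreted: a bare digest name such as "MD2" or
     * "MD5", and "RSA keySize < N". Other entry forms in newer JDKs are skipped.
     */
    public static List<String> findDisabledAlgorithms(X509Certificate cert) {
        String policy = Security.getProperty("jdk.certpath.disabledAlgorithms");
        if (policy == null || policy.trim().isEmpty()) {
            return Collections.emptyList();
        }
        List<String> problems = new ArrayList<>();
        // JCA names look like "SHA256withRSA" or "MD5withRSA"; compare case-insensitively.
        String sigAlg = cert.getSigAlgName().toUpperCase(Locale.ROOT);
        for (String rawEntry : policy.split(",")) {
            String entry = rawEntry.trim();
            String[] parts = entry.split("\\s+");
            String alg = parts[0].toUpperCase(Locale.ROOT);
            if (parts.length == 1) {
                // bare algorithm name: disabled as a signature digest (MD2, MD5, ...)
                if (sigAlg.contains(alg)) {
                    problems.add("signature algorithm " + cert.getSigAlgName()
                            + " is disabled by entry '" + entry + "'");
                }
            } else if (parts.length == 4 && "KEYSIZE".equals(parts[1].toUpperCase(Locale.ROOT))
                    && "<".equals(parts[2]) && "RSA".equals(alg)
                    && cert.getPublicKey() instanceof RSAPublicKey) {
                int bits = ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength();
                int minBits = Integer.parseInt(parts[3]);
                if (bits < minBits) {
                    problems.add("RSA key is only " + bits + " bits; entry '" + entry
                            + "' requires at least " + minBits);
                }
            }
        }
        return problems;
    }

    /** Runs the check over every certificate in a PKCS12 store such as the one keytool wrote. */
    public static void main(String[] args) throws Exception {
        // Placeholder path and password; replace with the store under test.
        String path = args.length > 0 ? args[0] : "truststore.p12";
        char[] password = "changeit".toCharArray();

        KeyStore store = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            store.load(in, password);
        }
        for (Enumeration<String> aliases = store.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            Certificate c = store.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            X509Certificate cert = (X509Certificate) c;
            List<String> problems = findDisabledAlgorithms(cert);
            System.out.println(alias + ": " + cert.getSigAlgName()
                    + (problems.isEmpty() ? " -> OK" : " -> " + problems));
        }
    }
}
```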