Patrick, I think it should be relatively easy to test whether the issue is in fact caused by HttpClient. Just use your socket factory to instantiate a socket and try executing a simple HTTP GET request using raw I/O streams. If you succeed in getting that to work, it would clearly indicate a problem with HttpClient. However, if the opposite is the case, you should be looking for a problem in your SSL setup.
Oleg

-----Original Message-----
From: Patrick Cardinal [mailto:[EMAIL PROTECTED]
Sent: Friday, May 30, 2003 07:44
To: Commons HttpClient Project
Subject: Re: Re: Help on client authentication

Sorry for the delay.

Typically in an SSL transaction the client wants to authenticate the server (validating server certificates). However, in the case of mutual client authentication the server also authenticates the client (using client certificates) in addition to the client authenticating the server. Check out http://java.sun.com/j2se/1.4.1/docs/guide/security/jsse/JSSERefGuide.html and http://java.sun.com/j2se/1.4.1/docs/guide/security/jsse/samples/sockets/client/SSLSocketClientWithClientAuth.java for more info on this.

My problem relates to a SocketException when I run a custom SSL socket factory with client authentication.

In a previous release of HttpClient, the HttpClient class had a setSSLSocketFactory method. So we used to be able to create a custom SSLSocketFactory that supported client authentication and set it to be used with an instance of the HttpClient class. Something like:

    HttpClient hc = new HttpClient();
    try {
        SSLContext ctx;
        KeyManagerFactory kmf;
        KeyStore ks;
        char[] passphrase = "passphrase".toCharArray();
        ctx = SSLContext.getInstance("TLS");
        // KeyManager backed by the JKS keystore holding the client certificate and key
        kmf = KeyManagerFactory.getInstance("SunX509");
        ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream("testkeystore"), passphrase);
        kmf.init(ks, passphrase);
        // null TrustManagers: server certificates are checked against the JRE default trust store
        ctx.init(kmf.getKeyManagers(), null, null);
        SSLSocketFactory factory = ctx.getSocketFactory();
        hc.setSSLSocketFactory(factory);
    } catch (Exception e) {
        throw new IOException(e.getMessage());
    }

Then use GetMethod and PostMethod...

In HttpClient 2.0 beta1, I tried to create a CustomSocketFactory along similar lines to the EasySSLProtocolSocketFactory example provided at http://cvs.apache.org/viewcvs.cgi/jakarta-commons/httpclient/src/contrib/org/apache/commons/httpclient/contrib/ssl/ Something like:
    class MyFactory implements SecureProtocolSocketFactory {
        // JSSE factory initialised with a KeyManager so the client can answer a CertificateRequest
        private javax.net.ssl.SSLSocketFactory mFactory;

        MyFactory() {
            mFactory = getFactoryWithClientAuth();
        }

        private static SSLSocketFactory getFactoryWithClientAuth() {
            ....... // same way as in the JSSE example
        }

        public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
                throws IOException, UnknownHostException {
            return mFactory.createSocket(socket, host, port, autoClose);
        }

        // implement the rest of the createSocket methods similarly as above
        .....
    }

I then used to post stuff:

    PostMethod post = new PostMethod(postServerUrl);
    post.setRequestBody("Test http client");
    post.setRequestHeader("Content-type", "text/plain");
    // register the client-auth factory for the "https" scheme on port 443
    Protocol strictHttps = new Protocol("https", new MyFactory(), 443);
    HttpClient client = new HttpClient();
    HostConfiguration hostc = new HostConfiguration();
    hostc.setHost("ServerUrl", 443, strictHttps);
    client.executeMethod(hostc, post);

When I ran the second example against 2.0 Beta1, the protocol interactions in the output seemed to be correct; I saw all the SSL handshake stuff work correctly...

    *** ClientHello, v3.1
    *** ServerHello, v3.1
    *** Certificate chain
    *** CertificateRequest
    *** ServerHelloDone
    *** ClientKeyExchange
    *** CertificateVerify
    *** Finished, v3.1

except just after the last stage, when it's about to do the actual post, I get:

    *** Finished, v3.1
    verify_data: { 98, 86, 46, 20, 159, 191, 251, 102, 9, 201, 95, 201 }
    ***
    [write] MD5 and SHA1 hashes: len = 16
    0000: 14 00 00 0C 62 56 2E 14 9F BF FB 66 09 C9 5F C9 ....bV.....f.._.
    Plaintext before ENCRYPTION: len = 32
    0000: 14 00 00 0C 62 56 2E 14 9F BF FB 66 09 C9 5F C9 ....bV.....f.._.
    0010: A2 FE 98 4F 4D E1 1B AD 0D 74 DD 5A 44 54 E9 3D ...OM....t.ZDT.=
    main, WRITE: SSL v3.1 Handshake, length = 32
    2003/05/30 01:02:59:124 EDT [TRACE] HttpConnection - -enter HttpConnection.close()
    2003/05/30 01:02:59:124 EDT [TRACE] HttpConnection - -enter HttpConnection.closeSockedAndStreams()
    main, SEND SSL v3.1 ALERT: warning, description = close_notify
    Plaintext before ENCRYPTION: len = 18
    0000: 01 00 AB 04 44 A2 B3 5D A4 89 16 62 F8 11 47 D6 ....D..]...b..G.
    0010: A6 E4 ..
    main, WRITE: SSL v3.1 Alert, length = 18
    2003/05/30 01:02:59:124 EDT [TRACE] HttpConnection - -enter HttpConnection.close()
    2003/05/30 01:02:59:124 EDT [TRACE] HttpConnection - -enter HttpConnection.closeSockedAndStreams()
    java.net.SocketException: Software caused connection abort: JVM_recv in socket input stream read
        at java.net.SocketInputStream.socketRead0(Native Method)
        at java.net.SocketInputStream.read(SocketInputStream.java:116)
        at com.sun.net.ssl.internal.ssl.InputRecord.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
        at org.apache.commons.httpclient.HttpConnection$WrappedOutputStream.write(HttpConnection.java:1347)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:69)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:127)
        at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:782)
        at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2173)
        at org.apache.commons.httpclient.HttpMethodBase.processRequest(HttpMethodBase.java:2528)
        at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1065)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:638)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:526)
        at PostXML1.main(PostXML1.java:130)
    Exception in thread "main"

This exception occurs only when I want to do SSL transactions with client authentication. Has anyone else encountered this problem? Just FYI, this did not happen in the previous release of HttpClient.

Any suggestions will be greatly appreciated.

Patrick

On Thu, 29 May 2003 Michael Becke wrote :
>Hello Patrick,
>
>What exactly do you mean by "SSL with mutual client
>authentication"? Could you provide a simple example of what you
>are trying and what specifically does not work. A stack trace
>and logs would be helpful.
>
>http://jakarta.apache.org/commons/httpclient/logging.html
>
>Mike
>
>Patrick Cardinal wrote:
>>I use httpclient to do SSL. We have been having problems using
>>the 2.0 beta-1 (even alpha3 ) release of httpclient to do SSL
>>with mutual client authentication using Keystores and JSSE. This
>>used to work in a previous release of http client. I need to
>>upgrade to 2.0 version for a bug fix.
>>
>>Does anyone know if SSL with mutual client authentication has
>>ever been tested with http client?..
>>
>>Can anyone provide me with sample code to do client
>>authentication using httpclient in 2.0?
>>
>>Any help will be appreciated on this count...
>>
>>Patrick
>>___________________________________________________
>>Get email that means BUSINESS! me @ mycompany.com.
>>Just Rs.1499/year.
>>To start, click http://www.rediffmailpro.com
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail:
>>[EMAIL PROTECTED]
>>For additional commands, e-mail:
>>[EMAIL PROTECTED]
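Oleg's raw-socket check, written out as an added example that is not code from this thread or from HttpClient: it builds the same client-auth SSLSocketFactory as Patrick's first snippet, forces the handshake, reports whether a client certificate was actually presented, then sends a plain HTTP GET over the socket's own streams. The keystore name, passphrase and host are placeholders, and the server is assumed to serve "/" on port 443.

```java
import java.io.*;
import java.security.KeyStore;
import javax.net.ssl.*;

/** Mutual-TLS GET without HttpClient, to tell an SSL/keystore problem from an HttpClient one.
 *  Added example; "testkeystore", "passphrase" and the host are placeholder values. */
public class RawClientAuthGet {

    // Same construction as the thread's first snippet: KeyManager from a JKS keystore,
    // null TrustManagers so server certificates are checked against the JRE default cacerts.
    static SSLSocketFactory factoryWithClientAuth(String keystore, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream(keystore), pass);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, pass);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        String host = "server.example"; // placeholder
        SSLSocketFactory f = factoryWithClientAuth("testkeystore", "passphrase".toCharArray());
        SSLSocket s = (SSLSocket) f.createSocket(host, 443);
        s.startHandshake(); // an exception here points at the SSL setup, not at HttpClient

        // Non-null only if the server sent a CertificateRequest and the keystore held a usable key;
        // null means the server may simply close the connection when the request is written.
        java.security.cert.Certificate[] local = s.getSession().getLocalCertificates();
        System.err.println("client certificate presented: " + (local != null && local.length > 0));

        Writer out = new OutputStreamWriter(s.getOutputStream(), "US-ASCII");
        out.write("GET / HTTP/1.1\r\nHost: " + host + "\r\nConnection: close\r\n\r\n");
        out.flush(); // the SocketException in the thread surfaced on this first application write

        BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream(), "ISO-8859-1"));
        for (String line; (line = in.readLine()) != null; ) {
            System.out.println(line); // status line, headers and body of the raw response
        }
        s.close();
    }
}
```

If this GET succeeds while the HttpClient PostMethod still fails, the socket factory and keystore are sound and the problem is in how HttpClient 2.0 drives the socket; if it fails the same way, the handshake or the client certificate is the thing to fix first.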