> The results of this testing have put me into a state of confusion 
> regarding what HttpClient's relationship is to the Java keystore.
<snip>
> Can someone clarify how HttpClient 
> works with respect to SSL, CA certs, server certs, and keystores?

Brad,
There's no _direct_ relationship between HttpClient and the Java keystore (or any SSL 
stuff in general). HttpClient fully relies on JSSE providers to take care of all 
SSL-related operations. 

For more details refer to the HttpClient SSL guide:

http://jakarta.apache.org/commons/httpclient/sslguide.html

Hope this helps

Oleg

-----Original Message-----
From: Brad O'Hearne [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 28, 2004 16:14
To: HttpClient - Apache Commons
Subject: HttpClient, SSL, and keystores


Hey all,

I am experiencing very strange behavior using HttpClient over SSL, and 
I wondered if someone could enlighten me as to how it works.

Basically, I have a small app that uses HttpClient to contact a web 
server over https.  What the app does is unimportant, but I have been 
playing around with SSL and keystore / certs, and am fairly confused.  
Here is what I've discovered:

On Windows clients, running J2SDK 1.4.2_03:
1. Without specifying anything about the keystore at all, and without 
importing any certs into the default keystore, the app can talk over 
SSL without a problem.
2. Override the default keystore, 
(-Djavax.net.ssl.keyStore=<keystore_file>) and the app works, provided 
that the keystore file exists.  However, the keystore can be completely 
empty and still work, and after running the app, the keystore is still 
completely empty -- no entries.
3. Override the default keystore, 
(-Djavax.net.ssl.keyStore=<keystore_file>) and the app will fail if the 
keystore file does not exist.  That seems really strange in the wake of 
the behavior in 2, seeing that the keystore is apparently unused.

On Windows clients, running J2SDK 1.4.1.x:
1. SSL doesn't work.  I have a suspicion that this is due to the 
Verisign Class 2 and 3 CA certs expiring on Jan 7, 2004.

On Mac OS X, running Apple's VM 1.4.1.x:
1. SSL doesn't work.  I manually installed the new Verisign certs 
mentioned earlier, but SSL still didn't work.  So I then manually 
imported the server cert for the site in question, and added this line 
(-Djavax.net.ssl.trustStore=<keystore_file>) where the keystore file 
was the keystore containing the server cert.  This worked.  ???

The results of this testing have put me into a state of confusion 
regarding what HttpClient's relationship is to the Java keystore.  It 
appears not to need the keystore at all in my Windows tests, but on the 
Mac, it appears to depend on it.  Can someone clarify how HttpClient 
works with respect to SSL, CA certs, server certs, and keystores?

Thanks so much 


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
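
An added example, not part of the thread and not HttpClient code: since HttpClient leaves all SSL work to JSSE, this standalone check reports the two stores JSSE distinguishes (javax.net.ssl.keyStore holds the client's own keys, javax.net.ssl.trustStore holds the CA and server certificates it trusts) and lists expired entries in the trust store in effect. It assumes the default JSSE lookup order (the trustStore property, then jssecacerts, then cacerts under java.home/lib/security) and a Java 7 or later compiler; the class name JsseStoreCheck is hypothetical.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

public class JsseStoreCheck {
    // Assumed default JSSE lookup order: -Djavax.net.ssl.trustStore,
    // then <java.home>/lib/security/jssecacerts, then .../cacerts.
    static File resolveTrustStore() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) return new File(override);
        File dir = new File(System.getProperty("java.home"), "lib/security");
        File jsse = new File(dir, "jssecacerts");
        return jsse.exists() ? jsse : new File(dir, "cacerts");
    }

    public static void main(String[] args) throws Exception {
        // keyStore: this client's own key material, presented only when the
        // server requests a client certificate. It does not decide server trust.
        System.out.println("keyStore   (client identity): "
                + System.getProperty("javax.net.ssl.keyStore", "<not set>"));
        File ts = resolveTrustStore();
        System.out.println("trustStore (trusted issuers): " + ts);

        String type = System.getProperty("javax.net.ssl.trustStoreType",
                KeyStore.getDefaultType());
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(ts)) {
            // A null password loads the entries without an integrity check.
            ks.load(in, pw == null ? null : pw.toCharArray());
        }
        Date now = new Date();
        int expired = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!ks.isCertificateEntry(alias) || !(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            if (x.getNotAfter().before(now)) {   // trust anchor past its validity
                expired++;
                System.out.println("EXPIRED " + alias + "  notAfter=" + x.getNotAfter()
                        + "  " + x.getSubjectX500Principal().getName());
            }
        }
        System.out.println(ks.size() + " entries, " + expired + " expired");
    }
}
```

Run it with the same -Djavax.net.ssl.* options as the application so it reports the stores that JVM would actually use.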

