Hi, Xiaofeng, Sorry. Commons-SSL doesn't actually implement SSL. That's left to the underlying JSSE provider. Commons-SSL sits on top of the provider and tries to make common tasks easier. I like to think of this library as a "HARD-to-EASY" adapter.
It takes something that's hard - for example, turning off certificate expiry checking requires about a hundred lines of code - and makes it easy:

    socketFactory.setCheckExpiry( false );

Regarding your question, looks like Sun Java 6 supports the following ciphers:

SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_256_CBC_SHA
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
TLS_KRB5_EXPORT_WITH_RC4_40_MD5
TLS_KRB5_EXPORT_WITH_RC4_40_SHA
TLS_KRB5_WITH_3DES_EDE_CBC_MD5
TLS_KRB5_WITH_3DES_EDE_CBC_SHA
TLS_KRB5_WITH_DES_CBC_MD5
TLS_KRB5_WITH_DES_CBC_SHA
TLS_KRB5_WITH_RC4_128_MD5
TLS_KRB5_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

You may have some luck with Mozilla's "JSS" library:

http://www.mozilla.org/projects/security/pki/jss/

But it looks pretty daunting to me!

yours,

Julius
http://juliusdavies.ca/

ps.
here's the 100 lines (okay, more like 70 lines):

    import java.io.FileInputStream;
    import java.security.KeyStore;
    import java.security.cert.CertificateException;
    import java.security.cert.CertificateExpiredException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.TrustManagerFactory;
    import javax.net.ssl.X509TrustManager;

    // Load the JRE's default trust store so the wrapped trust manager
    // still validates the chain against the usual CA roots.
    String javaHome = System.getProperty( "java.home" );
    String pathToCacerts = javaHome + "/lib/security/cacerts";
    FileInputStream in = new FileInputStream( pathToCacerts );
    KeyStore ks = KeyStore.getInstance( "jks" );
    ks.load( in, null );
    in.close();
    String alg = TrustManagerFactory.getDefaultAlgorithm();
    TrustManagerFactory tmf = TrustManagerFactory.getInstance( alg );
    tmf.init( ks );
    TrustManager[] trustManagers = tmf.getTrustManagers();
    for ( int i = 0; i < trustManagers.length; i++ ) {
        final X509TrustManager tm = (X509TrustManager) trustManagers[ i ];
        // The wrapper must itself implement X509TrustManager (not just the
        // TrustManager marker interface), otherwise SSLContext.init() ignores it.
        trustManagers[ i ] = new X509TrustManager() {
            public void checkClientTrusted( X509Certificate[] chain, String authType )
                throws CertificateException {
                // we're only turning off expiry checking for server certs in this example.
                tm.checkClientTrusted( chain, authType );
            }
            public void checkServerTrusted( X509Certificate[] chain, String authType )
                throws CertificateException {
                CertificateException ce = null;
                try {
                    tm.checkServerTrusted( chain, authType );
                } catch ( CertificateException e ) {
                    ce = e;
                }
                if ( ce != null ) {
                    // Walk the cause chain: the expiry failure is usually wrapped
                    // in a CertPathValidatorException by the provider.
                    Throwable root = getRootThrowable( ce );
                    boolean expiryProblem = root instanceof CertificateExpiredException;
                    if ( expiryProblem ) {
                        // not a problem - we've turned expiry checking off!
                    } else {
                        throw ce;
                    }
                }
            }
            public X509Certificate[] getAcceptedIssuers() {
                return tm.getAcceptedIssuers();
            }
            private Throwable getRootThrowable( Throwable t ) {
                if ( t == null ) { return t; }
                Throwable cause = t.getCause();
                while ( cause != null && !t.equals( cause ) ) {
                    t = cause;
                    cause = t.getCause();
                }
                return t;
            }
        };
    }
    SSLContext sslContext = SSLContext.getInstance( "TLS" );
    sslContext.init( null, trustManagers, null );
    // Finally! A SocketFactory that doesn't check expiry of the server's cert.
    // (It does check everything else). (Except CRLs). ;-)
    SSLSocketFactory socketFactory = sslContext.getSocketFactory();

On 11/26/06, Xiaofeng Li <[EMAIL PROTECTED]> wrote:
Does this SSL support the cipher 'TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA'?

Thanks

-----Original Message-----
From: Julius Davies [mailto:[EMAIL PROTECTED]
Sent: Saturday, November 25, 2006 7:13 PM
To: [email protected]; HttpClient User Discussion
Subject: commons-ssl-0.3.4 released

Hi,

I've just released commons-ssl-0.3.4.

http://juliusdavies.ca/commons-ssl/

Three changes since 0.3.3:

#1.
==================================
ssl.setCheckExpiry( false ) now works!

ssl.setCheckExpiry( true ) now has an effect with Java 1.3. (Java 1.4, 5, 6 all properly checked certificate expiry anyway, but it looks like 1.3 forgot to.)

#2.
==================================
The "CRL pass/fail SHA1 fingerprint cache" only discards the certificates which PASSED the check every 24 hours now. Certificates which failed the check will keep their 20 byte SHA1 fingerprint in the cache forever (or until the next JVM restart).

#3.
==================================
Looks like TrustMaterial.TRUST_ALL stopped working recently on Java 5 and 6. Fixed.

Aside from these three code changes, I also updated the documentation. The "downloads" page includes a "Roadmap". The "main" page thanks Oleg for his original AuthSSLProtocolSocketFactory.java on which this is all based.

--
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/
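Since Julius's answer is that cipher support is the JSSE provider's business, here is an added example (mine, not Commons-SSL code) that asks the provider directly whether a named suite such as the one in Xiaofeng's question is supported, and that filters a suite list down to the entries without the export, anonymous-DH, NULL, single-DES or RC4 markers seen in the list above. The class and method names, and the WEAK_MARKERS list, are my own choices.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

public class CipherSuiteAudit {

    // Constructed list of name fragments that mark a suite as weak; the
    // categories are the ones visible in the provider's suite names.
    private static final String[] WEAK_MARKERS =
        { "_EXPORT", "_anon_", "_NULL_", "_DES_CBC_", "_RC4_" };

    /** True if the JSSE provider behind 'sf' can negotiate 'suite' at all. */
    public static boolean isSupported( SSLSocketFactory sf, String suite ) {
        return Arrays.asList( sf.getSupportedCipherSuites() ).contains( suite );
    }

    /** Returns the entries of 'candidates' that carry none of the weak markers. */
    public static String[] dropWeak( String[] candidates ) {
        List<String> keep = new ArrayList<String>();
        for ( String s : candidates ) {
            boolean weak = false;
            for ( String m : WEAK_MARKERS ) {
                if ( s.contains( m ) ) { weak = true; break; }
            }
            if ( !weak ) { keep.add( s ); }
        }
        return keep.toArray( new String[ keep.size() ] );
    }

    public static void main( String[] args ) throws Exception {
        SSLSocketFactory sf = SSLContext.getDefault().getSocketFactory();
        String asked = args.length > 0 ? args[ 0 ]
                                       : "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA";
        System.out.println( asked + " supported here: " + isSupported( sf, asked ) );

        // The default (enabled) suites are what the provider actually offers in a
        // handshake; pass dropWeak(...) to SSLSocket.setEnabledCipherSuites() when
        // configuring sockets so the weak entries are never negotiated.
        String[] enabled = sf.getDefaultCipherSuites();
        String[] strong = dropWeak( enabled );
        System.out.println( "enabled: " + enabled.length
                            + ", after dropping weak suites: " + strong.length );
        for ( String s : strong ) { System.out.println( "  " + s ); }
    }
}
```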
