Hi,

Like I said, the "contrib" code in HttpClient is there to inspire you, and isn't really meant to be production quality (although it is quite good!).

So I was inspired, and wrote Not-Yet-Commons-SSL. I hope to one day (hopefully very soon!!!!) finally take the time to properly document things and get the incubator ball rolling....

For now though the Not-Yet-Commons-SSL code has nothing at all to do with Apache. It's just an inspired refactoring of the original HttpClient "contrib" code, with a few bells and whistles thrown in.

Pros of using Not-Yet-Commons-SSL for what you're doing:
--------------------------------------------------
- Pre-packaged jar file easy to just download and use.
- Not-Yet-Commons-SSL has better hostname verification compared to HttpClient-3.x's "Strict" implementation. E.g. wildcards work fine (CN=*.domain.com) in Not-Yet-Commons-SSL, but not in HttpClient-3.x's "Strict" contrib example. (Note: HttpClient 4.x will properly implement hostname verification).

Cons
--------------------------------------------------
- You're downloading some random jar file off the web (and using insecure "http" to download it!) that then becomes a critical central piece of your java application's security.
- There is a lot of code in this jar file. So if you are truly concerned about security, and don't have time to audit the code and compile it from source, you're probably better off auditing/compiling the much smaller "contrib" code from HttpClient.

Good luck!

yours,

Julius

ps. in not-yet-commons-ssl, it looks like this:

  StrictSSLProtocolSocketFactory
    extends org.apache.commons.ssl.HttpSecureProtocol
      implements SecureProtocolSocketFactory

(You forgot to take a look at what HttpSecureProtocol itself implements!)

On 8/10/07, nitya vyas <[EMAIL PROTECTED]> wrote:
> thanks...
>
> I found something else also..
> the jar from below link has..
> (http://juliusdavies.ca/commons-ssl/download.html)
>
> public class StrictSSLProtocolSocketFactory extends
> org.apache.commons.ssl.HttpSecureProtocol
>
> while in the source code of Apache commons-httpclient jar I saw
> public class StrictSSLProtocolSocketFactory
> implements SecureProtocolSocketFactory
>
> what is the difference between the two?? are there any pros or cons for this
> and why???
>
> cheers.
>
> On 8/10/07, Julius Davies <[EMAIL PROTECTED]> wrote:
> >
> > Apache doesn't package that code. It's only in CVS as example code to
> > inspire you. :-)
> >
> > If you're brave, you can try the jar file I packaged. No affiliation
> > with Apache, though, but there is an implementation of
> > StrictSSLProtocolSocketFactory that should do the job.
> >
> > http://juliusdavies.ca/commons-ssl/download.html
> >
> > yours,
> >
> > Julius
> >
> > On 8/8/07, nitya vyas <[EMAIL PROTECTED]> wrote:
> > > Hi,
> > > I'm using StrictSSLProtocolSocketFactory class to implement SSL in
> > > HTTPClient. But I'm not able to find the jar for the same. It is
> > > available in the source code on the Apache web repository but not
> > > the jar file.
> > >
> > > Can you tell me from where can I find this jar so that changes can be
> > > tracked???
> > >

--
yours,

Julius Davies
604-251-3219
http://juliusdavies.ca/
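
An added example, not code from HttpClient's "contrib" directory or from Not-Yet-Commons-SSL: a wildcard-aware hostname check of the kind the top message refers to (CN=*.domain.com). The class name, the policy that `*` stands for exactly one leftmost label, and the sample hosts are assumptions made for this example.

```java
import java.util.Locale;

// Added example: wildcard-aware hostname matching (illustrative policy, not any library's code).
public class WildcardHostnameCheck {

    // Returns true if 'host' is covered by the certificate name 'pattern'.
    static boolean matches(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return h.equals(p);                 // no wildcard: exact match only
        }
        if (isIpLiteral(h)) {
            return false;                       // wildcards never apply to IP addresses
        }
        String suffix = p.substring(1);         // e.g. ".domain.com"
        if (suffix.indexOf('*') >= 0 || suffix.indexOf('.', 1) < 0) {
            return false;                       // reject "*.*.x" and over-broad "*.com"
        }
        if (!h.endsWith(suffix)) {
            return false;
        }
        String left = h.substring(0, h.length() - suffix.length());
        return !left.isEmpty() && left.indexOf('.') < 0;   // '*' covers exactly one label
    }

    // Rough test for IPv4/IPv6 literals (assumption: good enough for this example).
    static boolean isIpLiteral(String s) {
        return s.indexOf(':') >= 0 || s.matches("\\d{1,3}(\\.\\d{1,3}){3}");
    }

    public static void main(String[] args) {
        String[][] cases = {   // constructed sample inputs: {host, certificate name}
            {"www.domain.com", "*.domain.com"},
            {"WWW.Domain.com", "*.domain.com"},
            {"domain.com", "*.domain.com"},
            {"a.b.domain.com", "*.domain.com"},
            {"www.evil.com", "*.domain.com"},
            {"domain.com.evil.com", "*.domain.com"},
            {"example.com", "*.com"},
            {"www.domain.com", "www.domain.com"},
        };
        for (String[] c : cases) {
            System.out.printf("%-22s vs %-16s -> %b%n", c[0], c[1], matches(c[0], c[1]));
        }
    }
}
```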
