On Tue, 2007-09-04 at 20:00 +0530, Mukesh Garg wrote: > Hi Oleg, > > I also have the same requirement which Jeff had. I used > > http://svn.apache.org/viewvc/jakarta/httpcomponents/oac.hc3x/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/EasyX509TrustManager.java?view=markup > > To trust any certificate presented by the server. I used it as it is given in > the example. > But I am still getting the exception > javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find > valid certification path to requested target > at > com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150) > > Could you point, what I might be missing ? >
Mukesh, EasyX509TrustManager trusts any _self-signed_ certificate (there is only a single certificate in the certificate chain) but in all other cases it delegates the job of certificate verification to the default trust manager. So, if you are trying to connection to a server that authenticates with a certificate signed by an untrusted CA the default trust manager will reject the certificate. Either change the EasyX509TrustManager to dumbly trust any certificate or invest some time into properly configuring the SSL context for your application. Hope this helps Oleg > But I am still getting > Oleg Kalnichevski wrote: > > On Thu, 2007-08-02 at 18:58 +1000, William Rose wrote: > > > >> Hi Jeff, > >> > >> As far as I understand it, at least a server certificate is required for > >> SSL. The server certificate doesn't have to be issued by a known > >> authority (e.g. you can use a certificate you create, signed by itself), > >> but it has to be there. > >> > >> This is required as the certificate gives the client the server's public > >> key, and normally then the client gets to work out whether they trust > >> the certificate based on who signed it and whether they are trusted. > >> Once they work out they trust the cert (and therefore the public key), > >> they can use it to communicate securely with the server using public-key > >> cryptography. This secure channel is used only to establish a shared > >> symmetric cipher key, and then the connection uses the faster symmetric > >> encryption to run the rest of the connection. > >> > >> So to my knowledge, you can't cut out the certificate from the > >> protocol. It's an essential step. You can make it easier to work with > >> by not requiring a valid certificate, or, more commonly, setting up a > >> certificate authority of your own (not that hard with keytool) and > >> adding that certificate to your Java Runtime's cacerts file. This means > >> the minimum amount of code changes. If you don't want to fiddle with > >> files in the JRE/JDK, the alternative is writing custom trust validation > >> classes that will accept your own certificates. > >> > >> cheers, > >> > >> Will > >> > >> > > > > In the extreme case one can simply choose to trust any public > > certificate regardless of their origin, authenticity and validity. This > > can be accomplished by implementing a custom TrustManager that dumbly > > trusts anything > > > > EasyX509TrustManager could be used as a starting point: > > > > http://svn.apache.org/viewvc/jakarta/httpcomponents/oac.hc3x/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/EasyX509TrustManager.java?view=markup > > > > Oleg > > > > > >> Jeff Garrett wrote: > >> > >>> Hi. > >>> I have looked over most of the mail archives and found a couple of posts > >>> that are kind of what I want to do, but were not quite in-line with my > >>> project or did not do what I needed. So, I need some help with something. > >>> > >>> I want to send an HTTPS Post message using SSL so that it is encrypted. I > >>> am currently using HttpClient 3.0.1 and that has worked like a charm for > >>> sending HTTP Post messages without encryption. But, now I need to do be > >>> able to send encrypted messages too. So, now I send to https://host:1001, > >>> whereas before I was sending to http://host:1000, for example. > >>> > >>> The catch is, and this should make it easier, that I do NOT need to, nor > >>> want to, use certificates for authentication. I don't care who the > >>> receiver > >>> of the message is - all I want is to send an encrypted message to a host > >>> and > >>> port number I have stored. I know this is not the most secure setup, but > >>> in > >>> this scenario this is the only requirement - clients subscribe and are > >>> stored, and I send an encrypted message to each client and move onto the > >>> next task. Its an asynchronus event that rarely happens. > >>> > >>> As I said, this should be easier than having to deal with certificates. > >>> However, almost every online reference I found has certificates included > >>> and > >>> I was unable to find a way to modify the examples and get them to work w/o > >>> certificates. I am not finding the right info, or not using the proper > >>> info. The SSL guide was helpful, but all of the implemented > >>> classes resulted in some form of exception. > >>> > >>> This can be done right? Can someone please provide some information for > >>> how > >>> to go about doing this? > >>> > >>> I apologize if this is available somewhere - I have yet to see it. > >>> Jeff G. > >>> > >>> > >>> > >> --------------------------------------------------------------------- > >> To unsubscribe, e-mail: [EMAIL PROTECTED] > >> For additional commands, e-mail: [EMAIL PROTECTED] > >> > >> > >> > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
