Hello Nitya,
> in the implementation they say that you need to write this...
>
> Protocol stricthttps = new Protocol( "https", new
> StrictSSLProtocolSocketFactory(true), 443);
> HttpClient client = new HttpClient();
> client.getHostConfiguration().setHost("hostname", 443, stricthttps);
>
> Now this Factory implementation stops the man in the middle attack... by
> verifying the hostName... TRUE passed in its constructor..
>
> But doesn't it mean that it should also call this class's createSocket()
> method??? because that method has the method verifyHostName() which should
> be called so that hostname is verified???
When SSL connections are tunnelled through a proxy, there is
first a plain HTTP connection to the proxy. That's what you've
made to work now. Subsequently, a tunnel to the target is
established, and the SSL connection with protocol "https"
is layered on top of that. You don't have to verify a hostname
for the connection to the proxy.
>
> By implementing the above code I see that the createSocket() method of
> StrictSSLProtocolSocketFactory class doesn't get called.. why is that??? or
> I'm missing something here????
Have a look at HttpConnection.tunnelCreated, that's where
the SSL connection is layered on top of the tunnel.
If you have specific SSL questions, you should also consider
posting them to the nyc-ssl mailing list:
http://www.juliusdavies.ca/commons-ssl/
Hope that helps,
Roland
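
The sequence described in the reply above, as an added example that is not part of the original message or of Commons HttpClient: it uses plain JSSE to show that the connection to the proxy carries no hostname check, while the TLS layer placed on the tunnel is verified against the target's name. The class and method names are hypothetical, and `proxy.example`, port 3128 and `hostname` are placeholders.

```java
import java.io.*;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.*;

public class TunnelledTls {
    // Step 1: plain TCP connection to the proxy, then ask it for a tunnel to the target.
    static Socket openTunnel(String proxyHost, int proxyPort,
                             String targetHost, int targetPort) throws IOException {
        Socket plain = new Socket(proxyHost, proxyPort); // no hostname check applies here
        String req = "CONNECT " + targetHost + ":" + targetPort + " HTTP/1.1\r\n"
                   + "Host: " + targetHost + ":" + targetPort + "\r\n\r\n";
        OutputStream out = plain.getOutputStream();
        out.write(req.getBytes(StandardCharsets.US_ASCII));
        out.flush();
        // Read the response head byte by byte so no TLS bytes are swallowed by a buffer.
        InputStream in = plain.getInputStream();
        StringBuilder head = new StringBuilder();
        int b;
        while (!head.toString().endsWith("\r\n\r\n") && (b = in.read()) != -1) {
            head.append((char) b);
        }
        String status = head.toString().split("\r\n", 2)[0];
        if (!status.matches("HTTP/1\\.[01] 200( .*)?")) {
            plain.close();
            throw new IOException("Proxy refused tunnel: " + status);
        }
        return plain;
    }

    // Step 2: layer TLS on the tunnel and verify the certificate against the TARGET name.
    static SSLSocket layerTls(Socket tunnel, String host, int port) throws IOException {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket ssl = (SSLSocket) f.createSocket(tunnel, host, port, true);
        SSLParameters p = ssl.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS"); // hostname check during handshake
        ssl.setSSLParameters(p);
        ssl.startHandshake(); // throws SSLHandshakeException on name or trust failure
        return ssl;
    }

    public static void main(String[] args) throws IOException {
        // Placeholder proxy and target: replace with real values before running.
        try (Socket tunnel = openTunnel("proxy.example", 3128, "hostname", 443);
             SSLSocket ssl = layerTls(tunnel, "hostname", 443)) {
            System.out.println("Verified peer: " + ssl.getSession().getPeerPrincipal());
        }
    }
}
```

Without the `setEndpointIdentificationAlgorithm("HTTPS")` call, a raw `SSLSocket` validates the certificate chain but not the name in it, which is the gap a hostname-verifying socket factory exists to close.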