On Thu, 2007-11-29 at 16:40 -0800, Raul Acevedo wrote:
> Hi Julius, thanks for your suggestion.  I'm a little hesitant to add a
> library from a non-Apache source. 

(1) There is enough bad code in the Apache code repository. 
(2) There are plans to bring nyc-ssl over to Apache

Oleg

>  Do you know why my original example
> would give an error, or what essentially your code does that is
> different that allows it to work?
> 
> Thanks,
> 
> Raul
> 
> On Thu, 2007-11-29 at 11:29 -0800, Julius Davies wrote:
> > Hi, Raul,
> > 
> > I use this technique:
> > 
> > http://www.juliusdavies.ca/commons-ssl/TrustExample.java.html
> > 
> > 
> > But I usually change the name of the scheme to something like
> > "https-foo://", so that only "https-foo://" uses the client cert, and
> > "https://" continues to behave as before.  So maybe more like this:
> > 
> > 
> > HttpSecureProtocol f = new HttpSecureProtocol();
> > 
> > // might as well trust the usual suspects:
> > f.addTrustMaterial(TrustMaterial.CACERTS);
> > 
> > // add client cert
> > char[] pwd = {'p','w','d'};
> > f.setKeyMaterial(new KeyMaterial("/path/to/file.jks", pwd));
> > 
> > Protocol clientHttps = new Protocol("https-foo", f, 443);
> > Protocol.registerProtocol("https-foo", clientHttps);
> > 
> > HttpClient client = new HttpClient();
> > GetMethod httpget = new GetMethod("https-foo://www.server.com/");
> > client.executeMethod(httpget);
> > 
> > 
> > NOTE:  This assumes not-yet-commons-ssl.jar is on your classpath, and
> > that you're using that instead of compiling the httpclient "contrib"
> > code on your own.  Not-Yet-Commons-SSL already has these in its jar
> > file:
> > 
> > AuthSSLProtocolSocketFactory
> > EasySSLProtocolSocketFactory
> > StrictSSLProtocolSocketFactory
> > 
> > 
> > Good luck!  It's been working well for me for years.
> > 
> > yours,
> > 
> > Julius
> > 
> > 
> > On Nov 29, 2007 9:47 AM, Raul Acevedo <[EMAIL PROTECTED]> wrote:
> > > I don't want to omit keystore and truststore; I'm doing bidirectional
> > > (client and server) SSL authentication, that's the whole point.
> > >
> > > Do you know why I get the SocketException?  In general, has anyone
> > > successfully done both client and server SSL authentication with
> > > HttpClient without using the javax.net.ssl.keyStore and trustStore
> > > properties?
> > >
> > > Raul
> > >
> > >
> > > On Nov 29, 2007, at 3:19 AM, Oleg Kalnichevski wrote:
> > >
> > > >
> > > > On Wed, 2007-11-28 at 20:08 -0800, Raul Acevedo wrote:
> > > >> Is there a way to do client authentication with HttpClient without
> > > >> setting javax.net.ssl.keyStore?
> > > >>
> > > >> I tried the following code after building the contrib files:
> > > >>
> > > >>     HttpClient httpClient = new HttpClient();
> > > >>     URL keyStoreURL = new URL("file:/home/raul/keyStore.jks");
> > > >>     URL trustStoreURL = new URL("file:/home/raul/trustStore.jks");
> > > >>     AuthSSLProtocolSocketFactory socketFactory =
> > > >>         new AuthSSLProtocolSocketFactory(
> > > >>             keyStoreURL, "keyStorePassword", trustStoreURL, "trustStorePassword");
> > > >>     Protocol httpsProtocol = new Protocol(url.getProtocol(), socketFactory, url.getPort());
> > > >>     httpClient.getHostConfiguration().setHost(url.getHost(), url.getPort(), httpsProtocol);
> > > >>
> > > >> But this fails with:
> > > >>
> > > >>     java.net.SocketException: Default SSL context init failed: null
> > > >>
> > > >> Thanks,
> > > >>
> > > >> Raul Acevedo
> > > >> http://www.cantara.com
> > > >>
> > > >
> > > > Paul,
> > > >
> > > > (1) Keystore is optional. You can safely omit it.
> > > > (2) Implement a custom trust manager that trusts anything. This way you
> > > > will not need a truststore.
> > > > (3) Implement your own protocol socket factory that initializes the SSL
> > > > context with your own trust-anything trust manager. You can use
> > > > EasySSLProtocolSocketFactory as a starting point.
> > > >
> > > > Hope this helps,
> > > >
> > > > Oleg
> > > >

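As an added example that is not code from this thread or from Not-Yet-Commons-SSL, here is the same scheme-registration idea done with plain JSSE and HttpClient 3.x: the key store and trust store Raul describes are loaded into an explicit SSLContext (so the default context whose initialisation failed is never touched), and the server is checked against that trust store rather than a trust-anything manager. The class name, file paths, passwords and host are placeholders.

```java
import java.io.*;
import java.net.*;
import java.security.KeyStore;
import javax.net.ssl.*;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.*;

/** Mutual-TLS socket factory over an explicit SSLContext (hypothetical class, not part of HttpClient). */
public class MutualTlsSocketFactory implements SecureProtocolSocketFactory {
    private final SSLSocketFactory sf;
    public MutualTlsSocketFactory(String ksPath, char[] ksPwd, String tsPath, char[] tsPwd) throws Exception {
        // Client identity: private key and certificate chain from the key store.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(ksPath, ksPwd), ksPwd);
        // Server trust: only CAs in the trust store are accepted, so no trust-anything manager is needed.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(tsPath, tsPwd));
        // Our own context: javax.net.ssl.keyStore/trustStore and the default SSL context are never consulted.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        sf = ctx.getSocketFactory();
    }

    private static KeyStore loadJks(String path, char[] pwd) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(path);
        try { ks.load(in, pwd); } finally { in.close(); }
        return ks;
    }

    // The four factory methods HttpClient 3.x calls; each delegates to the JSSE factory.
    public Socket createSocket(String host, int port) throws IOException { return sf.createSocket(host, port); }
    public Socket createSocket(String host, int port, InetAddress local, int localPort) throws IOException {
        return sf.createSocket(host, port, local, localPort);
    }
    public Socket createSocket(String host, int port, InetAddress local, int localPort,
                               HttpConnectionParams params) throws IOException {
        Socket s = sf.createSocket(host, port, local, localPort);
        s.setSoTimeout(params.getSoTimeout());  // honour HttpClient's configured socket timeout
        return s;
    }
    public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException {
        return sf.createSocket(socket, host, port, autoClose);
    }

    public static void main(String[] args) throws Exception {  // placeholder paths, passwords and host
        ProtocolSocketFactory f = new MutualTlsSocketFactory("/path/to/keyStore.jks",
                "keyStorePassword".toCharArray(), "/path/to/trustStore.jks", "trustStorePassword".toCharArray());
        Protocol.registerProtocol("https-foo", new Protocol("https-foo", f, 443));  // plain https:// is unchanged
        System.out.println(new HttpClient().executeMethod(new GetMethod("https-foo://www.server.com/")));
    }
}
```

HttpClient 3.x does not check that the server certificate's name matches the requested host, so keep the trust store limited to the CA that issues this server's certificate rather than a general-purpose CA bundle.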

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
