On Sat, 2016-12-17 at 18:05 -0500, Qiang Cao wrote:
> Hi Everyone,
> 
> I'm running my client to talk to a service that is behind a proxy. The
> channel between the client and the server proxy is established through SSL.
> I wish to retain the certificates of the proxy.
> 
> Client --- SSL socket (HTTPS) ---> SSL PROXY --- Plain socket (HTTP) --->
> Server
> 
> The way I do it is to create a context for each request and grab the SSL
> session info from the context after each request is executed.
> 
> ......
> HttpClientContext clientContext = HttpClientContext.create();
> CloseableHttpResponse response = httpclient.execute(target, httppost, clientContext);
> ManagedHttpClientConnection conn = clientContext.getConnection(ManagedHttpClientConnection.class);
> 
> if (conn.isOpen()) {
>     SSLSession sslsession = conn.getSSLSession();
>     X509Certificate[] peerCertChain = sslsession.getPeerCertificateChain();
> }
> 
> The code works fine when there is no proxy and the server runs SSL. In that
> case, I'm able to get the server certificates.  However, with the SSL proxy
> in the middle, the connection (ManagedHttpClientConnection) I got from the
> context is always NOT open. With that, I sort of ran out of ideas to get
> the SSL session for the request.  Any thoughts?
> 
> Thanks in advance!
> 
> -Qiang

Hi Qiang

A connection socket factory should be a better injection point for any
custom SSL logic.

---
CloseableHttpClient client = HttpClientBuilder.create()
    .setSSLSocketFactory(new SSLConnectionSocketFactory(SSLContexts.createSystemDefault()) {

        @Override
        public Socket createLayeredSocket(
                final Socket socket,
                final String target,
                final int port,
                final HttpContext context) throws IOException {
            // super completes the TLS handshake and hostname verification,
            // whether the socket is a direct connection or a proxy tunnel
            final SSLSocket layeredSocket = (SSLSocket)
                    super.createLayeredSocket(socket, target, port, context);
            SSLSession sslsession = layeredSocket.getSession();
            // the negotiated peer chain is available here; retain it as needed
            // (getPeerCertificateChain() returns the deprecated javax.security.cert
            // type; getPeerCertificates() is the non-deprecated alternative)
            X509Certificate[] peerCertChain = sslsession.getPeerCertificateChain();
            return layeredSocket;
        }
    })
    .build();
---

Hope this helps

Oleg

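A fuller version of the socket-factory approach, added here as an illustration and not code from either poster or from the HttpClient project: it records the peer chain in the request's HttpContext so the caller can read it back after execute(), which is what the original question was after. Everything beyond the override itself is an assumption for the example: the attribute name PEER_CHAIN_ATTR, the hypothetical proxy and target host names, the use of setProxy() to route through the proxy, and the SHA-256 fingerprint helper.

```java
import java.io.IOException;
import java.net.Socket;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;

import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

import org.apache.http.HttpHost;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.protocol.HttpContext;
import org.apache.http.ssl.SSLContexts;

public class PeerCertCapture {

    /** Context attribute holding the captured chain (name chosen for this example). */
    public static final String PEER_CHAIN_ATTR = "example.peer-cert-chain";

    /** Socket factory that records the negotiated peer chain in the request context. */
    static class CapturingSslSocketFactory extends SSLConnectionSocketFactory {

        CapturingSslSocketFactory() {
            super(SSLContexts.createSystemDefault());
        }

        @Override
        public Socket createLayeredSocket(final Socket socket, final String target,
                final int port, final HttpContext context) throws IOException {
            // super performs the handshake and hostname verification; in HttpClient 4.x
            // this runs for direct HTTPS connections and for TLS layered over a proxy tunnel
            final SSLSocket layered = (SSLSocket) super.createLayeredSocket(socket, target, port, context);
            final SSLSession session = layered.getSession();
            // getPeerCertificates() throws SSLPeerUnverifiedException (an IOException) if no peer identity
            final Certificate[] chain = session.getPeerCertificates();
            final X509Certificate[] x509Chain = Arrays.copyOf(chain, chain.length, X509Certificate[].class);
            if (context != null) {
                context.setAttribute(PEER_CHAIN_ATTR, x509Chain);
            }
            return layered;
        }
    }

    /** Hex SHA-256 over the DER encoding, the usual form of a certificate fingerprint. */
    public static String sha256Fingerprint(final X509Certificate cert) throws IOException {
        try {
            final byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            final StringBuilder sb = new StringBuilder();
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            throw new IOException(e);
        }
    }

    /** Chain captured for this request, or null when no handshake happened on this request. */
    public static X509Certificate[] capturedChain(final HttpClientContext context) {
        return (X509Certificate[]) context.getAttribute(PEER_CHAIN_ATTR);
    }

    public static void main(final String[] args) throws IOException {
        // hypothetical hosts for illustration only
        final HttpHost proxy = new HttpHost("proxy.example.internal", 3128);
        final HttpHost target = new HttpHost("service.example.com", 443, "https");

        try (CloseableHttpClient client = HttpClientBuilder.create()
                .setSSLSocketFactory(new CapturingSslSocketFactory())
                .setProxy(proxy)
                .build()) {
            final HttpClientContext ctx = HttpClientContext.create();
            try (CloseableHttpResponse response = client.execute(target, new HttpGet("/"), ctx)) {
                System.out.println("status: " + response.getStatusLine());
            }
            final X509Certificate[] chain = capturedChain(ctx);
            if (chain == null) {
                System.out.println("no TLS handshake on this request (pooled connection reused)");
                return;
            }
            for (X509Certificate cert : chain) {
                System.out.println(cert.getSubjectX500Principal().getName()
                        + "  sha256=" + sha256Fingerprint(cert));
            }
        }
    }
}
```

Two points worth keeping in mind when using this. First, the hook runs only when a TLS connection is actually established; a request served over a kept-alive pooled connection will find no attribute in its context, so code that needs the chain on every request must either look it up once per connection or disable connection reuse. Second, the chain recorded is that of whichever peer terminated TLS, so in the original poster's layout it is the proxy's certificate, not the back-end server's, which is also the right place to compare a fingerprint against an expected value if the goal is to detect an unexpected TLS endpoint.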
