On Fri, 2017-02-17 at 12:56 -0800, Gary Gregory wrote:
> Hi All,
>
> I cannot seem to get org.apache.http.conn.ssl.TrustSelfSignedStrategy
> to
> work with an SSL connection.
>
> I am creating the HttpClient (4.5.3, the latest) like so:
>
> final PoolingHttpClientConnectionManager cm = new
> PoolingHttpClientConnectionManager();
> httpClient =
> HttpClientFactory.createHttpClientBuilder(trustStrategy,
> hostnameVerifier,
> getTimeoutMillis())
> .setConnectionManager(cm)
Gary,
Your code sets an instance of PoolingHttpClientConnectionManager which
overrides all other connection level parameters including SSLContext
and HostnameVerifier. Either pass SSLContext and HostnameVerifier as
parameters to the connection manager or let HttpClientBuilder create an
instance of PoolingHttpClientConnectionManager for you.
Oleg
> .build();
>
> Where HttpClientFactory is as below and trustStrategy=a new
> org.apache.http.conn.ssl.TrustSelfSignedStrategy,
> hostnameVerifier=null,
> getTimeoutMillis()=210,000:
>
> /**
>  * Builds Apache HttpClient instances with an optional custom trust strategy,
>  * hostname verifier and socket read timeout.
>  *
>  * <p>Security note: a permissive strategy such as {@code TrustSelfSignedStrategy},
>  * or a no-op hostname verifier, weakens server authentication for every
>  * connection the resulting client makes. Keep the defaults ({@code null}) for
>  * clients that talk to untrusted networks.
>  *
>  * <p>The SSL context and hostname verifier are applied to the builder only.
>  * Installing a separately constructed connection manager on the returned
>  * builder overrides them; in that case hand the same SSL context and
>  * verifier to the connection manager instead.
>  */
> public class HttpClientFactory {
>
>     /**
>      * Configures a builder via
>      * {@link #createHttpClientBuilder(TrustStrategy, HostnameVerifier, int)}
>      * and builds the client immediately.
>      *
>      * @param trustStrategy    custom server-certificate trust evaluation, or
>      *                         {@code null} to keep the JVM default trust settings
>      * @param hostnameVerifier verifier for the server hostname, or {@code null}
>      *                         to keep the client's default verifier
>      * @param timeoutMillis    socket read timeout in milliseconds; a negative
>      *                         value leaves the default socket config untouched
>      * @return the built client
>      * @throws NoSuchAlgorithmException propagated when the SSL context for
>      *                                  {@code trustStrategy} cannot be built
>      * @throws KeyManagementException   propagated when the SSL context for
>      *                                  {@code trustStrategy} cannot be built
>      * @throws KeyStoreException        propagated when the trust material
>      *                                  cannot be loaded
>      */
>     public static CloseableHttpClient createHttpClient(final TrustStrategy trustStrategy,
>             final HostnameVerifier hostnameVerifier, final int timeoutMillis)
>             throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException {
>         final HttpClientBuilder configured =
>                 createHttpClientBuilder(trustStrategy, hostnameVerifier, timeoutMillis);
>         return configured.build();
>     }
>
>     /**
>      * Prepares a builder whose SSL context, hostname verifier and default
>      * socket config are set only when the corresponding argument asks for it.
>      *
>      * @param trustStrategy    custom server-certificate trust evaluation, or
>      *                         {@code null} to leave the builder's SSL context alone
>      * @param hostnameVerifier verifier for the server hostname, or {@code null}
>      *                         to leave the builder's verifier alone
>      * @param timeoutMillis    socket read timeout in milliseconds; negative
>      *                         values skip the socket config entirely
>      * @return a builder the caller may customise further before {@code build()}
>      * @throws NoSuchAlgorithmException propagated when the SSL context for
>      *                                  {@code trustStrategy} cannot be built
>      * @throws KeyManagementException   propagated when the SSL context for
>      *                                  {@code trustStrategy} cannot be built
>      * @throws KeyStoreException        propagated when the trust material
>      *                                  cannot be loaded
>      */
>     public static HttpClientBuilder createHttpClientBuilder(final TrustStrategy trustStrategy,
>             final HostnameVerifier hostnameVerifier, final int timeoutMillis)
>             throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException {
>         // A null strategy means "no custom SSL context": the builder is left as-is.
>         SSLContext customContext = null;
>         if (trustStrategy != null) {
>             customContext = SSLContextBuilder.create()
>                     .loadTrustMaterial(trustStrategy)
>                     .build();
>         }
>         // Only non-negative timeouts produce a socket config.
>         SocketConfig readTimeoutConfig = null;
>         if (timeoutMillis >= 0) {
>             readTimeoutConfig = SocketConfig.custom()
>                     .setSoTimeout(timeoutMillis)
>                     .build();
>         }
>
>         final HttpClientBuilder builder = HttpClients.custom();
>         if (customContext != null) {
>             builder.setSSLContext(customContext);
>         }
>         if (hostnameVerifier != null) {
>             builder.setSSLHostnameVerifier(hostnameVerifier);
>         }
>         if (readTimeoutConfig != null) {
>             builder.setDefaultSocketConfig(readTimeoutConfig);
>         }
>         return builder;
>     }
>
> }
>
> I also tried hostnameVerifier=NoopHostnameVerifier.INSTANCE just for
> grins
> but that makes no difference; the failure is the same. If I set a
> breakpoint in TrustSelfSignedStrategy#isTrusted(), it never gets hit.
>
> The error:
>
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find
> valid certification path to requested target
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
> at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.
> java:1446)
> at
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.jav
> a:209)
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
> at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
> at
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.
> java:1332)
> at
> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359
> )
> at
> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343
> )
> at
> org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSock
> et(SSLConnectionSocketFactory.java:396)
> at
> org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSL
> ConnectionSocketFactory.java:355)
> at
> org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect
> (DefaultHttpClientConnectionOperator.java:142)
> at
> org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(
> PoolingHttpClientConnectionManager.java:359)
> at
> org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClie
> ntExec.java:381)
> at
> org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.
> java:237)
> at
> org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java
> :185)
> at
> org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
> at
> org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java
> :111)
> at
> org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttp
> Client.java:185)
> at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttp
> Client.java:83)
> at
> com.seagullsw.appinterface.comm.cics.ScgHttpConnection.sendRequest(Sc
> gHttpConnection.java:165)
> at
> com.seagullsw.appinterface.comm.cics.ScgHttpConnection.sendRequest(Sc
> gHttpConnection.java:177)
> at
> com.seagullsw.appinterface.server.backend.cics.ScgByteBufferExecutor.
> execute(ScgByteBufferExecutor.java:121)
> at
> com.seagullsw.appinterface.server.backend.cics.CicsBackEnd.handleRequ
> estImpl(CicsBackEnd.java:232)
> at
> com.seagullsw.appinterface.server.backend.BasicBackEnd.handleRequest(
> BasicBackEnd.java:325)
> at
> com.seagullsw.appinterface.server.BasicInvocation.backEndDispatch(Bas
> icInvocation.java:372)
> at
> com.seagullsw.appinterface.server.BasicInvocation.invokeInner(BasicIn
> vocation.java:1146)
> at
> com.seagullsw.appinterface.server.BasicInvocation.invokeWithChecks(Ba
> sicInvocation.java:1191)
> at
> com.seagullsw.appinterface.server.BasicInvocation.invoke(BasicInvocat
> ion.java:1106)
> at
> com.seagullsw.appinterface.server.AppInterfaceServer.dispatch(AppInte
> rfaceServer.java:722)
> at
> com.seagullsw.appinterface.server.AppInterfaceServer.dispatch(AppInte
> rfaceServer.java:710)
> at
> com.seagullsw.appinterface.server.AisHelper.assertXmlRequest(AisHelpe
> r.java:59)
> at
> com.seagullsw.appinterface.server.backend.cics.AbstractScgBackEndTest
> Case.callMirrorCommArea(AbstractScgBackEndTestCase.java:409)
> at
> com.seagullsw.appinterface.server.backend.cics.AbstractScgBackEndTest
> Case.callMirrorCicsWriteQLimitCommArea(AbstractScgBackEndTestCase.jav
> a:379)
> at
> com.seagullsw.appinterface.server.backend.cics.AbstractScgBackEndStre
> ssTestCase.testMirrorCicsWriteQLimitCommAreaConsecutiveRequests10(Abs
> tractScgBackEndStressTestCase.java:1896)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
> java:57)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
> sorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:606)
> at
> org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(Framework
> Method.java:50)
> at
> org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCal
> lable.java:12)
> at
> org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMe
> thod.java:47)
> at
> org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMet
> hod.java:17)
> at org.junit.rules.TestWatcher$1.evaluate(TestWatcher.java:55)
> at
> org.junit.rules.ExternalResource$1.evaluate(ExternalResource.java:48)
> at org.junit.rules.RunRules.evaluate(RunRules.java:20)
> at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
> at
> org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRun
> ner.java:78)
> at
> org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRun
> ner.java:57)
> at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
> at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
> at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
> at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
> at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
> at
> org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.
> java:26)
> at
> org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.ja
> va:27)
> at
> org.junit.rules.ExternalResource$1.evaluate(ExternalResource.java:48)
> at org.junit.rules.RunRules.evaluate(RunRules.java:20)
> at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
> at
> org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4
> TestReference.java:86)
> at
> org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution
> .java:38)
> at
> org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(Remot
> eTestRunner.java:459)
> at
> org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(Remot
> eTestRunner.java:678)
> at
> org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTest
> Runner.java:382)
> at
> org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTes
> tRunner.java:192)
> Caused by: sun.security.validator.ValidatorException: PKIX path
> building
> failed: sun.security.provider.certpath.SunCertPathBuilderException:
> unable
> to find valid certification path to requested target
> at
> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
> at
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.jav
> a:292)
> at sun.security.validator.Validator.validate(Validator.java:260)
> at
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.j
> ava:326)
> at
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerIm
> pl.java:231)
> at
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustMan
> agerImpl.java:126)
> at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.
> java:1428)
> ... 63 more
> Caused by:
> sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
> at
> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCert
> PathBuilder.java:196)
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
> at
> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
> ... 69 more
>
> Thoughts?
>
> Thank you,
> Gary
>