Mohan, On Sat, Nov 4, 2017 at 6:01 AM, Mohan Radhakrishnan <[email protected]> wrote: > Hi, > >
Let me start by mentioning that Http Client does not implement its own cyrpto algorithms or SSL/TLS protocols. It relies on the underlying Java JSSE implementation to create secure sockets. And unless you have plugged in an alternate JSSE provider, you are using the JSSE implementation packaged with your JRE. Having said that, Http Client does allow some customization to the secure socket creation process using SSLConnectionSocketFactory [1]. This allows you to use an alternate trust store, host name verifier, etc.. The latter being especially valuable during development/testing, but should not be used in production IMO. To see how you can customize the SSL socket creation, please read the 'Connection management' chapter in the Http Client tutorial [2]. > I am invoking a HTTPS SOAP service and this is what I think is > happening. It is one-way SSL. The JSSE implementation automagically adds it > to the client's truststore and ensures that the SOAP call is successful. I am not sure that is accurate. If the server you are targeting uses a certificate signed by one of the trusted CAs (or a CA signed by a trusted CA) in your trust store, the secure socket will be established. The client does not alter the trust store automagically, unless you have done it yourself, or are using a custom trust store (other than say the cacerts that ships with Oracle JRE). > > This question is based on this assumption. > When I read > https://www.ssl.com/guide/ssl-best-practices-a-quick-and-dirty-guide/ there > are various SSL exceptions and checks that > are required. I code the client. How do I trap the various exceptions ? > Which list of exceptions should I use for SSL ? I am not sure I understand the question, but if you need to catch all exceptions, see the JSSE Reference Guide [3] on exceptions that can come from the SSL context. I guess the most important one will be javax.net.ssl.SSLException and its sub-classes. As far as I can tell, HC adds org.apache.http.conn.ssl.SSLInitializationException and of course most connect methods can throw IOException. > > How do I know the the HttpClient uses the latest security patches in my JDK > 8 ? It should automatically be secure. Right ? As I noted above, HC is using the configured or default JSSE implementation in your JRE. If that is patched, you will be as secure as that. > > Thanks, > Mohan Regards, Bindul [1] https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/conn/ssl/SSLConnectionSocketFactory.html [2] http://hc.apache.org/httpcomponents-client-ga/tutorial/html/ --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
