> The results of this testing have put me into a state of confusion
> regarding what HttpClient's relationship is to the Java keystore.
> Can someone clarify how HttpClient
> works with respect to SSL, CA certs, server certs, and keystores?
Brad,
There's no _direct_ relationship between HttpClient and the Java keystore (or any SSL
stuff in general). HttpClient fully relies on JSSE providers to take care of all
SSL-related operations.
For more details refer to the HttpClient SSL guide:
http://jakarta.apache.org/commons/httpclient/sslguide.html
Hope this helps
Oleg
-----Original Message-----
From: Brad O'Hearne [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 28, 2004 16:14
To: HttpClient - Apache Commons
Subject: HttpClient, SSL, and keystores
Hey all,
I am experiencing very strange behavior using HttpClient over SSL, and
I wondered if someone could enlighten me as to how it works.
Basically, I have a small app that uses HttpClient to contact a web
server over https. What the app does is unimportant, but I have been
playing around with SSL and keystore / certs, and am fairly confused.
Here is what I've discovered:
On Windows clients, running J2SDK 1.4.2_03:
1. Without specifying anything about the keystore at all, and without
importing any certs into the default keystore, the app can talk over
SSL without a problem.
2. Override the default keystore,
(-Djavax.net.ssl.keyStore=) and the app works, provided
that the keystore file exists. However, the keystore can be completely
empty and still work, and after running the app, the keystore is still
completely empty -- no entries.
3. Override the default keystore,
(-Djavax.net.ssl.keyStore=) and the app will fail if the
keystore file does not exist. That seems really strange in the wake of
the behavior in 2, seeing that the keystore is apparently unused.
On Windows clients, running J2SDK 1.4.1.x:
1. SSL doesn't work. I have a suspicion that this is due to the
Verisign Class 2 and 3 CA certs expiring on Jan 7, 2004.
On Mac OS X, running Apple's VM 1.4.1.x:
1. SSL doesn't work. I manually installed the new Verisign certs
mentioned earlier, but SSL still didn't work. So I then manually
imported the server cert for the site in question, and added this line
(-Djavax.net.ssl.trustStore=) where the keystore file
was the keystore containing the server cert. This worked. ???
The results of this testing have put me into a state of confusion
regarding what HttpClient's relationship is to the Java keystore. It
appears not to need the keystore at all in my windows tests, but on the
mac, it appears to depend on it. Can someone clarify how HttpClient
works with respect to SSL, CA certs, server certs, and keystores?
Thanks so much
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
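
The following diagnostic is an added example, not code from this thread or from the HttpClient project. It reports the two JSSE system properties discussed above (`javax.net.ssl.keyStore` holds the client's own keys for client authentication, `javax.net.ssl.trustStore` holds the CA and server certificates used to validate the server), loads the trust anchors JSSE falls back to when the application supplies none, and flags any that are outside their validity period; the class name `TrustAnchorReport` is hypothetical.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added diagnostic (hypothetical class name): shows what JSSE trusts by default. */
public class TrustAnchorReport {

    /** Loads trust anchors the way JSSE does when the application supplies none. */
    static X509Certificate[] defaultTrustAnchors() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // null = use javax.net.ssl.trustStore if set, else the JRE's jssecacerts/cacerts
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        return new X509Certificate[0];
    }

    /** Prints and counts trust anchors that are expired or not yet valid at 'when'. */
    static int countInvalidAt(X509Certificate[] anchors, Date when) {
        int invalid = 0;
        for (X509Certificate cert : anchors) {
            try {
                cert.checkValidity(when);
            } catch (CertificateException e) { // expired or not yet valid
                invalid++;
                System.out.println("NOT VALID  " + cert.getSubjectX500Principal().getName()
                        + "  (notAfter=" + cert.getNotAfter() + ")");
            }
        }
        return invalid;
    }

    public static void main(String[] args) throws Exception {
        // keyStore: client identity keys. trustStore: certificates used to verify servers.
        System.out.println("javax.net.ssl.keyStore   = "
                + System.getProperty("javax.net.ssl.keyStore"));
        System.out.println("javax.net.ssl.trustStore = "
                + System.getProperty("javax.net.ssl.trustStore"));
        X509Certificate[] anchors = defaultTrustAnchors();
        int invalid = countInvalidAt(anchors, new Date());
        System.out.println(anchors.length + " trust anchors, " + invalid + " not currently valid");
    }
}
```

Run it with the same `-D` options as the application under test so that it reports the trust store that JVM will actually use.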