Re: CloseableHttpClient and custom verification of SSL session
Hello,

I guess it depends on the definition of "verifying session". For example, I was using the TrustStrategy to do (additional) certificate public key info pinning:

    pinnedCertTrust = new PinnedCertTrust("...=");
    // this context falls back to system trust material (but first checks pinning)
    SSLContext sslcontext = SSLContexts.custom().useProtocol("TLSv1.2")
            .loadTrustMaterial(pinnedCertTrust).build();
    // Allow TLSv1.2 protocol only
    SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslcontext,
            new String[] { "TLSv1.2" }, null,
            SSLConnectionSocketFactory.getDefaultHostnameVerifier());
    builder.setSSLSocketFactory(sslsf);

If the pin fails it throws a CertificateException; when it succeeds it returns false (which falls back to doing all normal trust checks in addition to the pinning).

Regards,
Bernd

On Mon, 22 Aug 2016 17:09:34 +0200, Oleg Kalnichevski wrote:

> On August 22, 2016 2:50:35 PM GMT+02:00, Sachin Nikumbh wrote:
> >Hi Oleg,
> >
> >Thanks for your response. I had thought of using a custom
> >HostnameVerifier. However, it only gets called if the default
> >hostname verification fails and that won’t work for me. We need to
> >do the custom verification for the server certificate when the
> >default hostname verification is successful as well.
> >
> >We have existing code that uses CloseableHttpAsyncClient. We have
> >solved our problem by using a custom SSLIOSessionStrategy,
> >RegistryBuilder and PoolingNHttpClientConnectionManager. Is there any
> >way to use a similar technique with the CloseableHttpClient?
> >
> >Thanks
> >Sachin
>
> ConnectionSocketFactory in the classic HttpClient module will give
> you full control over the process of socket initialization. See the
> stock SSL implementation for details and use it as a starting point.
>
> Oleg

-
To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
For additional commands, e-mail: httpclient-users-h...@hc.apache.org
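A pinning TrustStrategy with the behaviour Bernd describes (throw on pin mismatch, return false on match so the normal trust checks still run), as an added example that is not code from the thread and not his PinnedCertTrust class. The class name `SpkiPinTrustStrategy`, the base64 SHA-256 pin format and the choice to pin only the leaf certificate are assumptions.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import org.apache.http.ssl.TrustStrategy;

/** Hypothetical SPKI pin check for SSLContextBuilder.loadTrustMaterial(TrustStrategy). */
public final class SpkiPinTrustStrategy implements TrustStrategy {

    // Assumed pin format: SHA-256 over the DER SubjectPublicKeyInfo, base64 encoded.
    private final byte[] expectedPin;

    public SpkiPinTrustStrategy(String base64Sha256Pin) {
        this.expectedPin = Base64.getDecoder().decode(base64Sha256Pin);
    }

    @Override
    public boolean isTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        // Only chain[0] is compared. The chain is supplied by the peer and has
        // not been validated yet, so a pinned certificate that is merely
        // appended to an unrelated chain must not satisfy the pin.
        byte[] spki = chain[0].getPublicKey().getEncoded(); // DER SubjectPublicKeyInfo
        if (!MessageDigest.isEqual(sha256(spki), expectedPin)) {
            throw new CertificateException("leaf public key does not match the pin");
        }
        // false means "not trusted by this strategy alone": the context built by
        // SSLContextBuilder then runs the default trust manager as well.
        return false;
    }

    private static byte[] sha256(byte[] data) throws CertificateException {
        try {
            return MessageDigest.getInstance("SHA-256").digest(data);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }
}
```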
RE: CloseableHttpClient and custom verification of SSL session
On August 22, 2016 2:50:35 PM GMT+02:00, Sachin Nikumbh wrote:
>Hi Oleg,
>
>Thanks for your response. I had thought of using a custom
>HostnameVerifier. However, it only gets called if the default hostname
>verification fails and that won’t work for me. We need to do the custom
>verification for the server certificate when the default hostname
>verification is successful as well.
>
>We have existing code that uses CloseableHttpAsyncClient. We have
>solved our problem by using a custom SSLIOSessionStrategy,
>RegistryBuilder and PoolingNHttpClientConnectionManager. Is there any
>way to use a similar technique with the CloseableHttpClient?
>
>Thanks
>Sachin

ConnectionSocketFactory in the classic HttpClient module will give you full control over the process of socket initialization. See the stock SSL implementation for details and use it as a starting point.

Oleg

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
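One way to follow Oleg's suggestion with the classic client, as an added example that is not code from the thread or from HttpClient itself: a subclass of the stock SSLConnectionSocketFactory that runs an extra check after the handshake and hostname verification succeed. The names `SessionCheckingSocketFactory` and `SessionCheck` are hypothetical, and the code assumes HttpClient 4.4 or later, where the stock `connectSocket` hands a plain socket to `createLayeredSocket` for the TLS upgrade.

```java
import java.io.IOException;
import java.net.Socket;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.protocol.HttpContext;

/** Hypothetical subclass: applies an extra check to every completed TLS session. */
public class SessionCheckingSocketFactory extends SSLConnectionSocketFactory {

    /** Hypothetical callback; throw SSLException to reject the session. */
    public interface SessionCheck {
        void check(String host, SSLSession session, X509Certificate leaf)
                throws SSLException;
    }

    private final SessionCheck check;

    public SessionCheckingSocketFactory(SSLContext ctx, HostnameVerifier verifier,
                                        SessionCheck check) {
        super(ctx, verifier);
        this.check = check;
    }

    @Override
    public Socket createLayeredSocket(Socket socket, String target, int port,
                                      HttpContext context) throws IOException {
        // The stock implementation performs the handshake and hostname verification.
        Socket layered = super.createLayeredSocket(socket, target, port, context);
        try {
            SSLSession session = ((SSLSocket) layered).getSession();
            // Throws SSLPeerUnverifiedException if the peer was not authenticated.
            Certificate[] peer = session.getPeerCertificates();
            check.check(target, session, (X509Certificate) peer[0]);
        } catch (IOException | RuntimeException e) {
            // Close the socket so a rejected session never reaches the pool.
            try { layered.close(); } catch (IOException ignore) { }
            throw e;
        }
        return layered;
    }
}
```

Pass an instance to `setSSLSocketFactory` on the client builder, as in Bernd's snippet; the check then runs on each new connection before any request data is written.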
RE: CloseableHttpClient and custom verification of SSL session
Hi Oleg,

Thanks for your response. I had thought of using a custom HostnameVerifier. However, it only gets called if the default hostname verification fails and that won’t work for me. We need to do the custom verification for the server certificate when the default hostname verification is successful as well.

We have existing code that uses CloseableHttpAsyncClient. We have solved our problem by using a custom SSLIOSessionStrategy, RegistryBuilder and PoolingNHttpClientConnectionManager. Is there any way to use a similar technique with the CloseableHttpClient?

Thanks
Sachin

-Original Message-
From: Oleg Kalnichevski [mailto:ol...@apache.org]
Sent: Monday, August 22, 2016 5:53 AM
To: HttpClient User Discussion
Subject: Re: CloseableHttpClient and custom verification of SSL session

On August 21, 2016 10:50:47 PM GMT+02:00, Sachin Nikumbh wrote:
>Hi all,
>
>I am using CloseableHttpClient to support HTTPS. I need to do some
>client-side verification after receiving the server certificate. This
>needs to happen immediately after the SSL handshake and before the
>actual data is exchanged. Can someone please direct me in the right
>direction?
>
>Thanks
>Sachin

Custom HostnameVerifier would be the most convenient plugin point.

Oleg
Re: CloseableHttpClient and custom verification of SSL session
On August 21, 2016 10:50:47 PM GMT+02:00, Sachin Nikumbh wrote:
>Hi all,
>
>I am using CloseableHttpClient to support HTTPS. I need to do some
>client-side verification after receiving the server certificate. This
>needs to happen immediately after the SSL handshake and before the
>actual data is exchanged. Can someone please direct me in the right
>direction?
>
>Thanks
>Sachin

Custom HostnameVerifier would be the most convenient plugin point.

Oleg