Re: CloseableHttpClient and custom verification of SSL session

2016-08-22 Thread Bernd Eckenfels 
Hello,

I guess it depends on the definition of "verifying session", for
example I was using the TrustStrategy to do (additional) certificate
public key info pinning:

  pinnedCertTrust = new PinnedCertTrust("...=");
  // this context falls back to system trust material (but first checks pinning)
  SSLContext sslcontext = SSLContexts.custom().useProtocol("TLSv1.2")
  
.loadTrustMateria(pinnedCertTrust).build();
  // Allow TLSv1.2 protocol only
  SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslcontext,
   new String[] { "TLSv1.2" },
   null,
   
SSLConnectionSocketFactory.getDefaultHostnameVerifier());
  builder.setSSLSocketFactory(sslsf);

If the pin fails it throws a CertificateException, when it suceeds it
returns false (which falls back to doing all normal trust checks in
addition to the pinning).

Gruss
Bernd




Am Mon, 22 Aug 2016 17:09:34 +0200
schrieb Oleg Kalnichevski :

> On August 22, 2016 2:50:35 PM GMT+02:00, Sachin Nikumbh
>  wrote:
> >Hi Oleg,
> >
> >Thanks for your response. I had thought of using custom
> >HostnameVerifier. However, it only gets called if the default
> >hostname verification fails and that won’t work for me. We need to
> >do the custom verification for the server certificate when the
> >default hostname verification is successful as well.
> >
> >We have an existing code that uses CloseableHttpAsyncClient. We have
> >solved our problem by using a custom SSLIOSessionStrategy,
> >RegistryBuilder and PoolingNHttpClientConnectionManager. Is there any
> >way to use similar technique with the CloseableHttpClient?
> >
> >Thanks
> >Sachin
> >
> 
> ConnectionSocketFactory in the classic HttpClient module will give
> you full control over the process of socket initialization. See the
> stock SSL implementation for details and use it as a starting point.
> 
> Oleg
> 


-
To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
For additional commands, e-mail: httpclient-users-h...@hc.apache.org

RE: CloseableHttpClient and custom verification of SSL session

2016-08-22 Thread Sachin Nikumbh 
Hi Oleg,

Thanks for your response. I had thought of using custom HostnameVerifier. 
However, it only gets called if the default hostname verification fails and 
that won’t work for me. We need to do the custom verification for the server 
certificate when the default hostname verification is successful as well.

We have an existing code that uses CloseableHttpAsyncClient. We have solved our 
problem by using a custom SSLIOSessionStrategy, RegistryBuilder and 
PoolingNHttpClientConnectionManager. Is there any way to use similar technique 
with the CloseableHttpClient?

Thanks
Sachin


-Original Message-
From: Oleg Kalnichevski [mailto:ol...@apache.org] 
Sent: Monday, August 22, 2016 5:53 AM
To: HttpClient User Discussion <httpclient-users@hc.apache.org>
Subject: Re: CloseableHttpClient and custom verification of SSL session

On August 21, 2016 10:50:47 PM GMT+02:00, Sachin Nikumbh <saniku...@gmail.com> 
wrote:
>Hi all,
>
>I am using CloseableHttpClient to support HTTPS. I need to do some 
>client side verification after receiving the server certificate. This 
>needs to happen immediately after the SSL handshake and before the 
>actual data is exchanged. Can someone please direct me in the right 
>direction?
>
>Thanks
>Sachin

Custom HostnameVerifier would be the most convenient plugin point.

Oleg
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

-
To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
For additional commands, e-mail: httpclient-users-h...@hc.apache.org

Re: CloseableHttpClient and custom verification of SSL session

2016-08-22 Thread Oleg Kalnichevski 
On August 21, 2016 10:50:47 PM GMT+02:00, Sachin Nikumbh  
wrote:
>Hi all,
>
>I am using CloseableHttpClient to support HTTPS. I need to do some
>client
>side verification after receiving the server certificate. This needs to
>happen immediately after the SSL handshake and before the actual data
>is
>exchanged. Can someone please direct me in the right direction?
>
>Thanks
>Sachin

Custom HostnameVerifier would be the most convenient plugin point.

Oleg
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

-
To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
For additional commands, e-mail: httpclient-users-h...@hc.apache.org

CloseableHttpClient and custom verification of SSL session

2016-08-21 Thread Sachin Nikumbh 
Hi all,

I am using CloseableHttpClient to support HTTPS. I need to do some client
side verification after receiving the server certificate. This needs to
happen immediately after the SSL handshake and before the actual data is
exchanged. Can someone please direct me in the right direction?

Thanks
Sachin