On Sat, 2016-12-17 at 18:05 -0500, Qiang Cao wrote:
> Hi Everyone,
>
> I'm running my client to talk to a service that is behind a proxy. The
> channel between the client and the server proxy is established through SSL.
> I wish to retain the certificates of the proxy.
>
> Client --- SSL socket (HTTPS) ---> SSL PROXY --- Plain socket (HTTP) --->
> Server
>
> The way I do it is to create a context for each request and grab the SSL
> session info from the context after each request is executed.
>
> ..
> HttpClientContext clientContext = HttpClientContext.create();
> CloseableHttpResponse response = httpclient.execute(target, httppost, clientContext);
> ManagedHttpClientConnection conn = clientContext.getConnection(ManagedHttpClientConnection.class);
>
> if (conn.isOpen()) {
>     SSLSession sslsession = conn.getSSLSession();
>     X509Certificate[] peerCertChain = sslsession.getPeerCertificateChain();
> }
>
> The code works fine when there is no proxy and the server runs SSL. In that
> case, I'm able to get the server certificates. However, with the SSL proxy
> in the middle, the connection (ManagedHttpClientConnection) I got from the
> context is always NOT open. With that, I sort of ran out of ideas to get
> the SSL session for the request. Any thoughts?
>
> Thanks in advance!
>
> -Qiang
Hi Qiang
A connection socket factory should be a better injection point for any
custom SSL logic
---
CloseableHttpClient client = HttpClientBuilder.create()
    .setSSLSocketFactory(new SSLConnectionSocketFactory(SSLContexts.createSystemDefault()) {
        @Override
        public Socket createLayeredSocket(
                final Socket socket,
                final String target,
                final int port,
                final HttpContext context) throws IOException {
            // super has already completed the handshake and verified the hostname
            final SSLSocket layeredSocket = (SSLSocket)
                    super.createLayeredSocket(socket, target, port, context);
            SSLSession sslsession = layeredSocket.getSession();
            // getPeerCertificateChain() returns the legacy javax.security.cert type and is deprecated;
            // getPeerCertificates() returns java.security.cert.Certificate[] (leaf first)
            X509Certificate[] peerCertChain = sslsession.getPeerCertificateChain();
            return layeredSocket;
        }
    })
    .build();
---
Hope this helps
Oleg
To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
For additional commands, e-mail: httpclient-users-h...@hc.apache.org
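A complete version of the socket-factory approach from Oleg's reply, added here as an example that is not part of the original thread or of HttpClient itself. It assumes HttpClient 4.5 (package org.apache.http.ssl.SSLContexts) and the topology from the question: an HTTPS proxy in front of a plain-HTTP backend. The host names, the context attribute name and the optional leaf-certificate pin are assumptions chosen for the example. The factory captures the chain with the non-deprecated getPeerCertificates(), stores it in the HttpContext of the request that opened the connection so it can be read back after execute(), and, if a SHA-256 fingerprint is supplied, refuses the connection when the leaf certificate does not match.

```java
import java.io.IOException;
import java.net.Socket;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;

import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;

import org.apache.http.HttpHost;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.NoConnectionReuseStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.protocol.HttpContext;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.EntityUtils;

public class PeerChainCapture {

    /** Context attribute name under which the captured chain is stored (chosen for this example). */
    public static final String PEER_CHAIN_ATTR = "example.peer.cert.chain";

    /** SSL socket factory that records (and optionally pins) the peer chain of every TLS socket it layers. */
    static final class CapturingSslSocketFactory extends SSLConnectionSocketFactory {
        private final String expectedLeafSha256; // hex SHA-256 of the expected leaf cert, or null to only record

        CapturingSslSocketFactory(final String expectedLeafSha256) {
            super(SSLContexts.createSystemDefault());
            this.expectedLeafSha256 = expectedLeafSha256;
        }

        @Override
        public Socket createLayeredSocket(final Socket socket, final String target, final int port,
                                          final HttpContext context) throws IOException {
            // super has already run the handshake and checked the hostname against the leaf certificate
            final SSLSocket tls = (SSLSocket) super.createLayeredSocket(socket, target, port, context);
            // getPeerCertificates() returns the chain leaf-first as java.security.cert.Certificate[];
            // getPeerCertificateChain() is deprecated and returns the legacy javax.security.cert type
            final Certificate[] chain = tls.getSession().getPeerCertificates();
            final String leafFp = sha256Hex((X509Certificate) chain[0]);
            if (expectedLeafSha256 != null && !expectedLeafSha256.equalsIgnoreCase(leafFp)) {
                tls.close();
                throw new SSLPeerUnverifiedException(
                        "Leaf certificate of " + target + " has unexpected SHA-256 " + leafFp);
            }
            if (context != null) {
                context.setAttribute(PEER_CHAIN_ATTR, chain);
            }
            return tls;
        }
    }

    /** Hex SHA-256 over the DER encoding of a certificate. */
    static String sha256Hex(final X509Certificate cert) throws IOException {
        try {
            final byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            final StringBuilder sb = new StringBuilder(digest.length * 2);
            for (final byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            throw new IOException("cannot fingerprint certificate", e);
        }
    }

    public static void main(final String[] args) throws Exception {
        // assumed hosts: a TLS-terminating proxy in front of a plain-HTTP backend, as in the question
        final HttpHost proxy = new HttpHost("proxy.example.invalid", 8443, "https");
        final HttpHost target = new HttpHost("backend.example.invalid", 80, "http");

        try (CloseableHttpClient client = HttpClientBuilder.create()
                .setSSLSocketFactory(new CapturingSslSocketFactory(null))
                .setProxy(proxy)
                // createLayeredSocket runs once per new connection, not per request; forcing a fresh
                // connection per request guarantees every context carries a chain (at the cost of pooling)
                .setConnectionReuseStrategy(NoConnectionReuseStrategy.INSTANCE)
                .build()) {
            final HttpClientContext ctx = HttpClientContext.create();
            try (CloseableHttpResponse rsp = client.execute(target, new HttpGet("/"), ctx)) {
                EntityUtils.consume(rsp.getEntity());
            }
            final Certificate[] chain = (Certificate[]) ctx.getAttribute(PEER_CHAIN_ATTR);
            for (final Certificate c : chain) {
                final X509Certificate x = (X509Certificate) c;
                System.out.println(x.getSubjectX500Principal() + "  sha256=" + sha256Hex(x));
            }
        }
    }
}
```

Two points worth keeping in mind. The chain is recorded when the TLS socket is created, so with a pooled connection only the request that opened it sees the attribute; the example disables reuse to make the mapping request-to-chain exact, and a production client would instead keep pooling and treat the capture as per-connection. The pin, when enabled, runs after the normal trust-store validation and hostname check done by SSLConnectionSocketFactory, so it narrows trust rather than replacing it; closing the socket before throwing avoids leaving a half-open connection behind.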