Re: [C3] How to/where to disable certificate check accessing HTTPS
Andrei,

On 9/10/2010 4:35 PM, Andrei Lunjov wrote:
> One more thing was needed:
>
>     HostnameVerifier verifyEverything = new HostnameVerifier() {
>         public boolean verify(String hostname, SSLSession session) {
>             return true;
>         }
>     };
>     HttpsURLConnection.setDefaultHostnameVerifier( verifyEverything );

Thanks for pointing that out.

> This works for me now. And yes, making this check switchable per resource
> would be very useful.

I tried following the code around for 2.1.11 and it gets quite complicated: there is a class that resolves URLs into InputSources that doesn't look like it's got access to the Generator's configuration.

In short: this doesn't look like a simple fix. Instead, it appears that a more extensive re-factoring would be necessary in order to achieve your goal.

That being said, you could adapt the disableSSLCertificateChecking method I posted to only ignore SSL validity checks for the URLs that you want. Otherwise, invoke the default (or, at least, previously-configured) SSLSocketFactory.

-chris

To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org
For additional commands, e-mail: users-h...@cocoon.apache.org
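One way to scope the exemption to selected URLs as suggested in the message above, as an added example that is not part of the original thread and not Cocoon code. It goes one step further than the thread by accepting only one pinned certificate for an exempted host instead of any certificate; the class name, the PINNED map and the fingerprint placeholder are assumptions, and the URL is assumed to be https.

```java
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Locale;
import java.util.Map;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public final class ScopedTlsExemption {
    // Hypothetical exemption list: lower-case host -> SHA-256 (hex) of the one
    // certificate accepted there. The value is a placeholder, not a real pin.
    private static final Map<String, String> PINNED =
        Map.of("asite.with.invalid.cert", "<sha256-hex-of-server-certificate>");
    // Listed hosts get a per-connection factory; all others keep the JVM defaults.
    public static HttpsURLConnection open(URL url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        String pin = PINNED.get(url.getHost().toLowerCase(Locale.ROOT));
        if (pin != null) {
            SSLContext sc = SSLContext.getInstance("TLS");
            sc.init(null, new TrustManager[] { new PinnedTrustManager(pin) }, null);
            conn.setSSLSocketFactory(sc.getSocketFactory()); // not setDefault...
            // The pin identifies the server, so a name mismatch is tolerated here only.
            conn.setHostnameVerifier((hostname, session) -> true);
        }
        return conn;
    }
    static final class PinnedTrustManager implements X509TrustManager {
        private final String expectedHex;
        PinnedTrustManager(String expectedHex) { this.expectedHex = expectedHex; }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            throw new CertificateException("client certificates are not accepted");
        }
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
            StringBuilder hex = new StringBuilder();
            try {
                MessageDigest md = MessageDigest.getInstance("SHA-256");
                for (byte b : md.digest(chain[0].getEncoded())) hex.append(String.format("%02x", b));
            } catch (NoSuchAlgorithmException e) { throw new CertificateException(e); }
            if (!hex.toString().equalsIgnoreCase(expectedHex)) throw new CertificateException("leaf certificate does not match pin");
        }
    }
}
```

With the placeholder left in place the pin never matches, so the exempted host fails closed until a real fingerprint is configured.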
Re: [C3] How to/where to disable certificate check accessing HTTPS
Hi Jos,

I just try to do:

    map:generate src=https://asite.with.invalid.cert/some/resource/

And sun.net.www.protocol.https.HttpsURLConnectionImpl, if I remember right, throws an exception. Cert is invalid, so adding it to the trust store is questionable. I'd like to ignore the cert check at all, something like this:
http://www.exampledepot.com/egs/javax.net.ssl/TrustAll.html

And it's a big question for me what would be the best way to add this modification, preferably so I can switch cert check on and off for different resources.

Andrei

10.09.2010 07:25, Jos Snellings wrote:
> Hi Andrej,
>
> Could you please provide a little bit more detail on what you want to
> accomplish? Is it that you need in your sitemap to forward some urls to
> a secure site?
>
> Cheers,
> Jos
Re: [C3] How to/where to disable certificate check accessing HTTPS
Andrei,

On 9/10/2010 4:05 AM, Andrei Lunjov wrote:
> Hi Jos,
>
> I just try to do:
>
>     map:generate src=https://asite.with.invalid.cert/some/resource/
>
> And sun.net.www.protocol.https.HttpsURLConnectionImpl, if I remember
> right, throws an exception. Cert is invalid, so adding it to the trust
> store is questionable. I'd like to ignore the cert check at all,
> something like this:
> http://www.exampledepot.com/egs/javax.net.ssl/TrustAll.html
>
> And it's a big question for me what would be the best way to add this
> modification, preferably so I can switch cert check on and off for
> different resources.

The code below will disable SSL checking for /all/ resources, and can easily be put into a ServletContextListener in order to modify the SSL cert checking behavior for a webapp at startup (that is, it's relatively easy to just slap this into an existing Cocoon installation).

    import java.security.KeyManagementException;
    import java.security.NoSuchAlgorithmException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;

    public static void disableSSLCertificateChecking()
        throws NoSuchAlgorithmException, KeyManagementException
    {
        // Trust manager whose checks are empty: every certificate chain is accepted.
        TrustManager[] trustAllCerts = new TrustManager[] {
            new X509TrustManager() {
                public X509Certificate[] getAcceptedIssuers() {
                    return null;
                }
                public void checkClientTrusted(X509Certificate[] certs, String authType) {
                }
                public void checkServerTrusted(X509Certificate[] certs, String authType) {
                }
            }
        };

        SSLContext sc = SSLContext.getInstance("SSL");
        sc.init(null, trustAllCerts, new java.security.SecureRandom());

        // Static default: applies to every HttpsURLConnection in the JVM.
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    }

As I mentioned, this won't help with the resource-specific connections. The code above could be adapted to work inside a generator in order to exempt that single resource from SSL certificate checking.

Maybe I'll take a look at the Cocoon code and propose a patch if it's useful.

-chris
Re: [C3] How to/where to disable certificate check accessing HTTPS
Thank you a lot, Christopher!

Me blind idiot - didn't mark HttpsURLConnection.setDefaultSSLSocketFactory is static! :)

Very simple indeed - I implemented ServletContextListener and added it to *-block-deployment.xweb in my block.

One more thing was needed:

    HostnameVerifier verifyEverything = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    };
    HttpsURLConnection.setDefaultHostnameVerifier( verifyEverything );

This works for me now. And yes, making this check switchable per resource would be very useful.

Thanks,
Andrei

10.09.2010 21:17, Christopher Schultz wrote:
> Andrei,
>
> On 9/10/2010 4:05 AM, Andrei Lunjov wrote:
> > Hi Jos,
> >
> > I just try to do:
> >
> >     map:generate src=https://asite.with.invalid.cert/some/resource/
> >
> > And sun.net.www.protocol.https.HttpsURLConnectionImpl, if I remember
> > right, throws an exception. Cert is invalid, so adding it to the trust
> > store is questionable. I'd like to ignore the cert check at all,
> > something like this:
> > http://www.exampledepot.com/egs/javax.net.ssl/TrustAll.html
> >
> > And it's a big question for me what would be the best way to add this
> > modification, preferably so I can switch cert check on and off for
> > different resources.
>
> The code below will disable SSL checking for /all/ resources, and can
> easily be put into a ServletContextListener in order to modify the SSL
> cert checking behavior for a webapp at startup (that is, it's relatively
> easy to just slap this into an existing Cocoon installation).
>
>     public static void disableSSLCertificateChecking()
>         throws NoSuchAlgorithmException, KeyManagementException
>     {
>         TrustManager[] trustAllCerts = new TrustManager[] {
>             new X509TrustManager() {
>                 public X509Certificate[] getAcceptedIssuers() {
>                     return null;
>                 }
>                 public void checkClientTrusted(X509Certificate[] certs, String authType) {
>                 }
>                 public void checkServerTrusted(X509Certificate[] certs, String authType) {
>                 }
>             }
>         };
>
>         SSLContext sc = SSLContext.getInstance("SSL");
>         sc.init(null, trustAllCerts, new java.security.SecureRandom());
>         HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
>     }
>
> As I mentioned, this won't help with the resource-specific connections.
> The code above could be adapted to work inside a generator in order to
> exempt that single resource from SSL certificate checking.
>
> Maybe I'll take a look at the Cocoon code and propose a patch if it's
> useful.
>
> -chris
[C3] How to/where to disable certificate check accessing HTTPS
Hi all,

I was working a lot with Cocoon 2.0 and 2.1, did something with 2.2 but I am new to 3.0, so I need some guidance to habits. Please excuse my stupid questions.

I need to access HTTPS URL using XMLGenerator. Unfortunately the target site has an invalid certificate and HTTPS URLConnection implementation throws an exception. I more or less know how to ignore it with Java APIs, but I wonder where should I place this code to co-work with Cocoon? My own Generator seems to be a big copy-paste.

An advice please? :)

Thanks,
Andrei
Re: [C3] How to/where to disable certificate check accessing HTTPS
Hi Andrej,

Could you please provide a little bit more detail on what you want to accomplish? Is it that you need in your sitemap to forward some urls to a secure site?

Cheers,
Jos