The breakpoint is never reached because Apache SOAP doesn't use the HttpsURLConnection class (or its base classes) for communication but rather its own set of classes working off of the lower level SSLSocket classes.
I'm pretty much stuck in the same boat so if anyone has had any success please pass on your findings.
-Joe
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 10, 2002 12:36 PM
To: [EMAIL PROTECTED]
Subject: How To Registering My Own Cert TrustManager for SOAP Call
How do I register my own X509TrustManager so that I can programmatically check the server cert in the isServerTrusted() method for a SOAP call using Apache SOAP 2.2? (My server has a self-signed cert.)
When I code the following, https POSTS to the server, such as "https://localhost:8080/TestServlet", work fine because I registered the trust manager and it stops at my breakpoint in isServerTrusted().
// start code example
import java.security.Security;
import javax.net.ssl.SSLSocketFactory;
import com.sun.net.ssl.*;   // JSSE 1.0.x API that these method signatures belong to

// Accepts any URL hostname / certificate hostname pair.
class AnyHostnameVerifier implements HostnameVerifier {
    public boolean verify(java.lang.String urlHostname, java.lang.String certHostname) {
        return true;
    }
}

// Accepts every certificate chain without validation.
class AnyX509TrustManager implements X509TrustManager {
    public boolean isClientTrusted(java.security.cert.X509Certificate[] chain) {
        return true;
    }
    public boolean isServerTrusted(java.security.cert.X509Certificate[] chain) {
        return true;
    }
    public java.security.cert.X509Certificate[] getAcceptedIssuers() {
        return null;
    }
}

// Register the HTTPS protocol handler and the JSSE provider.
System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

X509TrustManager tm = new AnyX509TrustManager();
HostnameVerifier hm = new AnyHostnameVerifier();
KeyManager[] km = null;
TrustManager[] tma = { tm };
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(km, tma, new java.security.SecureRandom());
SSLSocketFactory sf1 = sc.getSocketFactory();

// These defaults apply to HttpsURLConnection only.
HttpsURLConnection.setDefaultSSLSocketFactory(sf1);
HttpsURLConnection.setDefaultHostnameVerifier(hm);
// end code example
BUT WHEN MAKING THE FOLLOWING SOAP CALL...
// start code example
Call call = new Call();   // org.apache.soap.rpc.Call
String targetObjectURI = "http://tempuri.org/Service";
call.setMethodName("getName");
call.setEncodingStyleURI(Constants.NS_URI_SOAP_ENC);
call.setTargetObjectURI(targetObjectURI);
call.setParams(new Vector());
call.invoke(new URL("https://localhost:8443/logon-example/servlet/rpcrouter"), "");
// end code example
IT FAILS WITH
main, SEND SSL v3.1 ALERT: fatal, description = certificate_unknown
main, WRITE: SSL v3.1 Alert, length = 2
org.apache.soap.SOAPException, Error opening socket: null
AND THE BREAKPOINT IS NEVER REACHED IN MY REGISTERED TRUST-MANAGER
