Hi, There's a vote on "jakarta-general" to have Jakarta sponsor "not-yet-commons-ssl" for incubation. I thought Synapse might be interested.
I recently did an "alpha" release (0.3.7) of "not-yet-commons-ssl" to help interop with Oleg's NIO-SSL stuff. Please take a look if you have some time! http://juliusdavies.ca/commons-ssl/ Here's a code example: ============================== SSLClient client = new SSLClient(); // Let's trust usual "cacerts" that come with Java. // (This is actually redundant unless a previous // setTrustMaterial() had wiped out the DEFAULT trust.) client.addTrustMaterial( TrustMaterial.DEFAULT ); // Plus, let's also trust a self-signed cert. client.addTrustMaterial( new TrustMaterial( "/path/to/self-signed.pem" ) ); // To be different, let's allow for expired certificates (not recommended). client.setCheckExpiry( false ); client.setCheckCRL( true ); // Let's load a client certificate. Can be OpenSSL style PEM // or Netscape PCKS12 or Java Keystore format. // Max: 1 private-key per SSLClient instance. KeyMaterial km; km = new KeyMaterial( "/path/to/client.pfx", "secret".toCharArray() ); client.setKeyMaterial( km ); // Get the SSLContext object to feed into Oleg's SSL-NIO module. SSLContext context = client.getSSLContext(); // [later....] String hostname = "mydomain.com"; X509Certificate cert = extractFromSSLSession(); // however you do that // It will throw an SSLException if verification fails. HostnameVerifier.DEFAULT.check( hostname, cert ); ========================================= not-yet-common-ssl also includes good support for hostname verification in all its sundry variations (wildcards, subject alt names, both at the same time!). But when using NIO-SSL you need to extract the X509Certificate and pass it into the HostnameVerifier.DEFAULT object. It's not automatic with NIO. It's only automatic with the blocking SSL. We based our hostname verification on this documentation: http://wiki.cacert.org/wiki/VhostTaskForce http://juliusdavies.ca/commons-ssl/javadocs/org/apache/commons/ssl/HostnameVerifier.html [Sorry about the rich-text. I'll follow up with a plain-text copy.] -- yours, Julius Davies 416-652-0183 http://juliusdavies.ca/
