Re: not-yet-commons-ssl

[Asankha C. Perera]

Hi Julius I am not subscribed to jakarta-general but am in the apache incubator group already, and would be glad to help you get into incubation if we can. Synapse would like to be able to perform hostname verification and mutual auth when its possible with the NIO SSL module on which we are based now. Do you place your alpha JARs into a Maven repo by any chance? asankha Julius Davies wrote: Hi, There's a vote on "jakarta-general" to have Jakarta sponsor "not-yet-commons-ssl" for incubation.  I thought Synapse might be interested. I recently did an "alpha" release ( 0.3.7) of "not-yet-commons-ssl" to help interop with Oleg's NIO-SSL stuff.  Please take a look if you have some time! http://juliusdavies.ca/commons-ssl/ Here's a code example: ============================== SSLClient client = new SSLClient(); // Let's trust usual "cacerts" that come with Java. // (This is actually redundant unless a previous // setTrustMaterial() had wiped out the DEFAULT trust.) client.addTrustMaterial( TrustMaterial.DEFAULT ); // Plus, let's also trust a self-signed cert. client.addTrustMaterial( new TrustMaterial( "/path/to/self-signed.pem" ) ); // To be different, let's allow for expired certificates (not recommended). client.setCheckExpiry( false ); client.setCheckCRL( true ); // Let's load a client certificate.  Can be OpenSSL style PEM // or Netscape PCKS12 or Java Keystore format. // Max: 1 private-key per SSLClient instance. KeyMaterial km; km  = new KeyMaterial( "/path/to/client.pfx", "secret".toCharArray() ); client.setKeyMaterial( km ); // Get the SSLContext object to feed into Oleg's SSL-NIO module. SSLContext context = client.getSSLContext(); // [later....] String hostname = " mydomain.com"; X509Certificate cert = extractFromSSLSession();  // however you do that // It will throw an SSLException if verification fails. HostnameVerifier.DEFAULT.check( hostname, cert ); ========================================= not-yet-common-ssl also includes good support for hostname verification in all its sundry variations (wildcards, subject alt names, both at the same time!).  But when using NIO-SSL you need to extract the X509Certificate and pass it into the HostnameVerifier.DEFAULT object.  It's not automatic with NIO.  It's only automatic with the blocking SSL. We based our hostname verification on this documentation:  http://wiki.cacert.org/wiki/VhostTaskForce http://juliusdavies.ca/commons-ssl/javadocs/org/apache/commons/ssl/HostnameVerifier.html [Sorry about the rich-text.  I'll follow up with a plain-text copy.] -- yours, Julius Davies 416-652-0183 http://juliusdavies.ca/ --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]