List: httpclient-users
Subject: Re: How come my http-client is not presenting the certificate?
From: James Vu <jtuan98 () yahoo ! com>
Date: 2006-10-12 12:00:42
Message-ID: 20061012120042.79908.qmail () web54205 ! mail ! yahoo ! com
Julius:
This is not looking good at all. It did not work for
me. I get the client: null message. I tried HEAD and
then GET, and also GET/releaseConnection/GET again,
which also fails.
I am running out of ideas.
JT
--- James Vu <jtuan98@yahoo.com> wrote:
> Julius:
>
> I will try this on thursday next week and I will
> post
> the results for you.
>
> Thank you very much for your help and hopefully it
> will work,
> JT
>
> --- Julius Davies <juliusdavies@cucbc.com> wrote:
>
> > Hi, James,
> >
> > Did you try the test below, where I analyzed the
> > socket after the GET
> > request had gone through?
> >
> > final SSLSocket[] socket = new SSLSocket[ 1 ];
> >
> > Inside the "SSLWrapperFactory" anonymous inner
> > class, add this:
> >
> > socket[ 0 ] = s;
> >
> > After the GET response has come back through
> > httpclient, take a look at
> > the client certs yet again:
> >
> > Certificate[] certs = socket[ 0 ].getSession().getLocalCertificates();
> > if ( certs != null )
> > {
> >     System.out.println( "client certs:" );
> >     for ( int i = 0; i < certs.length; i++ )
> >     {
> >         X509Certificate c = (X509Certificate) certs[ i ];
> >         System.out.println( Certificates.toString( c ) );
> >     }
> > }
> > else
> > {
> >     System.out.println( "client certs: null" );
> > }
> >
> > For me that was showing that in the end httpclient
> > did send the client cert, but perhaps it just didn't
> > send it in time for the first request?
> >
> > With that in mind I have one idea:
> >
> > 1. Use a "MultiThreadedHttpConnectionManager"
> > configured to only pool a single connection, and try
> > that initial GET request against the "LOCKDOWN" path
> > twice. That way hopefully the socket will be
> > authenticated in time for the 2nd request.
> >
> > (Be sure to read off the full reply of the first
> > request before sending
> > the second one).
> >
> > MultiThreadedHttpConnectionManager connectionManager = new MultiThreadedHttpConnectionManager();
> > HttpConnectionManagerParams params = connectionManager.getParams();
> > params.setDefaultMaxConnectionsPerHost( 1 );
> > params.setMaxTotalConnections( 1 );
> > HttpClient client = new HttpClient( connectionManager );
> >
> > So do the GET or POST request you had in mind a
> > first time to try and get the ssl handshake to happen.
> > Then do your real GET or POST afterwards. (Or maybe
> > just start off with a HEAD request the first time.)
> >
> > Since the ConnectionManager is only holding a single
> > socket, hopefully that socket will stay in use (and
> > not get shutdown), and become a special
> > "authenticated" socket!
> >
> > yours,
> >
> > Julius
> >
> >
> >
> > On Fri, 2006-06-10 at 20:20 -0700, James Vu wrote:
> > > Julius:
> > >
> > > Thanks so much for your time. The server that I
> > > am connected to is "Netscape CMS 4.5" so I could
> > > not find where to configure the WANT vs the NEED flag.
> > >
> > > So from what you are saying, there is not much
> > > else I can do with HttpClient and commons-ssl?
> > > I know that openssl worked since I have tested
> > > manually with that; should I look at PureTLS (which
> > > is a Java wrapper for openssl)?
> > >
> > > what is your advice? Where do I go from here?
> > >
> > > thanks again,
> > > JT
> > >
> > > --- Julius Davies <juliusdavies@cucbc.com> wrote:
> > >
> > > > ps. If you can get your server to set itself
> > > > into WANT-CLIENT-AUTH mode from the very beginning,
> > > > things might work better. WANT-CLIENT-AUTH mode
> > > > still allows sockets that don't have client
> > > > certificates to be established.
> > > >
> > > > Only NEED-CLIENT-AUTH mode disallows socket
> > > > creation in those cases.
> > > >
> > > > So if your server was setup with WANT-CLIENT-AUTH
> > > > mode right from the beginning, httpclient would be
> > > > able to send the client cert on all requests, and
> > > > not have to worry about this situation where a
> > > > client cert is asked for right in the middle of a
> > > > request (after the GET or POST line has been sent!).
> > > >
> > > > But I would still like to see what it takes to
> > > > get commons-ssl and httpclient to work flawlessly
> > > > with the scenario you've identified.
> > > >
> > > >
> > > > yours,
> > > >
> > > > Julius
> > > >
> > > >
> > > > On Fri, 2006-06-10 at 13:09 -0700, Julius Davies wrote:
> > > > > Hi, James,
> > > > >
> > > > > Wow! A person can call the following in the
> > > > > middle of a TCP/IP session:
> > > > >
> > > > > // This happens in the server:
> > > > > // SSLSocket "s" came from a serverSocket.accept() call.
> > > > > s.setNeedClientAuth( true );
> > > > > s.getSession().invalidate();
> > > > > s.startHandshake();
> > > > >
> > > > > I didn't know that.
> > > > >
> > > > > But commons-ssl didn't seem to mind at all. I
> > > > > just needed to alter the test code a little to
> > > > > see that it worked. Add this at the top:
> > > > >
> > > > > final SSLSocket[] socket = new SSLSocket[ 1 ];
> > > > >
> > > > > Inside the "SSLWrapperFactory" anonymous inner
> > > > > class, add this:
>
=== message truncated ===
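Julius's two suggestions in the thread, a connection pool of exactly one socket and re-checking getLocalCertificates() after each response, combined into one HttpClient 3.x probe. This is an added example, not code from the thread or from commons-ssl: it swaps commons-ssl's SSLWrapperFactory for a plain JSSE SecureProtocolSocketFactory, assumes the client key pair is supplied through the standard javax.net.ssl.keyStore system properties, and the URL is a placeholder for the real "LOCKDOWN" path.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.MultiThreadedHttpConnectionManager;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
// Socket factory that remembers the last SSLSocket (the thread's socket[0] trick) so the TLS session
// can be inspected after each request. Plain JSSE; client key pair assumed to come from javax.net.ssl.keyStore.
public class ClientCertProbe implements SecureProtocolSocketFactory {
    static final SSLSocket[] LAST = new SSLSocket[1];
    private final SSLSocketFactory jsse = (SSLSocketFactory) SSLSocketFactory.getDefault();
    private Socket remember(Socket s) { LAST[0] = (SSLSocket) s; return s; }
    public Socket createSocket(String h, int p) throws IOException { return remember(jsse.createSocket(h, p)); }
    public Socket createSocket(String h, int p, InetAddress la, int lp) throws IOException { return remember(jsse.createSocket(h, p, la, lp)); }
    public Socket createSocket(String h, int p, InetAddress la, int lp, HttpConnectionParams params)
        throws IOException { return createSocket(h, p, la, lp); } // connect timeout not honoured in this probe
    public Socket createSocket(Socket s, String h, int p, boolean autoClose) throws IOException { return remember(jsse.createSocket(s, h, p, autoClose)); }

    // Subject DN of the client cert the session has actually sent so far, or null if none yet.
    static String clientCertSubject() {
        Certificate[] certs = LAST[0] == null ? null : LAST[0].getSession().getLocalCertificates();
        if (certs == null || certs.length == 0) return null;
        return ((X509Certificate) certs[0]).getSubjectX500Principal().getName();
    }

    // Round 1 provokes the server's mid-request renegotiation; round 2 should ride the same pooled
    // socket, which by then carries the client cert. Returns the last HTTP status code.
    static int fetchTwice(HttpClient client, String url) throws IOException {
        int status = 0;
        for (int round = 1; round <= 2; round++) {
            GetMethod get = new GetMethod(url);
            try { status = client.executeMethod(get); get.getResponseBodyAsString(); } // drain the whole reply
            finally { get.releaseConnection(); }                                       // before reusing the socket
            System.out.println("round " + round + ": status " + status + ", client cert: " + clientCertSubject());
        }
        return status;
    }

    public static void main(String[] args) throws IOException {
        Protocol.registerProtocol("https", new Protocol("https", new ClientCertProbe(), 443));
        MultiThreadedHttpConnectionManager cm = new MultiThreadedHttpConnectionManager();
        cm.getParams().setDefaultMaxConnectionsPerHost(1); // pool exactly one connection so the
        cm.getParams().setMaxTotalConnections(1);          // renegotiated socket is the one reused
        fetchTwice(new HttpClient(cm), args.length > 0 ? args[0] : "https://example.invalid/LOCKDOWN"); // placeholder
    }
}
```

If round 1 prints a null client cert and round 2 prints a subject DN, the server really did ask for the certificate mid-request and the pooled socket is now the "authenticated" one; if both rounds print null, the connection was not reused (for example the server closed it) and the pool trick cannot help.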