I'm performing mutual authentication for a client to a server.
I have a server with a self-signed certificate. I've created a Java keystore (trustStore) which includes that server's certificate in the trust store. I have a keystore which includes my certificate and private key. My certificate was signed by the server (the same one which self-signed and is in my truststore). I've used the API to create an SSLSocketFactory that registers my keystore and truststore (similar to this post: Mutual Authentication with x509 Certificates using HttpClient 4.0.1).
Using Apache HttpClient 4.0.1 it all worked. I upgraded to 4.1 and, other than having to reorder the arguments in the Scheme constructor, the code is the same. However, now I get a javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
Help, please?
I see there is an org.apache.http.conn.ssl.TrustSelfSignedStrategy in 4.1 but I haven't found any examples of how to use it. I'm not even sure that I would want to use it. I'd have to make that a user choice, and it seems it would be better for them to just give me their server certificate to add to my trust store. (http://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/conn/ssl/TrustSelfSignedStrategy.html)
Below is the code:
import java.net.URI;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;

// keyStore (client cert + private key), keyStorePassword and trustStore (server cert)
// are fields loaded elsewhere in the class; IOUtils.getContent is the poster's own helper.
String doGet(URI uri, String acceptType) throws Exception
{
    // To be replaced by common module.
    String result = null;
    DefaultHttpClient httpclient = new DefaultHttpClient();
    try
    {
        // 4.1 constructor: (KeyStore keystore, String keystorePassword, KeyStore truststore)
        SSLSocketFactory socketFactory = new SSLSocketFactory(keyStore, String.valueOf(keyStorePassword), trustStore);
        // 4.1 argument order is (name, port, factory); 4.0.x was (name, factory, port)
        Scheme sch = new Scheme("https", 443, socketFactory);
        httpclient.getConnectionManager().getSchemeRegistry().register(sch);
        HttpGet httpget = new HttpGet(uri.toASCIIString());
        httpget.addHeader("Accept", acceptType);
        HttpResponse response = httpclient.execute(httpget);
        HttpEntity entity = response.getEntity();
        result = IOUtils.getContent(entity.getContent());
    } finally
    {
        // Release the pooled connection(s) held by this client
        httpclient.getConnectionManager().shutdown();
    }
    return result;
}
Below is the exception I get in 4.1:
Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:390)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:562)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:732)
I posted this on the HttpClient user list, and after interacting with the developers a bug in 4.1 was found that is going to be fixed in 4.1.1.
http://old.nabble.com/SSL-Mutual-Authentication-Code-worked-in-4.0.1-but-fails-in-4.1-tt31092864.html
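Added example, not from the original post or from the HttpClient project: a mutual-TLS client that does what the poster prefers, namely pinning the server's self-signed certificate in a truststore rather than accepting any self-signed certificate via TrustSelfSignedStrategy (which, per its javadoc, treats self-signed certificates as trusted, so any server presenting one would pass the chain check). It builds the SSLContext with plain JSSE and hands it to the SSLSocketFactory(SSLContext) constructor that HttpClient 4.1 added, bypassing the keystore/truststore convenience constructor used in the question. The file names, passwords and URL are assumptions; the keystore holds the client certificate and private key, the truststore holds only the server's certificate.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.util.EntityUtils;

public class MutualTlsClient {

    // Assumed paths and passwords; replace with your own.
    private static final String KEYSTORE_PATH = "client.jks";        // client cert + private key
    private static final char[] KEYSTORE_PASSWORD = "changeit".toCharArray();
    private static final String TRUSTSTORE_PATH = "truststore.jks";  // the server's self-signed cert only
    private static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();

    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // JKS on Sun/Oracle JDKs
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    static SSLContext buildSslContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore) throws Exception {
        // Key manager: presents our certificate and proves possession of the private key
        // when the server requests client authentication.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);

        // Trust manager: the server's chain must end at an entry in trustStore. Because the
        // truststore contains only the pinned server certificate, no other server is accepted,
        // self-signed or otherwise.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static String doGet(String url, String acceptType) throws Exception {
        KeyStore keyStore = loadKeyStore(KEYSTORE_PATH, KEYSTORE_PASSWORD);
        KeyStore trustStore = loadKeyStore(TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD);
        SSLContext ctx = buildSslContext(keyStore, KEYSTORE_PASSWORD, trustStore);

        // SSLSocketFactory(SSLContext) is available from HttpClient 4.1. It keeps the default
        // browser-compatible hostname verifier, so the server cert's CN/SAN must match the host.
        SSLSocketFactory socketFactory = new SSLSocketFactory(ctx);

        DefaultHttpClient httpclient = new DefaultHttpClient();
        try {
            // 4.1 Scheme argument order: (name, port, factory)
            httpclient.getConnectionManager().getSchemeRegistry().register(new Scheme("https", 443, socketFactory));
            HttpGet get = new HttpGet(url);
            get.addHeader("Accept", acceptType);
            HttpResponse response = httpclient.execute(get);
            return EntityUtils.toString(response.getEntity());
        } finally {
            httpclient.getConnectionManager().shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed target; the hostname must match the pinned certificate.
        System.out.println(doGet("https://localhost/", "application/json"));
    }
}
```

If the handshake fails, the first thing to check is which side rejected whom: a server-side "certificate_unknown" or "bad_certificate" alert means the server did not accept the client certificate (check that it was signed by a CA the server trusts), while a client-side "unable to find valid certification path" means the server's certificate is not in truststore.jks. Running with -Djavax.net.debug=ssl shows both sides' certificate exchange.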