Tuesday, May 24, 2016

Apache http-client, customizing SSLSocketFactory

Here is the general documentation on Apache HTTP client: https://hc.apache.org/httpcomponents-client-ga/

https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/conn/scheme/SchemeSocketFactory.html

    HttpContext context...
    SchemeRegistry registry = getSchemeRegistry(context);
    Scheme schm = registry.getScheme(target.getSchemeName());
    SchemeSocketFactory sf = schm.getSchemeSocketFactory();


This example https://hc.apache.org/httpcomponents-client-ga/httpclient/examples/org/apache/http/examples/client/ClientCustomSSL.java shows

Specifically, it's interesting to look at their default implementation of https://docs.oracle.com/javase/7/docs/api/javax/net/ssl/HostnameVerifier.html, which is org.apache.http.conn.ssl.BrowserCompatHostnameVerifier (extends org.apache.http.conn.ssl.AbstractVerifier, which implements org.apache.http.conn.ssl.X509HostnameVerifier, which extends javax.net.ssl.HostnameVerifier).

The extra methods added by org.apache.http.conn.ssl.X509HostnameVerifier are:

  public abstract void verify(String host, SSLSocket ssl)
    throws IOException;
  
  public abstract void verify(String host, X509Certificate cert)
    throws SSLException;
  
  public abstract void verify(String host, String[] cns, String[] subjectAlts)
    throws SSLException;

while the basic javax.net.ssl.HostnameVerifier contains only:

  verify(String hostname, SSLSession session)


Remember! javax.net.ssl.SSLSocketFactory is an ABSTRACT class.
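
An added example (not code from the original post or from the HttpClient project) showing how the verifier interfaces above fit together: a custom verifier that extends AbstractVerifier, implements only the three-argument verify, and is passed to the Apache SSLSocketFactory for the https scheme. The class names AllowListVerifierDemo and AllowListVerifier and the host names are hypothetical; it assumes the HttpClient 4.x jars are on the classpath.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.AbstractVerifier;
import org.apache.http.conn.ssl.SSLSocketFactory; // Apache's concrete class, not the abstract javax.net.ssl one

public class AllowListVerifierDemo {
    /** Hypothetical verifier: host must be on an allow-list AND match the certificate strictly. */
    static class AllowListVerifier extends AbstractVerifier {
        private final Set<String> allowed;

        AllowListVerifier(String... hosts) {
            allowed = new HashSet<String>(Arrays.asList(hosts));
        }

        // The only method AbstractVerifier leaves unimplemented; the SSLSocket,
        // X509Certificate and SSLSession overloads are inherited and end up here.
        @Override
        public void verify(String host, String[] cns, String[] subjectAlts) throws SSLException {
            if (!allowed.contains(host)) {
                throw new SSLException("host not on allow-list: " + host);
            }
            // strictWithSubDomains = true: a wildcard covers one subdomain level only
            verify(host, cns, subjectAlts, true);
        }
    }

    public static void main(String[] args) throws Exception {
        AllowListVerifier verifier = new AllowListVerifier("api.example.com");

        // Constructed certificate names, checked offline (no connection is opened)
        verifier.verify("api.example.com", new String[] {"api.example.com"}, null);
        try {
            verifier.verify("api.example.com", new String[] {"other.example.com"}, null);
            throw new AssertionError("mismatched certificate name was accepted");
        } catch (SSLException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }

        // Wiring: JVM default trust store plus the custom verifier for the https scheme
        SSLSocketFactory sf = new SSLSocketFactory(SSLContext.getDefault(), verifier);
        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("https", 443, sf));
    }
}
```

The registry built at the end is what a scheme lookup like the one near the top of this post would return the socket factory from.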

For use within WebLogic, see http://docs.oracle.com/cd/E12839_01/core.1111/e10043/ohttps.htm#JISEC2046, but the property HTTPClient.defaultHostnameVerifier doesn't seem to work with Apache HTTPClient.

Another interface also exists: weblogic.security.SSL.HostnameVerifier


