<span id="mailbox-conversation">IMO it should be supported on client/server side. This is exactly what I've been developing for mobile applications to establish a trustworthy relationship. I prefer self signed certificates, instead of trust on any CA</span><div class="mailbox_signature">—<br>abstractj</div>
<br><br><div class="gmail_quote"><p>On Fri, Mar 7, 2014 at 4:30 PM, tolis emmanouilidis <span dir="ltr">&lt;<a href="mailto:tolisemm@gmail.com" target="_blank">tolisemm@gmail.com</a>&gt;</span> wrote:<br></p><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div dir="ltr">
<br><div class="gmail_extra">
<br><br><div class="gmail_quote">2014-03-07 18:21 GMT+02:00 Matthias Wessendorf <span dir="ltr">&lt;<a href="mailto:matzew@apache.org">matzew@apache.org</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">
<br><div class="gmail_extra">
<br><br><div class="gmail_quote">
<div class="">On Fri, Mar 7, 2014 at 5:11 PM, Stefan Miklosovic <span dir="ltr">&lt;<a href="mailto:smikloso@redhat.com">smikloso@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br><br>
we are doing HTTPS tests on UPS integration tests where the UPS Java client is used to send some payload to UPS; it seems it is not sufficient to have only a plain HTTP sender when we are sending it to an HTTPS endpoint.<br><br>
When JBoss AS is set up with a keystore and truststore in the https connector for the web subsystem like this:<br><br>
&lt;connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true"&gt;<br>
    &lt;ssl name="aerogear-ssl" key-alias="aerogear"<br>
        password="aerogear"<br>
        certificate-key-file="${jboss.server.config.dir}/aerogear.keystore"<br>
        protocol="ALL"<br>
        verify-client="none"<br>
        certificate-file="${jboss.server.config.dir}/aerogear.keystore"<br>
        ca-certificate-file="${jboss.server.config.dir}/aerogear.truststore"/&gt;<br>
&lt;/connector&gt;<br><br>
and the UPS Java client sends some payload (with HttpUrlConnection, not a secure connection), this exception is thrown from it:<br></blockquote>
<div><br></div>
</div>
<div>I guess we can use, for https, the <span style="font-family:arial,sans-serif;font-size:13px">HttpsUrlConnection - that's what you are basically asking, right? </span>
</div>

<div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px">Mind to create a PR for that? </span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px">Thanks!</span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px">Matthias</span></div>
<div class=""><div><br></div></div>
</div>
</div>
</div></blockquote>
<div> </div><span style="font-family:arial,sans-serif;font-size:13px">The certificate used in UPS integration tests is self signed. The SSL handshake will most probably fail even when using </span><span style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">HttpsUrlConnection, </span>if the custom truststore is not set. I believe that the existing UPS sender version will work when a real, valid certificate is used instead of a self signed one.<br><br></span>
</div>
<div class="gmail_quote"><span style="font-family:arial,sans-serif;font-size:13px">This issue could be fixed if the UPS sender provided functionality to set up and use a custom TrustManager which contains the keystore with the self signed certificate. In my opinion, the question is whether supporting self signed certificates in the UPS sender brings value. <br><br></span></div>
<div class="gmail_quote"><span style="font-family:arial,sans-serif;font-size:13px">Thanks,<br></span></div>
<div class="gmail_quote"><span style="font-family:arial,sans-serif;font-size:13px">Tolis<br></span></div>
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">
<div class="">
<div></div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">

<br>
SEVERE: Send did not succeed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target<br></blockquote>
</div>
</div></div></div></blockquote>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr"><div class="gmail_extra">
<div class="gmail_quote">
<div class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">

<br>
This basically means that the server was not able to mark that connection as trusted.<br><br>
In order to use a custom trustStore and trustStorePassword, they are propagated to the test as system properties<br><br>
System.setProperty("javax.net.ssl.trustStore", "aerogear.truststore");<br>
System.setProperty("javax.net.ssl.trustStorePassword", "aerogear");<br><br>
however any attempt to set them in the test itself like that is not successful since it is "too late". When they are set as -D properties with Maven, it is executed without any problems.<br><br>
This does not work either: <a href="https://github.com/aerogear/aerogear-unifiedpush-java-client#known-issues">https://github.com/aerogear/aerogear-unifiedpush-java-client#known-issues</a>, since we are not using jsse (and cannot) because of this issue <a href="https://issues.jboss.org/browse/JBPAPP6-711">https://issues.jboss.org/browse/JBPAPP6-711</a>, which was repaired in 7.1.2, and that release is not a community release anymore, so we cannot base tests on EAP and we are running them on 7.1.1 (we cannot run them on WF either, since it is not compatible with EAP, but 7.1.1 is).<br><br>
So this is a chicken-and-egg problem. When verify-client is "none", plain http from the UPS Java client is not validated. When we do want client authentication (verify-client=want/true), the UPS sender is not https aware. Additionally, we cannot use "jsse" due to JBPAPP6-711.<br><br>
Ideas?<br><br>
Stefan Miklosovic<br>
Red Hat Brno - JBoss Mobile Platform<br><br>
e-mail: <a href="mailto:smikloso@redhat.com">smikloso@redhat.com</a><br>
irc: smikloso<br>
_______________________________________________<br>
aerogear-dev mailing list<br><a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br><a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br></blockquote></div>
</div>
<span class=""><font color="#888888"><br><br clear="all"><div><br></div>-- <br>Matthias Wessendorf <br><br>blog: <a href="http://matthiaswessendorf.wordpress.com/">http://matthiaswessendorf.wordpress.com/</a><br>
sessions: <a href="http://www.slideshare.net/mwessendorf">http://www.slideshare.net/mwessendorf</a><br>
twitter: <a href="http://twitter.com/mwessendorf">http://twitter.com/mwessendorf</a>
</font></span>
</div></div>
<br>_______________________________________________<br>
aerogear-dev mailing list<br><a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br><a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br></blockquote>
</div>
<br></div>
</div></blockquote></div><br>
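<p>The custom-TrustManager approach Tolis proposes, and the "too late" system-property problem Stefan describes, as an added example that is not part of this thread and not code from the UPS Java client. It builds a per-connection SSLContext whose only trust anchor is a caller-supplied truststore, so it does not depend on javax.net.ssl.trustStore having been set before the JSSE default context was initialised, and it optionally loads a client keystore for the verify-client="want"/"true" case. The file names and password (aerogear.truststore, aerogear) are taken from the connector config quoted above; the endpoint URL, the JSON body and the class and parameter names are assumptions.</p>

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not UPS Java client code: POST a payload to an HTTPS endpoint
 * whose server certificate is self-signed, trusting only a caller-supplied
 * truststore. Trust is scoped to this object's SSLContext, so it works even
 * after the JSSE default context exists (the point at which
 * System.setProperty("javax.net.ssl.trustStore", ...) becomes "too late").
 */
public final class SelfSignedHttpsSender {

    private final SSLContext sslContext;

    /**
     * @param trustStorePath JKS file holding the server's self-signed cert (assumed: aerogear.truststore)
     * @param trustStorePass its password (assumed: aerogear)
     * @param clientKeyStore optional keystore with the client cert, for verify-client="want"/"true"; null otherwise
     * @param clientKeyPass  its password; ignored when clientKeyStore is null
     */
    public SelfSignedHttpsSender(String trustStorePath, char[] trustStorePass,
                                 String clientKeyStore, char[] clientKeyPass) throws Exception {
        // Trust anchors: ONLY the supplied store. Chains are still fully validated
        // (signature, validity period, key usage) by the standard PKIX trust manager;
        // this is deliberately not a trust-everything X509TrustManager.
        KeyStore ts = loadStore(trustStorePath, trustStorePass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        // Client identity, only needed when the server requests client authentication.
        KeyManager[] kms = null;
        if (clientKeyStore != null) {
            KeyStore ks = loadStore(clientKeyStore, clientKeyPass);
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, clientKeyPass);
            kms = kmf.getKeyManagers();
        }

        sslContext = SSLContext.getInstance("TLS");
        sslContext.init(kms, tmf.getTrustManagers(), null);
    }

    private static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    /** POSTs payload and returns the HTTP status; refuses non-https URLs so a downgrade cannot slip through. */
    public int post(String endpoint, byte[] payload, String contentType) throws Exception {
        URL url = new URL(endpoint);
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IllegalArgumentException("refusing non-https endpoint: " + endpoint);
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Per-connection socket factory, not HttpsURLConnection.setDefaultSSLSocketFactory,
        // so other code in the same JVM keeps the normal CA trust.
        conn.setSSLSocketFactory(sslContext.getSocketFactory());
        // The default HostnameVerifier stays in place: the self-signed cert must still name the host.
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", contentType);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(payload);
        }
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        // Store names and password from the quoted connector config; the URL and body are assumed.
        SelfSignedHttpsSender sender = new SelfSignedHttpsSender(
                "aerogear.truststore", "aerogear".toCharArray(), null, null);
        byte[] body = "{\"message\":{\"alert\":\"hello\"}}".getBytes("UTF-8");
        int status = sender.post("https://localhost:8443/ag-push/rest/sender", body, "application/json");
        System.out.println("HTTP " + status);
    }
}
```

<p>To populate the truststore from the keystore the connector uses, export the server certificate and import it: <code>keytool -exportcert -alias aerogear -keystore aerogear.keystore -file aerogear.crt</code>, then <code>keytool -importcert -alias aerogear -file aerogear.crt -keystore aerogear.truststore</code>. The common shortcut of installing an X509TrustManager whose checkServerTrusted does nothing also makes the PKIX error disappear, but it makes any certificate, including an attacker's, acceptable; scoping a real PKIX trust manager to the one self-signed anchor, as above, keeps the handshake meaningful. For verify-client="want" or "true", pass a client keystore as the third and fourth arguments and make sure the server's truststore (aerogear.truststore in the config above) contains that client certificate.</p>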