Examples of org.apache.http.conn.ssl.SSLSocketFactory

• org.apache.http.conn.ssl.SSLSocketFactory
  Layered socket factory for TLS/SSL connections.

  SSLSocketFactory can be used to validate the identity of the HTTPS server against a list of trusted certificates and to authenticate to the HTTPS server using a private key.

  SSLSocketFactory will enable server authentication when supplied with a {@link KeyStore trust-store} file containing one or several trusted certificates. The clientsecure socket will reject the connection during the SSL session handshake if the target HTTPS server attempts to authenticate itself with a non-trusted certificate.

  Use JDK keytool utility to import a trusted certificate and generate a trust-store file:

   keytool -import -alias "my server cert" -file server.crt -keystore my.truststore 

  In special cases the standard trust verification process can be bypassed by using a custom {@link TrustStrategy}. This interface is primarily intended for allowing self-signed certificates to be accepted as trusted without having to add them to the trust-store file.

  The following parameters can be used to customize the behavior of this class:

  • {@link org.apache.http.params.CoreConnectionPNames#CONNECTION_TIMEOUT}
  • {@link org.apache.http.params.CoreConnectionPNames#SO_TIMEOUT}
  • {@link org.apache.http.params.CoreConnectionPNames#SO_REUSEADDR}

  SSLSocketFactory will enable client authentication when supplied with a {@link KeyStore key-store} file containing a private key/public certificatepair. The client secure socket will use the private key to authenticate itself to the target HTTPS server during the SSL session handshake if requested to do so by the server. The target HTTPS server will in its turn verify the certificate presented by the client in order to establish client's authenticity

  Use the following sequence of actions to generate a key-store file

  • Use JDK keytool utility to generate a new key

    keytool -genkey -v -alias "my client key" -validity 365 -keystore my.keystore

    For simplicity use the same password for the key as that of the key-store

  • Issue a certificate signing request (CSR)

    keytool -certreq -alias "my client key" -file mycertreq.csr -keystore my.keystore

  • Send the certificate request to the trusted Certificate Authority for signature. One may choose to act as her own CA and sign the certificate request using a PKI tool, such as OpenSSL.

  • Import the trusted CA root certificate

    keytool -import -alias "my trusted ca" -file caroot.crt -keystore my.keystore

  • Import the PKCS#7 file containg the complete certificate chain

    keytool -import -alias "my client key" -file mycert.p7 -keystore my.keystore

  • Verify the content the resultant keystore file

    keytool -list -v -keystore my.keystore

  @since 4.0

      localConnectionManager.setMaxTotal(1);

      // Set up ingest ssl if indicated
      if (ingestKeystoreManager != null)
      {
        SSLSocketFactory myFactory = new SSLSocketFactory(new InterruptibleSocketFactory(ingestKeystoreManager.getSecureSocketFactory(), connectionTimeout),
          new BrowserCompatHostnameVerifier());
        Scheme myHttpsProtocol = new Scheme("https", 443, myFactory);
        localConnectionManager.getSchemeRegistry().register(myHttpsProtocol);
      }
      connectionManager = localConnectionManager;

      int socketTimeout = 900000;
      int connectionTimeout = 300000;

      javax.net.ssl.SSLSocketFactory httpsSocketFactory = KeystoreManagerFactory.getTrustingSecureSocketFactory();
      SSLSocketFactory myFactory = new SSLSocketFactory(new InterruptibleSocketFactory(httpsSocketFactory,connectionTimeout),
        new AllowAllHostnameVerifier());
      Scheme myHttpsProtocol = new Scheme("https", 443, myFactory);

      // Set up connection manager
      PoolingClientConnectionManager localConnectionManager = new PoolingClientConnectionManager();

    int socketTimeout = 900000;
    int connectionTimeout = 60000;

    javax.net.ssl.SSLSocketFactory httpsSocketFactory = KeystoreManagerFactory.getTrustingSecureSocketFactory();
    SSLSocketFactory myFactory = new SSLSocketFactory(new InterruptibleSocketFactory(httpsSocketFactory,connectionTimeout),
      new AllowAllHostnameVerifier());
    Scheme myHttpsProtocol = new Scheme("https", 443, myFactory);

    PoolingClientConnectionManager localConnectionManager = new PoolingClientConnectionManager();
    localConnectionManager.setMaxTotal(1);

      int socketTimeout = 900000;
      int connectionTimeout = 300000;

      javax.net.ssl.SSLSocketFactory httpsSocketFactory = KeystoreManagerFactory.getTrustingSecureSocketFactory();
      SSLSocketFactory myFactory = new SSLSocketFactory(new InterruptibleSocketFactory(httpsSocketFactory,connectionTimeout),
        new AllowAllHostnameVerifier());
      Scheme myHttpsProtocol = new Scheme("https", 443, myFactory);

      // Set up connection manager
      PoolingClientConnectionManager localConnectionManager = new PoolingClientConnectionManager();

    this.authority = authority;
    Scheme sch = null;
    try {
      SSLContext sc = SSLContext.getInstance("SSL");
      sc.init(null, trustAllCerts, new java.security.SecureRandom());
      SSLSocketFactory socketFactory = new SSLSocketFactory(sc, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
      sch = new Scheme("https", 443, socketFactory);
    } catch(Exception e) {
      LOG.logp(Level.WARNING, CLASS, method, "Error creating scheme for HTTPs.  The default fetcher will be used.  " +
          "The default fetcher will not allow untrusted SSL connections.", e);
    }

                @Override
        public void checkServerTrusted(X509Certificate[] cert, String s) throws CertificateException {
                }
            };
            ctx.init(null, new TrustManager[]{tm}, null);
            SSLSocketFactory ssf = new SSLSocketFactory(ctx);

            // When Apache Client AllowAllHostnameVerifier is strict, this should be used
            // Stays here for reference
            X509HostnameVerifier verifier = new X509HostnameVerifier() {
                @Override
        public boolean verify(String s, SSLSession sslSession) {
                    return true;
                }
                @Override
        public void verify(String s, SSLSocket sslSession) throws IOException {
                }
                @Override
        public void verify(String s, String[] ss1, String[] ss2) throws SSLException {
                }
                @Override
        public void verify(String s, X509Certificate cerst) throws SSLException {
                }

            };
            ssf.setHostnameVerifier(verifier);

            ClientConnectionManager ccm = base.getConnectionManager();
            SchemeRegistry sr = ccm.getSchemeRegistry();
            sr.register(new Scheme("https", ssf, 443));
            return new DefaultHttpClient(ccm, base.getParams());

            return null;
        }
    };
    ctx.init(null, new TrustManager[]{tm}, null);

    SSLSocketFactory ssf = new SSLSocketFactory(ctx);
    ssf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    ClientConnectionManager ccm = base.getConnectionManager();
    SchemeRegistry sr = ccm.getSchemeRegistry();
    sr.register(new Scheme("https", ssf, 443));

    DefaultHttpClient client = new DefaultHttpClient(ccm, base.getParams());

        }

        try {
            SchemeRegistry schemeRegistry = httpClient.getConnectionManager().getSchemeRegistry();

            SSLSocketFactory sf = new SSLSocketFactory(
                    SSLContext.getDefault(),
                    SSLSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
            Scheme https = new Scheme("https", 443, sf);

            schemeRegistry.register(https);

      localConnectionManager.setMaxTotal(1);

      // Set up ingest ssl if indicated
      if (ingestKeystoreManager != null)
      {
        SSLSocketFactory myFactory = new SSLSocketFactory(new InterruptibleSocketFactory(ingestKeystoreManager.getSecureSocketFactory(), connectionTimeout),
          new BrowserCompatHostnameVerifier());
        Scheme myHttpsProtocol = new Scheme("https", 443, myFactory);
        localConnectionManager.getSchemeRegistry().register(myHttpsProtocol);
      }
      connectionManager = localConnectionManager;

    // Initialize standard solr-j.
    // First, we need an HttpClient where basic auth is properly set up.
    PoolingClientConnectionManager localConnectionManager = new PoolingClientConnectionManager();
    localConnectionManager.setMaxTotal(1);
    SSLSocketFactory myFactory;
    if (keystoreManager != null)
    {
      myFactory = new SSLSocketFactory(keystoreManager.getSecureSocketFactory(),
        new AllowAllHostnameVerifier());
    }
    else
    {
      // Use the "trust everything" one
      myFactory = new SSLSocketFactory(KeystoreManagerFactory.getTrustingSecureSocketFactory(),
        new AllowAllHostnameVerifier());
    }
    Scheme myHttpsProtocol = new Scheme("https", 443, myFactory);
    localConnectionManager.getSchemeRegistry().register(myHttpsProtocol);
    connectionManager = localConnectionManager;