I am currently testing the waters of SSL, and am new to the SSL stuff. As a part of my research, I came across two different implementations of SSL in the Java space.
First, let me state my requirement, which is very simple: I just need a process to post data to a URL using HTTPS.
Among the two solutions, the first one is a pure Java implementation (using only the core Java classes) and the other one uses the Apache HttpClient to do its HTTP.
Initially, as a part of my testing, I would get the infamous "unable to find valid certification path to requested target" exception, and this I figured happens when the certificate (received from the server) is not part of the Java key store. Once I add the certificate to the Java key store, the application works fine in both cases. However, in my use of HttpClient, I noticed the use of SSLSocketFactory.
When I tested HttpClient with the following code,
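
    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStreamReader;
    import org.apache.commons.httpclient.HttpClient;
    import org.apache.commons.httpclient.HttpException;
    import org.apache.commons.httpclient.methods.PostMethod;

    // target holds the https URL being posted to (defined elsewhere)
    HttpClient httpClient = new HttpClient();
    PostMethod postMethod = new PostMethod(target);
    postMethod.setQueryString("someQueryString");
    String response = "";
    try {
        // The TLS handshake and certificate validation happen inside executeMethod
        httpClient.executeMethod(postMethod);
        System.out.println("Response code: " + postMethod.getStatusLine());
        BufferedReader in = new BufferedReader(new InputStreamReader(postMethod.getResponseBodyAsStream()));
        String temp;
        while ((temp = in.readLine()) != null) {
            response += temp + "\n";
        }
        in.close();
        System.out.println("Server response:\n'" + response + "'");
    } catch (HttpException e) {
        e.printStackTrace();
    } catch (IOException e) {
        e.printStackTrace();
    } finally {
        // Always hand the connection back to the connection manager
        postMethod.releaseConnection();
    }
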
it worked fine, so I am not sure what the use of SSLSocketFactory implementations is. I initially thought this is useful when we want to automate the addition of the certificate to the key store. Am I right in that analysis?
If my analysis is true, which implementation is better?
- Is it better to just manually install the certificate? What are the cons of this approach? And will the certificate expire? If it does, would I have to install a new certificate again?
- Or should I automate the whole key store addition functionality using SSLSocketFactory?
Your inputs would be greatly appreciated. Thank you.
You should do neither. There are existing solutions to this.
From the docs: