Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
    Vlad Skarzhevskyy
    @skarzhevskyy

    In fact I'm not using Apache4SslUtils. I just copy pasted the 5 lines to my code here as example to make it simple :) This brings me to the question why you had separated Apache4SslUtils to is own jar .
    You could have used optional scope dependencies in sslcontext-kickstart

            <dependency>
            <groupId>org.apache.httpcomponents</groupId>
            <artifactId>httpclient</artifactId>
            <optional>true</optional>
        </dependency>

    Is this about DIY zero-dependency ?

    Vlad Skarzhevskyy
    @skarzhevskyy
    As to Kafka
    Hakan Altındağ
    @Hakky54
    Initially I had the apache, netty and jetty libraries in one single maven module. It also contained google’s library guava and apache commons lang. A developer gave feedback and mentioned the topic dependency hell. After that I decided to make the core library as light as possible so others would not need to pull additional libraries which they maybe wouldn’t use and also the prevent overruling their own dependency version if they have the same transitive dependency. An option would be marking the dependency optional, but that would force the end user to add the specific dependency, netty, jetty, or boucy caste etc to their pom explicitly. I didn’t preferred that, I thought the cleanest solution would be seperating functionality which depends on specific libraries into seperate jars. And if they want to use it they would get all the libraries as transitive dependency
    Hakan Altındağ
    @Hakky54
    Thank you for sharing your code snippet, so one way authentication works for kafka right?

    I was very eager to try it out yesterday night, so I ended up coding:

    It looks similar to your solution, but I was not quite sure if it would work without the keystone/truststore in the ssl engine factory. I was thinking that they would not be needed if the engine has the pre initialized key manager and trust manager and if shouldBeRebuilt returns false. But I need to try this with a poc with ssl enabled

    Hakan Altındağ
    @Hakky54
    But I am not quite sure if there is any need to provide such a extension to the kafka library
    mic331
    @mic331
    I just corresponded via mail. I am writing an Android client that needs to communicate via our own backend server via digital client certificate. I am downloading a certificate bundle (in JSON format) from our server which I need to install and use. The certificate bundle includes a RSA private key, a .pem file and a .pub file. I also have a passphrase. I would like to use your library to install the necessary cert details and use those to communicate with our server which will verify I am trusted. I would ideally like to use a OkHttpClient or HttpsURLConnection.
    Hakan Altındağ
    @Hakky54

    Hi @mic331
    Thank you for switching over from mail to Gitter! The ssl configuration is simple, you should have the following dependency in your project: 

    <dependency>
    <groupId>io.github.hakky54</groupId>
    <artifactId>sslcontext-kickstart-for-pem</artifactId>
    <version>7.3.0</version>
</dependency>

    What you need after this is use the private key and certificate chain as identity for the client and use the other pem file as trusted certificates so the client can compare that when t receives the server certificate.

    The example sslconfiguration would look like: 

    var keyManager = PemUtils.loadIdentityMaterial("certificate-chain.pem", "private-key.pem", "my-password".toCharArray());
var trustManager = PemUtils.loadTrustMaterial("some-trusted-certificate.pem");

var sslFactory = SSLFactory.builder()
    .withIdentityMaterial(keyManager)
    .withTrustMaterial(trustManager)
    .build();

var httpClient = new OkHttpClient.Builder()
    .sslSocketFactory(sslFactory.getSslSocketFactory(), sslFactory.getTrustManager().orElseThrow())
    .hostnameVerifier(sslFactory.getHostnameVerifier())
    .build();

    I hope this answers all off your questions, please let me know if you have additional questions

    The file name extensions may be different, so that would not be the issue, just make sure the content is a pem format/base64 format
    mic331
    @mic331
    Thanks. I guess I am a little confused with all of the cert types. I pasted an abbreviated response with the cert details below. How does each one map to your example

    {
    "result": {

    "store00293": "-----BEGIN RSA PRIVATE KEY-----\nMIIEogIBAAKCAQEAzydv5mr730A2S0rjp/zs3EsuZnJuegS+d4+0plTjlS+x5kol\nsE5NaEGYhBUogQtWGysbXXfeyUK91rhQuBoEUW1dVT5ni75F4fRiNUwTr3KVFI+X\nqOuLw7F2hCBG+CfnvmlOe5bAEPlcRm9a3ov2+uOO+p1dzc8c5a+A9L1/ItWDUawf\nhe4c2jCjESls3NmKwOEdWiPWlX7GBiqCT82IWjtfarP9IeslIdxM/A+VeB3AHnEeqqmzY2XNyuMJ4+xi7IC/\nxIejxUOQYToqPz+zmoFhYwBWJPKwROadOl44KXn1a+ky1gpiNAjlhsL0xSU4Wnu5\n0TBXFl/6kbMNCwAl4VghLKAa9yv7SQsNL3SdNXLv=\n-----END RSA PRIVATE KEY-----\n",
"store00293.pem": "Bag Attributes\n    localKeyID: FC 0F 42 B6 45 20 F3 F3 71 0C 10 61 C7 94 6D 00 70 B5 9C 98 \nsubject=/C=US/L=New Jersey/O=IDT/OU=ABC Solutions/CN=store 00293\nissuer=/C=US/L=New Jersey/O=ABC Store/OU=ABC Solutions/CN=POS API\n-----BEGIN CERTIFICATE-----\nMIIDfjCCAmagAwIBAgIIPRx0pM+8kyowDQYJKoZIhvcNAQELBQAwaTELMAkGA1UE\nBhMCVVMxEzARBgNVBAcTCk5ldyBKZXJzZXkxGDAWBgNVBAoTD0lEVCBMTC3N0b3JlIDAwMjkzMIIBIjANBgkqhkiG\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3KBpzdGm3TRrmPbf7Wublvi8bZ3p4gtT+FAe\nI8b2MaYI4y2Wv=\n-----END CERTIFICATE-----\nBag Attributes\n    localKeyID: FC 0F 42 B6 45 20 F3 F3 71 0C 10 61 C7 94 6D 00 70 B5 9C 98 \nKey Attributes: <No Attributes>\n-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQImMLPuq28tAoCAggA\nMBQGCCqGSIb3DQMHBAhGAWJKXxF0HwSCBMg3mUMH2W+AlqoXXyBs5TAvnWday3XF\neN/qX7M/stO4AQgqkB5ZH193NPRfsrvK8fqKRrNlBk0SG3ZKm3Jnb6/XbmkvLGfo\nDxXLU90RaSflG/4/1wE6Hmugfsj8XSs3WZDLa0GUEcCzVWvhoho2T2GSV5/rh0h8\nuXlNzZElBfzsUEFdS5zKDJL0DcJX6g5R6Ke+F52gNCkf9/sj7w8/PCbXlJSDBTnA\n52ponOkwBIbxRIsGHaS4Smn0AZOs93BQfrfGl+o9b7q+qsqlMjtDOpT0mWpxbVvZ\nBl9DX/tp7ESQBaoh2eJf+3z9m78kokCC/RkpdpV9lOZogE4NE3tesiF6WWVbmE1m\nEsM8LnBWVk1CN=\n-----END ENCRYPTED PRIVATE KEY-----\n",
"store00293.pub": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPJ2/mavvfQDZLSuOn/OzcSy5mcm56BL53j7SmVOOVL7HmSiWwTk1oQZiEFSiBC1YbKxtdd97JQr3WuFC4GgRRbV1VPmeLvkXh9GI1TBOvcpUUj5eo64vDsXaEIEb4J+e+aU57lsAQ+VxGb1rei/b64476nV3Nzxzlr4D0vX8i1YNRrB+F7hzaMKMRKWzc2YrA4R1aI9aVfsYGKoJPzYhaO19qs/0h6yUh3Ez8D5V44KQJqkT for ABC Store\n",
"store00293-cert.pub": "ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgevB86dIf2NZYTl8SMeiHawnpcAGAMNWMe208kqWzvT8AAAADAQABAAABAQDPJ2/mavvfQDZLSuuCe4ZZNhlCo44KQJqkTDkoC6Hc6iAhvmEm3Wbc0AMILyT4mXvidbCn2y+o55gZzHmYBY1wCF5AAAAAAAAAAAAAAABAAAAEy90bXAvc3RvcmUwMDI5M19uZXcAAAANAAAACXR1bm5lbGVycwAAAABf+uyPAAAAAHLG8LsAAAAAAAAAggAAABVwZXJtaXQtWDExLWZvcndhcmRpbmcAAAAAAAAAF3Blcm1pdC1hZ2VudC1mb3J3YXJkaW5nAAAAAAAAABZw  for ABC Store\n",

    }
    }

    Hakan Altındağ
    @Hakky54
    So the first file is the private key and it seems like it is not encrypted so you don't need to have a password. The second one looks like a certificate chain belonging to the private key, but i am not sure. Do you know if the second file is the server certificate?
    The other two files are not usable for the library, those are not base64 encoded strings and look more like ssh keys for connecting to a server through the terminal
    mic331
    @mic331
    I emailed you a fuller version of the response
    Hakan Altındağ
    @Hakky54
    I received it, i will have a look at it today, as i don't have my laptop next to me
    I will ping you when I have an update
    mic331
    @mic331
    What I tried was to load the .pem and rsa private key to your loadIdentityMaterial function with the passphrase as password. I ended up getting a SSL routines:OPENSSL_internal:CERTIFICATE_AND_PRIVATE_KEY_MISMATCH error
    Hakan Altındağ
    @Hakky54
    ahh
    so it looks like the the certificate chain you gave does not belong to the private key and therefor you are getting that error
    Normally when you create either client or server certificates you will get a key pair. This is a private key and atleast one certificate but it can have more if it when it is signed. The certificate should belong to the private key, so you cannot add a different certificate to the method loadIdentityMaterial function for a private key
    mic331
    @mic331
    Any idea what 'Wrong version of keystore' means? When I try to load my .pem input stream into the keystore I get that error.
    Hakan Altındağ
    @Hakky54
    Can you share code samples and your stack trace?
    mic331
    @mic331
    java.io.IOException: Wrong version of key store. I sent you the example .pem file previously. I am creating an input stream from the .pem file and passing it to the keystore.load method. Any ideas?
    Hakan Altındağ
    @Hakky54
    It is hard to find out your issue because the pem file you have sent previously is corrupted because you have deleted a part of it. I cannot help you in this way. If you can sent me maybe dummy pem files which are similar or simalery created, than i can reproduced it on my side and give you steps how to resolve it. I am willing to help you but in this way it is just not possible with sending corrupted files to me. I think you should try stackoverflow
    ofaydin
    @ofaydin
    Hello Hakan, I tried to use it in the project but I got an error as below. I am using java 8 as jdk.
    Caused by: java.lang.NoSuchFieldError: id_ecPublicKey
    at org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter.<clinit>(Unknown Source)
    at nl.altindag.ssl.util.PemUtils.<clinit>(PemUtils.java:94)
    at iwb.util.HttpUtil.sendSSL(HttpUtil.java:203)
    at iwb.engine.RESTEngine.REST(RESTEngine.java:390)
    Why can it be caused? 
        <dependency>
        <groupId>io.github.hakky54</groupId>
        <artifactId>sslcontext-kickstart-for-pem</artifactId>
        <version>7.4.1</version>
    </dependency>
    I would really apreciate if you help (yardımcı olabilirsen çok sevinirim ) 
    InputStream keyStream = new ByteArrayInputStream(kesStr.getBytes());

            X509ExtendedKeyManager keyManager = PemUtils.loadIdentityMaterial(keyStream);

            SSLFactory sslFactory = SSLFactory.builder().withIdentityMaterial(keyManager).build();
    Hakan Altındağ
    @Hakky54
    Merhaba, iyi aksamlar @ofaydin
    This issue might be happening when having multiple different versions of Bouncy Castle on your classpath, but I am not sure. Can you share your dependency tree here so I can analyse it? You can get it by running mvn dependency:tree
    which JDK build number of the JDK 8 are you using?
    ofaydin
    @ofaydin
    @Hakky54 Merhaba,Hakan ilgin için çok teşekkürler. I am using jdk 1.8.0_221 
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-jpa</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>

    <dependency>
        <groupId>org.postgresql</groupId>
        <artifactId>postgresql</artifactId>
        <scope>runtime</scope>
    </dependency>
    <dependency>
      <groupId>com.sun.xml.ws</groupId>
      <artifactId>jaxws-ri</artifactId>
      <version>2.3.2</version>
      <type>pom</type>
    </dependency>


    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>

    <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>2.5</version>
    </dependency>
    <dependency>
        <groupId>javax.xml.bind</groupId>
        <artifactId>jaxb-api</artifactId>
        <version>2.3.0</version>
    </dependency>

    <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>16.0.1</version>
    </dependency>

    <!-- https://mvnrepository.com/artifact/com.lowagie/itext -->
    <dependency>
        <groupId>com.lowagie</groupId>
        <artifactId>itext</artifactId>
        <version>2.1.7</version>
    </dependency>
    <!-- https://mvnrepository.com/artifact/commons-lang/commons-lang -->
    <dependency>
        <groupId>commons-lang</groupId>
        <artifactId>commons-lang</artifactId>
        <version>2.6</version>
    </dependency>


    <dependency>
        <groupId>org.apache.poi</groupId>
        <artifactId>poi-ooxml</artifactId>
        <version>3.11</version>
    </dependency>
            <!-- https://mvnrepository.com/artifact/log4j/log4j -->
    <dependency>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
        <version>1.2.17</version>
    </dependency>

    <dependency>
        <groupId>net.sourceforge.jexcelapi</groupId>
        <artifactId>jxl</artifactId>
        <version>2.6.12</version>
        <exclusions>
            <exclusion>
                <artifactId>log4j</artifactId>
                <groupId>log4j</groupId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency>
        <groupId>org.json</groupId>
        <artifactId>json</artifactId>
        <version>20190722</version>
    </dependency>
    <!-- https://mvnrepository.com/artifact/org.apache.commons/commons-csv -->
    <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-csv</artifactId>
        <version>1.7</version>
    </dependency>

    <!-- https://mvnrepository.com/artifact/com.opencsv/opencsv -->
    <dependency>
        <groupId>com.opencsv</groupId>
        <artifactId>opencsv</artifactId>
        <version>5.5.2</version>
    </dependency>


    <dependency>
        <groupId>com.auth0</groupId>
        <artifactId>mvc-auth-commons</artifactId>
        <version>1.0.0</version>
    </dependency>
    <!-- https://mvnrepository.com/artifact/com.rabbitmq/amqp-client -->
    <dependency>
        <groupId>com.rabbitmq</groupId>
        <artifactId>amqp-client</artifactId>
        <version>3.6.6</version>
    </dependency>

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-configuration-processor</artifactId>
        <optional>true</optional>
    </dependency>


    <!-- https://mvnrepository.com/artifact/io.jsonwebtoken/jjwt -->
    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt</artifactId>
        <version>0.9.1</version>
    </dependency>

    <!-- https://mvnrepository.com/artifact/com.sun.mail/javax.mail -->
    <dependency>
        <groupId>com.sun.mail</groupId>
        <artifactId>smtp</artifactId>
        <version>1.6.5</version>
    </dependency>

    <!-- https://mvnrepository.com/artifact/org.eclipse.paho/org.eclipse.paho.client.mqttv3 -->
    <dependency>
        <groupId>org.eclipse.paho</groupId>
        <artifactId>org.eclipse.paho.client.mqttv3</artifactId>
        <version>1.2.1</version>
    </dependency>


    <dependency>
        <groupId>com.graphql-java</groupId>
        <artifactId>graphql-java</artifactId>
        <version>2019-08-01T04-03-44-e9b53f6</version>
    </dependency>
        <dependency>
        <groupId>org.jsoup</groupId>
        <artifactId>jsoup</artifactId>
        <version>1.14.3</version>
    </dependency>

    <!-- https://mvnrepository.com/artifact/c3p0/c3p0 -->
    <dependency>
        <groupId>c3p0</groupId>
        <artifactId>c3p0</artifactId>
        <version>0.9.1.2</version>
    </dependency>


    <dependency>
        <groupId>com.smartbear.soapui</groupId>
        <artifactId>soapui</artifactId>
        <version>5.5.0</version>
    </dependency>
        <dependency>
        <groupId>io.github.hakky54</groupId>
        <artifactId>sslcontext-kickstart-for-pem</artifactId>
        <version>7.4.1</version>
    </dependency>

    <dependency>
        <groupId>eviware</groupId>
        <artifactId>soap-xmlbeans</artifactId>
        <version>1.2</version>
    </dependency>

    <dependency>
        <groupId>javax.jms</groupId>
        <artifactId>jms</artifactId>
        <version>1.1</version>
    </dependency>
    <dependency>
        <groupId>eviware</groupId>
        <artifactId>policy-xmlbeans</artifactId>
        <version>1.5</version>
    </dependency>
    <dependency>
        <groupId>commons-cli</groupId>
        <artifactId>commons-cli</artifactId>
        <version>1.2</version>
    </dependency>
    <dependency>
        <groupId>commons-ssl</groupId>
        <artifactId>not-yet-commons-ssl</artifactId>
        <version>0.3.11</version>
    </dependency>
    <dependency>
        <groupId>commons-configuration</groupId>
        <artifactId>commons-configuration</artifactId>
        <version>1.6</version>
    </dependency>
    <dependency>
        <groupId>org.apache.xmlbeans</groupId>
        <artifactId>xmlbeans</artifactId>
        <version>2.4.0</version>
    </dependency>

    <!-- https://mvnrepository.com/artifact/wsdl4j/wsdl4j -->
    <dependency>
        <groupId>wsdl4j</groupId>
        <artifactId>wsdl4j</artifactId>
        <version>1.6.3</version>
    </dependency>

    <dependency>
        <groupId>org.apache.geronimo.specs</groupId>
        <artifactId>geronimo-javamail_1.4_spec</artifactId>
        <version>1.7</version>
    </dependency>
    <dependency>
        <groupId>org.jdom</groupId>
        <artifactId>jdom</artifactId>
        <version>1.1.3</version>
    </dependency>

    <!-- https://mvnrepository.com/artifact/org.fife.ui/rsyntaxtextarea -->
    <dependency>
        <groupId>org.fife.ui</groupId>
        <artifactId>rsyntaxtextarea</artifactId>
        <version>2.0.4.1</version>
    </dependency>

    <!-- https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient -->
    <dependency>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpclient</artifactId>
        <version>4.3.6</version>
    </dependency>

    <dependency>
        <groupId>xerces</groupId>
        <artifactId>xercesImpl</artifactId>
        <version>2.8.0</version>
        <exclusions>
            <exclusion>
                <artifactId>xml-apis</artifactId>
                <groupId>xml-apis</groupId>
            </exclusion>
        </exclusions>
    </dependency>

    <dependency>
        <groupId>junit</groupId>
        <artifactId>junit</artifactId>
        <version>4.13.2</version>
    </dependency>
    <dependency>
        <groupId>org.jdom</groupId>
        <artifactId>jdom</artifactId>
        <version>1.1.3</version>
    </dependency>
    <dependency>
        <groupId>jaxen</groupId>
        <artifactId>jaxen</artifactId>
        <version>1.1.4</version>
    </dependency>
     <dependency>
        <groupId>com.sun.xsom</groupId>
        <artifactId>xsom</artifactId>
        <version>20110809</version>
    </dependency>    
    <!-- End of SoapUI -->

    <!-- sftp lib -->
    <dependency>
      <groupId>com.hierynomus</groupId>
      <artifactId>sshj</artifactId>
      <version>0.32.0</version>
    </dependency>
    <!-- https://mvnrepository.com/artifact/org.apache.httpcomponents.client5/httpclient5 -->
    <dependency>
        <groupId>org.apache.httpcomponents.client5</groupId>
        <artifactId>httpclient5</artifactId>
        <version>5.0</version>
    </dependency>

    <!-- https://mvnrepository.com/artifact/io.xlate/staedi -->
    <dependency>
        <groupId>io.xlate</groupId>
        <artifactId>staedi</artifactId>
        <version>1.19.0</version>
    </dependency>
        <dependency>
        <groupId>javax.json</groupId>
        <artifactId>javax.json-api</artifactId>
        <version>1.1.4</version>
    </dependency>
    ofaydin
    @ofaydin
    @Hakky54 It's been too long to write like that. I couldn't find the file attachment. There is quite a library because it is a big project.
    Hakan Altındağ
    @Hakky54
    Thank you for sharing your dependencies which you have defined in your pom, however to help you I need the output of the maven dependency tree. Can you run: mvn dependency:tree on your terminal and share the output?
    The output could be very big, you can post it here vor example: https://gist.github.com/ or upload it to gdrive/wetransfer etc and share the link :)
    ofaydin
    @ofaydin
    I misunderstood when you said dependency tree, I thought you wanted pom/xml. When I saw the outputs of the maven defencey tree, I understood what I needed to do and edited the dependencies. I edited the conflicting bouncycastle and it worked. I am sharing the first and last version of dependency:tree, friends. it's first https://gist.github.com/ofaydin/db6b91e1d4b1502693a56cb82e2535f6 and last https://gist.github.com/ofaydin/fe43a154471b72a48e3b37d938f510fe
    @Hakky54 Thank you very much for your help. cidden ilgilendiğin için teşekkürler
    Hakan Altındağ
    @Hakky54
    Great! PemUtils relies on BouncyCastle and the issue you had could be caused by having different versions of BouncyCastle on your classpath. That was why I wanted to see your dependency tree. For example you depend on not-yet-commons-ssl which relies on an older version of BouncyCastle.
    Feel free to come over for any other questions :)
    Alex Devaux
    @alexcjcd

    Hi @Hakky54! First of all, love the library. It's really solved a lot of my SSL woes.

    I have a downstream service that recently moved behind HTTPS, but hasn't quite nailed down their certificate situation (mis-configured SANs or some such). In the meantime I'm trying to trust the IP directly, but the validator I've configured never seems to get triggered as no messages are logged.I'm sure I've just misunderstood how HTTPS works - should I not be expecting HTTPS requests to go through the checkTrustedServer trust manager methods during the SSL handshake?

    Here's what I'm doing to configure our SSL connections:

    private SSLFactory getSslFactory(KeyStore keystore) throws KeyStoreException {
    SSLFactory.Builder sslBuilder = SSLFactory.builder()
            .withDefaultTrustMaterial()
            .withTrustEnhancer((ChainAndAuthTypeWithSocketValidator) (chainCerts, authType, socket) -> {
                logger.info("socket remote address = {}", socket.getRemoteSocketAddress());
                return socket.getRemoteSocketAddress().toString().contains("1.1.1.1"); // <-- trying to trust IP explicitly
            });
    keystore.aliases().asIterator().forEachRemaining(alias -> {
      Certificate cert = keystore.getCertificate(alias); // <-- loading their cert, still get PKIX errors referencing no matching SAN for IP
      sslBuilder.withTrustMaterial(cert);
      logger.info("Loaded certificate '{}'", alias);
    });
    return sslBuilder.build();
}
    Hakan Altındağ
    @Hakky54
    Hi @alexcjcd thank you for your kind words. Can you also try to add the other trust enhancers with your custom implementation? There are two overloaded methods. And i have the feeling that the SSL engine is calling the other method of the trust manager
    Alex Devaux
    @alexcjcd
    You were right, it's the ChainAndAuthTypeWithSSLEngineValidator getting called instead. I'm sure I can rework things to use that one instead. Is that the intended behavior? I had intuited that any/all would be checked before handing off to the default behavior
    Alex Devaux
    @alexcjcd
    Or that's my misunderstanding - would HTTPS only ever hit the SSLEngine validator?
    Hakan Altındağ
    @Hakky54
    Great to hear the alternative is working. Which method being called is outside of the control of the library. I could have manipulate it, but I decided not to do it because the SSLSocket and SSLEngine would be than ignored when the end user wanted to do custom validation based on that object. The downside of that is that the end user needs to try out the tree options and check which one is actual being called and remove the other two calls from the SSLFactory builder.
    Hakan Altındağ
    @Hakky54

    Or that's my misunderstanding - would HTTPS only ever hit the SSLEngine validator?

    The JDK SSL Engine implementation has an algorithm to decide which method should be called from the Trustmanager. That is a black box for me, but i think it is worth to investigate that part so I will be able to answer your question 😁 So I don't know which of the three methods will be called... But I am pretty sure that 99% of the cases it would be ChainAndAuthTypeWithSSLEngineValidator As the Socket, which is being used by ChainAndAuthTypeWithSocketValidator, is the older and SSLEngine is the newer one.

    Alex Devaux
    @alexcjcd
    Thanks for taking the time to write this out, may end up looking into that black box myself. 🙂
    My problem is solved now that I'm using the right validator. Thanks again!