92

I received this error while trying to start up an application:

Sun.security.validator.ValidatorException: PKIX path validation failed: 
java.security.cert.CertPathValidatorException:  java.net.UnknownHostException:oscp.thawte.com

The application is behind a closed network and won't ever be able to get to oscp.thawte.com. Is there a Java setting that can disable this?

Tim

7 Answers

77

-Dcom.sun.net.ssl.checkRevocation=false

Nakilon
MK.
  • 6
    Where should I execute this? – nyanev Jan 20 '14 at 09:06
  • 2
    It is a command-line parameter for the JVM. You can also set it programmatically http://stackoverflow.com/questions/5189914/setting-system-property – MK. Jan 21 '14 at 03:37
  • Using OpenJDK 6 this isn't working for me. (It's probably Sun-specific.) – lapo May 20 '15 at 17:11
  • 1
    Well, it is referenced in OpenJDK code http://hg.openjdk.java.net/jdk7/jdk7/jdk/file/37a05a11f281/src/share/classes/sun/security/ssl/X509TrustManagerImpl.java Try to check which TrustManager you are using. – MK. Sep 17 '15 at 13:59
  • Hi! I tried to set this in my `MAVEN_OPTS` environment variable on Windows 7, so that my `mvn` could connect to a private repo w/o SSLHandshake ex. It did not work for me though. Any ideas? – Chesser May 09 '17 at 04:41
  • I think Maven is special, see this question http://stackoverflow.com/questions/21252800/how-to-tell-maven-to-disregard-ssl-errors-and-trusting-all-certs – MK. May 10 '17 at 13:13
  • 29
    Doesn't work with Java 8 for me. I used System.setProperty("com.sun.net.ssl.checkRevocation", "false") in my code. The property does get set but has no effect. – Kumar Vaibhav Mar 23 '18 at 21:19
  • Does this work? https://web.archive.org/web/20180104182116/https://log.rowanto.com/java-8-turning-off-ssl-certificate-check/ – MK. Mar 23 '18 at 22:22
  • 1
    I'm using openjdk version "1.8.0_292" OpenJDK Runtime Environment (build 1.8.0_292-b10); this option doesn't seem to work – HoaPhan Jun 08 '21 at 01:00
23

Not exactly a setting but you can override the default TrustManager and HostnameVerifier to accept anything. Not a safe approach but in your situation, it can be acceptable.

sideshowbarker
RealHowTo
17

In addition to the answers above, you can do it programmatically by implementing the TrustManager:

    import java.security.GeneralSecurityException;
    import java.security.SecureRandom;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSession;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;

    // Trust manager that accepts every certificate chain without checking it
    TrustManager[] trustAllCerts = new TrustManager[] {
        new X509TrustManager() {
            @Override
            public X509Certificate[] getAcceptedIssuers() {
                // The interface contract requires a non-null array
                return new X509Certificate[0];
            }

            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}

            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        }
    };

    try {
        SSLContext sc = SSLContext.getInstance("SSL");
        sc.init(null, trustAllCerts, new SecureRandom());
        // Applies to every HttpsURLConnection created in this JVM
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    } catch (GeneralSecurityException e) {
        // NoSuchAlgorithmException or KeyManagementException
        e.printStackTrace();
    }

    // Create all-trusting host name verifier
    HostnameVerifier validHosts = new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    };
    // All hosts will be valid
    HttpsURLConnection.setDefaultHostnameVerifier(validHosts);

However, this is not a good practice for production.

This example on How to disable SSL certificate validation in Java contains a utility class you can copy into your project.

Mehdi
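For the closed-network case in the question, revocation lookups can be switched off on their own while chain and hostname validation stay on, in contrast to the trust-all manager above. This is an added example, not code from any answer on this page; the class name `NoRevocationTls`, the use of the JRE's `lib/security/cacerts` with the default `changeit` password, and the URL passed as `args[0]` are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class NoRevocationTls {

    // Load a trust store such as the JRE's lib/security/cacerts.
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Full PKIX chain validation against trustStore, with OCSP/CRL lookups turned off.
    static SSLContext build(KeyStore trustStore) throws Exception {
        PKIXBuilderParameters pkix =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkix.setRevocationEnabled(false); // no network fetch of OCSP responses or CRLs

        // The "PKIX" factory accepts CertPathTrustManagerParameters
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: HTTPS URL to fetch (assumed: an internal endpoint supplied by the caller)
        String cacerts = System.getProperty("java.home") + "/lib/security/cacerts";
        SSLContext ctx = build(loadTrustStore(cacerts, "changeit".toCharArray()));

        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // scoped to this connection only
        // The default HostnameVerifier is left in place, so the name check still runs.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

A server certificate that does not chain to an entry in the trust store still fails the handshake with this context; only the revocation step is skipped.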
10

Use the CLI utility keytool from the Java software distribution to import (and trust!) the needed certificates.

Sample:

  1. From the CLI, change directory to jre\bin

  2. Check the keystore (file found in the jre\bin directory)
    keytool -list -keystore ..\lib\security\cacerts
    Enter keystore password: changeit

  3. Download and save the whole certificate chain from the needed server.

  4. Add the certificates (first you need to remove the "read-only" attribute on the file "..\lib\security\cacerts")
    keytool -alias REPLACE_TO_ANY_UNIQ_NAME -import -keystore ..\lib\security\cacerts -file "r:\root.crt"

I accidentally found this simple tip. Other solutions require the use of InstallCert.Java and the JDK.

source: http://www.java-samples.com/showtutorial.php?tutorialid=210

3

On my Mac, where I'm sure I'm not going to allow Java anyplace other than a specific site, I was able to use Preferences->Java to bring up the Java control panel and turned the checking off. If DLink ever fixes their certificate, I'll turn it back on.

Java control panel - Advanced

Stephen Rauch
2

In an Axis web service, if you have to disable certificate checking, use the code below:

AxisProperties.setProperty("axis.socketSecureFactory","org.apache.axis.components.net.SunFakeTrustSocketFactory");

Willi Mentzel
Shirishkumar Bari
-6

It is very simple. In my opinion it is the best way for everyone.

       // Imports assume Unirest 3.x (package kong.unirest) and Gson
       import com.google.gson.Gson;
       import kong.unirest.HttpResponse;
       import kong.unirest.Unirest;

       // Turns off TLS certificate verification for all Unirest requests
       Unirest.config().verifySsl(false);
       HttpResponse<String> response = null;
       try {
           Gson gson = new Gson();
           response = Unirest.post("your_api_url")
                   .header("Authorization", "Basic " + "authkey")
                   .header("Content-Type", "application/json")
                   .body("request_body")
                   .asString();
           System.out.println("------RESPONSE -------"+ gson.toJson(response.getBody()));
       } catch (Exception e) {
           System.out.println("------RESPONSE ERROR--");
           e.printStackTrace();
       }
Eldor
  • Are you sure this will help? I'm not sure if the poster is trying to make a ws call himself. – Stan Apr 19 '20 at 09:21