0

For development purposes only, I'm trying to force java to accept the SSL certificate from our server. In c# I am able to do this:

    public class MyPolicy : ICertificatePolicy
    {
        public bool CheckValidationResult(
          ServicePoint srvPoint
        , X509Certificate certificate
        , WebRequest request
        , int certificateProblem)
        {

        //Return True to force the certificate to be accepted.
        return true;

        } // end CheckValidationResult
    } // class MyPolicy

And instantiate it prior to connecting to the server as such:

System.Net.ServicePointManager.CertificatePolicy = new MyPolicy();

Is there a similar solution in Java?

Dave
  • 1,645
  • 2
  • 23
  • 39

2 Answers2

2

For development purposes only, I'm trying to force

'For development purposes only' you are very ill-advised to attempt any such thing. Your development is worthless until it works correctly, i.e. properly, i.e. in this case handles the certificates correctly. Building bandaids is just a waste of time, and building bandaids on top of security issues is a major security risk that you shouldn't even be contemplating. I have a nasty suspicion that many of these 'bandaids' find their way by commission or omission into production, and that many of the world's SSL- and HTTPS-based systems are radically insecure as a result. Don't join them. Understand why you are having the problem and fix the problem.

user207421
  • 305,947
  • 44
  • 307
  • 483
  • You bring up a good point, but I'm afraid I'm not in the position to make these decisions. – Dave Jun 28 '12 at 15:35
  • @Dave I think you are. I think you should raise it with your management or customer as (a) a security risk and (b) a diversion from the goal and therefore an avoidable cost. – user207421 Jun 28 '12 at 21:31
1

The right way is to import this certificate in your trust store. (I know... it's only development code, but we all know that we sometimes forget to remove bits of unnecessary code sometimes under pressure, once it works.)

The less ideal way is to build a trust manager that doesn't verify anything.

If you do it the right way, you might not have to deal with the SSLContext manually (to create your SSLSocketFactory and configure your client with it): the default location or the system properties might be sufficient.

If you want a custom trust manager, you will have to create your own SSLContext (it can make sense to initialise an SSLContext from a specific trust store if you do it the right way too, absolutely nothing wrong with that.)

You can find more details about this in this answer (except that you won't need what's Restlet-specific).

How you pass that SSLContext (or resulting SSLSocketFactory) to your application depends on the framework you're using.

Community
  • 1
  • 1
Bruno
  • 119,590
  • 31
  • 270
  • 376