8

I have some Java apps that are complaining about different SSL problems like self-signed certificates or untrusted ones.

As I do not have the code of these apps and getting good certificates is too hard, I am looking for a solution that would allow me to force them to connect.

So far I have tried these, but it seems not to be enough:

-Dcom.sun.net.ssl.checkRevocation=false 
-Djava.security.debug=certpath

I still see:

  • sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  • javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
sorin

3 Answers

7

Code modifications to ignore certificate validation errors by ignoring trust verification altogether (e.g. using a trust manager that does nothing) are normally not the right way to go. They may be popular with some developers, because they don't have to go through any steps about dealing with certificates, but they're just ignoring the problem instead of fixing it, thereby also introducing vulnerabilities to MITM attacks. (Because the problem is then silenced, it tends never to be fixed in production releases.)

The various ways to configure trust management are described in the JSSE Reference Guide.

In short, you can either import the certificates explicitly into the JRE truststore (usually the cacerts file in the JRE directory) or import them into your own trust store (possibly based on a copy of the default trust store), and specify its path using the javax.net.ssl.trustStore (and related) system properties (see the JSSE Ref Guide).

These configuration settings will affect all the SSLSockets and SSLEngines that use the default settings (without any specific SSLContext in the code).

Some applications use their own SSLContext to load a specific keystore or truststore for certain connections. This is usually configured with parameters that are independent of the JSSE default options, in which case you'll have to check the application documentation or code.

Bruno
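The truststore route described in this answer, worked through as an added example (this is not code from the answer or from the JSSE guide). It assumes the server's certificate has been saved as server.pem, that the store is written next to it as app-truststore.p12, and that the target app is launched from a command line you control; the hostname internal.example and the password are placeholders.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/*
 * Builds a dedicated truststore holding only the server's certificate, i.e. the
 * programmatic equivalent of
 *
 *   keytool -importcert -file server.pem -alias app-server \
 *           -keystore app-truststore.p12 -storetype PKCS12 -storepass changeit -noprompt
 *
 * and then uses it either from code (SSLContext) or, for an app whose code you
 * cannot change, from the JVM command line:
 *
 *   java -Djavax.net.ssl.trustStore=/path/app-truststore.p12 \
 *        -Djavax.net.ssl.trustStoreType=PKCS12 \
 *        -Djavax.net.ssl.trustStorePassword=changeit \
 *        -jar app.jar
 *
 * File names, hostname and password below are assumptions for the example.
 */
public class TrustSpecificCert {

    /** Import one PEM/DER encoded certificate into a new PKCS12 truststore file. */
    public static KeyStore buildTrustStore(String certPath, String storePath, char[] storePass)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(certPath)) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        // Refuse to trust an expired or not-yet-valid certificate even if the operator asked for it.
        cert.checkValidity();

        KeyStore ts = KeyStore.getInstance("PKCS12");
        ts.load(null, null);                       // start from an empty store, not the JRE cacerts
        ts.setCertificateEntry("app-server", cert);
        try (FileOutputStream out = new FileOutputStream(storePath)) {
            ts.store(out, storePass);
        }
        return ts;
    }

    /** Build an SSLContext that trusts exactly the anchors in the given store. */
    public static SSLContext contextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);                      // PKIX path validation still runs; only the anchors change
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "changeit".toCharArray();    // assumed password
        KeyStore ts = buildTrustStore("server.pem", "app-truststore.p12", pass);
        SSLContext ctx = contextFor(ts);

        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://internal.example/health").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Hostname verification is left at the default, so a certificate issued for
        // another name is still rejected even though it sits in the truststore.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

For an app whose code you cannot touch, only buildTrustStore matters: run it once (or the keytool command in the comment) and pass the resulting file with the javax.net.ssl.trustStore properties shown. Because that store contains a single certificate, the app will stop trusting the public CAs in cacerts; if it also talks to public hosts, copy cacerts first and import into the copy, as the answer suggests. As the answer also notes, these properties are ignored by code that builds its own SSLContext.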
6

http://code.google.com/p/misc-utils/wiki/JavaHttpsUrl provides several invasive solutions.

SSLSocketFactory can be overridden with a system property.

But a custom HostnameVerifier can be endorsed only with a special Java agent via an additional startup parameter or on the fly.

Furthermore, an AspectJ weaving agent can be used to override any method behavior.

Also consider an alternative approach with a MITM HTTPS proxy (if the application allows reconfiguring URLs and certificates).

Vadzim
-2

Yes, it is possible.

Using JVM args:

-Dcom.sun.net.ssl.checkRevocation=false

Or programmatically:

You can override the default TrustManager and HostnameVerifier. This link gives a reusable code example.

Mehdi
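What the "override the default TrustManager and HostnameVerifier" snippets typically do, placed beside an override that still verifies something, as an added example (not code from this answer or from the linked page). The first form is the one the accepted answer warns against: it accepts any chain from any host. The second trusts only a leaf certificate with a known SHA-256 fingerprint, which works for a self-signed certificate without switching validation off. The pin value, class names and hostname are assumptions; the real fingerprint comes from keytool -printcert -file server.pem (its SHA256 line) or openssl x509 -in server.pem -noout -fingerprint -sha256.

```java
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TrustManagerOverride {

    /** The "ignore everything" pattern: checkServerTrusted never throws, so any MITM certificate passes. */
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    /** Its usual companion, which also disables the hostname check. Do not install this. */
    static final HostnameVerifier ALLOW_ANY_HOST = (hostname, session) -> true;

    /** Override that still validates: the server's leaf certificate must match a pinned SHA-256 fingerprint. */
    static X509TrustManager pinnedTo(final String expectedSha256Hex) {
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                throw new CertificateException("client certificates are not accepted here");
            }
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                if (chain == null || chain.length == 0) {
                    throw new CertificateException("empty certificate chain");
                }
                X509Certificate leaf = chain[0];
                leaf.checkValidity();                      // still reject expired / not-yet-valid
                String actual = sha256Hex(leaf.getEncoded());
                if (!actual.equalsIgnoreCase(expectedSha256Hex)) {
                    throw new CertificateException(
                            "certificate fingerprint " + actual + " does not match the pin");
                }
            }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
    }

    /** Lower-case hex SHA-256 of the DER encoding, the same value keytool -printcert shows. */
    static String sha256Hex(byte[] der) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
            StringBuilder sb = new StringBuilder(64);
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    /** Install exactly one trust manager into a fresh SSLContext. */
    public static SSLContext contextWith(X509TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed pin for the example; replace with the server's real SHA-256 fingerprint (64 hex chars).
        String pin = "0000000000000000000000000000000000000000000000000000000000000000";
        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://internal.example/").openConnection();
        conn.setSSLSocketFactory(contextWith(pinnedTo(pin)).getSocketFactory());
        // The default HostnameVerifier stays in place; ALLOW_ANY_HOST is shown only as the anti-pattern.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The pinned manager skips chain building entirely, which is why it copes with a self-signed certificate, but it must be updated whenever the server's certificate is rotated, and it only helps when you can change the code that creates the connection; for an app you cannot modify, the truststore route in the accepted answer is the one that applies.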