
I am writing an Android client that must connect to an SSL server. Is there any way to set up the TrustStore so that it trusts any certificate that the SSL server sends over? Or is it really the case that I must somehow get the SSL server certificate and use some cryptic command line command to put this into a trust store file on my client?

Marc

  • You are aware of the security implications this would have? – Henry Aug 13 '13 at 06:16
  • Do you want to really trust all server certificates, no matter which server they come from (which I think is definitely not a good idea), or do you want to trust the server certificates from one specific server that you maybe set up on your own and know you can trust? – u6f6o Aug 13 '13 at 07:38
  • You can't accomplish this with a trust store, by definition, and you don't want to. – user207421 Aug 29 '20 at 11:56

1 Answer


First create the file TrustAllManager.java:

package my.package; // placeholder: replace with your app's package ("package" itself is a reserved word)

import javax.net.ssl.X509TrustManager;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

// A TrustManager that accepts every certificate chain: neither check method
// inspects the chain, so a CertificateException is never thrown.
public class TrustAllManager implements X509TrustManager {
    @Override
    public void checkClientTrusted(
        X509Certificate[] x509Certificates,
        String s) throws CertificateException {
        // Intentionally empty: any client certificate is accepted.
    }

    @Override
    public void checkServerTrusted(
        X509Certificate[] x509Certificates,
        String s) throws CertificateException {
        // Intentionally empty: any server certificate is accepted, whoever signed it.
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        // No issuers are advertised; an empty array is allowed here.
        return new X509Certificate[0];
    }
}

And then use it in your code:

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;

// getInstance() throws NoSuchAlgorithmException and init() throws KeyManagementException;
// both are checked exceptions and must be caught or declared by the enclosing method.
SSLContext sslContext = SSLContext.getInstance("TLS");
// no KeyManagers (no client certificate), the trust-all manager, default SecureRandom
sslContext.init(null, new TrustManager[] { new TrustAllManager() }, null);
// make this context the process-wide default returned by SSLContext.getDefault()
SSLContext.setDefault(sslContext);

You have to be aware of the implications: someone could, for example, edit /etc/resolv.conf or change the settings of your router, and your application would still think it is talking to a trusted server.

In my case I did it to support older Android 4 phones (like the "Samsung Galaxy S3" built in 2012), which did not trust the "DigiCert Global Root G2" CA that issued certificates (in 2019) for my three app backends. Since I also used the nv-websocket-client library in my app, I had to add the following lines as well:

WebSocketFactory wsFactory = new WebSocketFactory();
wsFactory.setSSLContext(sslContext);
wsFactory.setVerifyHostname(false);

And for completeness, I've also seen the following line being used:

HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
Alexander Farber

  • The question was how to do it with a truststore, not with code. – user207421 Aug 29 '20 at 11:56
  • I don't see "not with code" in the question text. – Alexander Farber Aug 29 '20 at 12:19
  • Come off it. 'Is there any way to set up the TrustStore?' There is nothing in your answer that sets up a truststore at all. It *replaces* the truststore, with a radically insecure `TrustManager`. – user207421 Aug 29 '20 at 12:42
  • And yet you've closed the question as a supposed duplicate of [the question where most of the answers use code](https://stackoverflow.com/questions/1219208/is-it-possible-to-get-java-to-ignore-the-trust-store-and-just-accept-whatever). – Alexander Farber Aug 29 '20 at 13:14
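The following is an added example, not code from the question or the answer above. It shows the alternative the comments point at: instead of replacing the trust store with a manager that accepts everything, build a trust store that holds exactly one certificate (your own server's, or the private or missing root CA that issued it) and let the platform's TrustManagerFactory do the real chain validation, with hostname verification left switched on. The class name PinnedTrustStore, the alias "my-server", and the command-line arguments (a PEM or DER certificate file and a URL) are choices made here; on Android the certificate would normally be read from a raw resource instead.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example (not from the answer): an SSLContext whose trust store contains one
// certificate only. Any server presenting a chain that does not end at that certificate
// is rejected, and the default HostnameVerifier still checks the host name.
public final class PinnedTrustStore {

    private PinnedTrustStore() { }

    /** Builds a trust store from a single certificate and wraps it in an SSLContext. */
    public static SSLContext buildPinnedContext(InputStream certStream)
            throws GeneralSecurityException, IOException {
        // CertificateFactory accepts both PEM ("-----BEGIN CERTIFICATE-----") and raw DER.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate trusted = cf.generateCertificate(certStream);

        // Start from an empty in-memory key store and add only our certificate.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("my-server", trusted); // alias chosen for this example

        // The factory turns the key store into a proper X509TrustManager that performs
        // chain building, signature checks and validity-period checks.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Opens an HTTPS connection using the pinned context; hostname verification stays on. */
    public static HttpsURLConnection openPinned(URL url, SSLContext ctx) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Deliberately no setHostnameVerifier(...) override: the certificate must match the host.
        return conn;
    }

    // Stand-alone check on a desktop JVM:
    //   java PinnedTrustStore server.pem https://your-host/path
    // On Android, obtain the stream with getResources().openRawResource(R.raw.server_cert)
    // (assumed resource name) and call buildPinnedContext() once at startup.
    public static void main(String[] args) throws Exception {
        try (InputStream pem = new FileInputStream(args[0])) {
            SSLContext ctx = buildPinnedContext(pem);
            HttpsURLConnection conn = openPinned(new URL(args[1]), ctx);
            System.out.println("HTTP " + conn.getResponseCode());
        }
        // A server presenting any other certificate fails with an SSLHandshakeException.
    }
}
```

For the answer's own Android 4 case, the certificate placed in this trust store would be the "DigiCert Global Root G2" root the old devices were missing; chain validation then succeeds on those phones without trusting every other issuer. With nv-websocket-client the same context is passed via wsFactory.setSSLContext(ctx), and the setVerifyHostname(false) call from the answer is simply left out so the host name is still checked.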