How to get around web service over https giving back a SSLHandshaking error?

Question

I am attempting to hit a remote server via a get/post web service call over SSL. I am using apaches HttpClient in the following manner:

HttpClient client = new HttpClient();
client.getHostConfiguration().setProxy("my_host", 443);
Credentials defaultcreds = new UsernamePasswordCredentials("dev", "password");
client.getState().setCredentials(new AuthScope("my_host", 443, AuthScope.ANY_REALM),  defaultcreds);

// Create a method instance.
GetMethod method = new GetMethod(url);

// Provide custom retry handler is necessary
method.getParams().setParameter(HttpMethodParams.RETRY_HANDLER,
    new DefaultHttpMethodRetryHandler(3, false));

try {
    // Execute the method.
    int statusCode = client.executeMethod(method);

if (statusCode != HttpStatus.SC_OK) {
    System.err.println("Method failed: " + method.getStatusLine());
}

    // Read the response body.
    byte[] responseBody = method.getResponseBody();

// Deal with the response.
// Use caution: ensure correct character encoding and is not binary data
System.out.println(new String(responseBody));

} catch (HttpException e) {
    System.err.println("Fatal protocol violation: " + e.getMessage());
e.printStackTrace();
} catch (IOException e) {
    System.err.println("Fatal transport error: " + e.getMessage());
e.printStackTrace();
} finally {
    // Release the connection.
    method.releaseConnection();
}

It seems to work in POSTER, but I know that the certificates are located in the browser, and that is handling all authentication and certificate handling. I need to write the code to get this response to be used elsewhere. Any ideas? And is this going to be a problem when the code is pushed onto the server? (Will it need a different certificate).

EDIT: Here is the added error.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Answer 1

The proper way to solve this is to add the hosts CA to your JVMs truststore (<jre directory>/lib/security/cacerts). You can get the CA certificate by browsing to the hosts URL in a browser, viewing the certificate for the site (normally done by clicking the lock icon next to the URL in the browser), and exporting the CA to a file. Once you have the .crt file, you can import it to cacerts using the keytool command line tool:

keytool -keystore cacerts -importcert -alias someName -file yourCertFilename

When prompted for a password, the default is changeit

If you'd prefer not to add the CA to the default truststore, you can create your own truststore file use SSLSocketFactory to pass it to the HttpClient when you create it.

keytool -keystore myTrustStore.jks -importcert -alias someName -file yourCertFilename

Enter a password of your choice when prompted.

KeyStore trustStore = KeyStore.getInstance("JKS");
trustStore.load(new FileInputStream("myTrustStore.jks"), trustStorePassword);
SSLSocketFactory sf = new SSLSocketFactory(trustStore);
Scheme httpsScheme = new Scheme("https", 443, sf);
SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(httpsScheme);
ClientConnectionManager cm = new SingleClientConnManager(schemeRegistry);
HttpClient httpClient = new DefaultHttpClient(cm);

(The code above is off the top of my head and hasn't been tested, but it should give you the idea.)

Alternatively, if you want HTTPClient to just bypass certificate validation altogether (I don't recommend it), you can create a TrustManager that will trust any certificate like this.