I am writing a Java proxy which communicates to other servers using SSL. It all works well using ServerSocketFactory along with a keystore and truststore which is populated with the server cert.

I wonder, is there a way in Java 7 to disable the certificate check and trust all servers? (And yes, I know this is risky, but the proxy is for internal use only.)

I have seen some examples of implementing TrustManager using X509TrustManager implementation, although apparently Java 7 does not support these contracts and X509TrustManager itself has been deprecated.

I would appreciate your advice and any code sample for Java 7 that works.

Uri Lukach
  • If you don't want it secure why use SSL at all? – user207421 Dec 19 '13 at 11:50
  • `X509TrustManager` deprecated? Where did you see that? Sure, there's a new `X509ExtendedTrustManager`, but I'm not aware of the older interface being deprecated. These empty trust managers still work with Java 7 (although it's rarely a good idea to use them...) – Bruno Dec 19 '13 at 14:17
  • You are right, it seems that there are two implementations of X509TrustManager, one under javax.net.ssl and the other (older) under com.sun.net.ssl which is deprecated – Uri Lukach Dec 19 '13 at 14:36
  • EJP, when you write a proxy you monitor traffic which can be from numerous vendors which chose HTTPS; your question assumes we monitor all our servers, which is not the case – Uri Lukach Dec 19 '13 at 15:10
  • You're not really meant to use any of the `com.sun.*` classes directly. They're not part of the Java public API. If they're used, they're used internally by various providers specific to the JRE you're using. – Bruno Dec 19 '13 at 17:02

2 Answers

MITM proxy servers (i.e. servers capable of looking into SSL/TLS traffic) normally use their own CA to generate fake certificates for the requested site.

Install this CA certificate in your client's trust store instead of tweaking the code. This is a much cleaner solution, and in the long run, it's easier to deploy.

(For a more direct answer to your question, the countless examples of trust managers that do nothing still work fine in Java 7.)

Bruno
What I did was implement a java.security.Provider using the code mentioned in this post:

https://code.google.com/p/misc-utils/wiki/JavaHttpsUrl

Note: it is the second solution offered.

This post does not mention that you should also add a keystore in order to make things work. So, these VM arguments should be set as well (otherwise you will get an error message of "no cipher suites in common"):

    -Djavax.net.ssl.keyStore=KEYSTORE LOCATION
    -Djavax.net.ssl.keyStorePassword=YOUR PASS

I hope this will help you, since in all the places I looked this part was not mentioned.

Uri Lukach
  • You seem to have a really awkward setup. Firstly, using a custom `X509TrustManager` (that never throws an exception) in your own `SSLContext` still works fine with Java 7. Secondly, `javax.net.ssl.keyStore` has absolutely nothing to do with trust settings. From what you describe, this would only be useful on the server side (to configure the server certificate). – Bruno Dec 22 '13 at 13:47
  • This proxy serves a LAN environment inside the org while monitoring many servers' traffic. It is not used outside in the public domain; besides that, my purpose was not needing to add a new cert to the truststore each time a new server needs to be monitored. Setting a keystore is a one-time operation I must do, otherwise "cipher" exceptions are thrown. – Uri Lukach Dec 23 '13 at 12:11
  • I'm not sure you have looked at the difference between a keystore used as a keystore and one used as a truststore. "*no cipher suites in common*" typically happens when no *keystore* was set up, on the server side (this has nothing to do with the trust store or the trust managers). – Bruno Dec 23 '13 at 12:30
  • Hi Bruno, I warmly recommend you read this post; it explains the difference between keystore and truststore: http://stackoverflow.com/questions/318441/truststore-and-keystore-definitions Please read it fully, it's a great post... – Uri Lukach Dec 23 '13 at 13:16
  • Uri, I know [quite well](http://stackoverflow.com/a/6341566/372643) the difference between a keystore and a truststore. I'm saying you don't seem to know yourself. My point was that you should only need that keystore setting on your own proxy server, not on your clients. – Bruno Dec 23 '13 at 17:15
  • Hi Bruno, I am well aware of the difference, thanks for caring and for assisting in this post. – Uri Lukach Dec 24 '13 at 08:28
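The two answers above describe the two halves of a Java 7 proxy's TLS setup: Bruno's point that the clean fix is to put the proxy CA (or the upstream servers' CAs) into a truststore rather than a do-nothing trust manager, and Uri's point that the server side additionally needs a keystore with private key material or the handshake fails with "no cipher suites in common". The following is an added example, written for this page and not code from either poster or from the linked misc-utils page; it builds both `SSLContext`s explicitly from `TrustManagerFactory` / `KeyManagerFactory` instead of relying on the `-Djavax.net.ssl.*` system properties, so the truststore and keystore roles stay visibly separate. The file paths and passwords are placeholders (assumptions), and it also turns on the hostname check that Java 7 added for raw `SSLSocket`s via `SSLParameters.setEndpointIdentificationAlgorithm`, which a trust-all manager silently drops along with chain validation.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example: explicit keystore (server identity) vs. truststore (who the
 * client believes) for a Java 7 TLS proxy. Paths and passwords are placeholders.
 */
public final class ProxySslContexts {

    /** Loads a JKS/PKCS12 keystore file; the same call serves for both roles. */
    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Client-side context (proxy -> upstream server). Only CAs present in the
     * truststore are accepted, so adding an upstream CA once covers every
     * server it has issued certificates for; no trust-all manager required.
     */
    static SSLContext clientContext(String trustStorePath, char[] trustStorePassword)
            throws Exception {
        KeyStore trustStore = loadKeyStore(trustStorePath, trustStorePassword);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // null key managers: client presents no cert
        return ctx;
    }

    /**
     * Server-side context (browser/client -> proxy). This is where the keystore
     * matters: without a private key and certificate chain the JSSE server has
     * no identity to offer, and clients see "no cipher suites in common".
     */
    static SSLContext serverContext(String keyStorePath, char[] keyStorePassword,
                                    char[] keyPassword) throws Exception {
        KeyStore keyStore = loadKeyStore(keyStorePath, keyStorePassword);
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // null trust managers: JRE default truststore
        return ctx;
    }

    /** Opens an upstream connection and enables Java 7's hostname verification. */
    static SSLSocket connectUpstream(SSLContext ctx, String host, int port) throws Exception {
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // match cert name against 'host'
        socket.setSSLParameters(params);
        socket.startHandshake(); // throws SSLHandshakeException if chain or name is rejected
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder locations and passwords (assumed, not from the page).
        SSLContext client = clientContext("/etc/proxy/truststore.jks", "changeit".toCharArray());
        SSLContext server = serverContext("/etc/proxy/keystore.jks",
                "changeit".toCharArray(), "changeit".toCharArray());

        SSLServerSocket listener =
                (SSLServerSocket) server.getServerSocketFactory().createServerSocket(8443);
        System.out.println("proxy listening on " + listener.getLocalPort());

        try (SSLSocket upstream = connectUpstream(client, "internal-app.example", 443)) {
            System.out.println("upstream negotiated " + upstream.getSession().getProtocol());
        }
    }
}
```

To check that the truststore, not a trust-all manager, is doing the work, point `connectUpstream` at a server whose CA is absent from `truststore.jks`: `startHandshake()` should fail with an `SSLHandshakeException` naming the PKIX path. The `serverContext` keystore is the one Uri's VM arguments configure; it belongs on the proxy only, and the clients that connect to the proxy need the proxy's CA in their own truststore, as Bruno's answer describes.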