
I'm using the ClientRequest library to perform a 'GET' request; however, I'm running into a certificate error:

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397) [jsse.jar:1.7.0_40]
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
    at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
    at org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor.execute(ApacheHttpClient4Executor.java:182) [resteasy-jaxrs-2.3.6.Final-redhat-1.jar:2.3.6.Final-redhat-1]

Since this is just a test environment, I want to be able to ignore or accept all certificates over https. (I know this defeats the purpose of SSL.) Any pointers in the right direction are much appreciated!

    ClientRequest request = new ClientRequest(someURL.toString());
    ClientResponse<SomeClass> response = null;
    response = request.get(SomeClass.class);
    response.getEntity();
user459811
    Sample here: http://stackoverflow.com/questions/2703161/how-to-ignore-ssl-certificate-errors-in-apache-httpclient-4-0 – Alexandre Santos May 21 '14 at 21:23
  • @AlexandreSantos, why suggest *ignoring* a certificate error? Certificates are there for a reason. – Bruno May 21 '14 at 22:06
  • READ THE POST: Since this is just a test environment, I want to be able to ignore or accept all certificates over https. – Alexandre Santos May 21 '14 at 22:13
  • @AlexandreSantos, fair enough, but even in a test environment, it's better to test with actual certificates. At least, insecure code doesn't make it in production by mistake (it's quite easy to forget to remove code that hides errors that would otherwise be important to flag in production). – Bruno May 22 '14 at 01:31
  • This worked for me: http://stackoverflow.com/questions/19517538/ignoring-ssl-certificate-in-apache-httpclient-4-3 – user459811 May 31 '14 at 00:39

1 Answer


Since you're using Apache HTTP Client, with a certificate that's not trusted by default, this exception has the same cause as "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed" in most other uses of SSLSocket (see this answer for details): essentially, it's an indication that your certificate isn't trusted.

Instead of ignoring the error (by adding specific code to bypass any certificate validation, code you may forget about when you get closer to the release deadline), import your custom certificate in your truststore. For example, create a local copy of the cacerts file bundled with your JRE, use keytool to import your custom certificate, and point the javax.net.ssl.trustStore system property (and related properties) to that file when you start your JVM.

Bruno
    Exactly. Don't fall for this trap of "it's only for testing". What you're supposed to be testing is the real system, not some kludge. And if you don't build security breaches into your application, you can't deploy them, even if you forget. – user207421 May 22 '14 at 02:02
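The approach the answer recommends, worked through for the RESTEasy 2.x / Apache HttpClient 4.x stack in the question, as an added example that is not part of the original post or answer. The trust store is prepared once with keytool: copy the JRE's bundled `cacerts` (default password `changeit`) to a private file, e.g. `cp "$JAVA_HOME/jre/lib/security/cacerts" test-truststore.jks`, then `keytool -importcert -keystore test-truststore.jks -storepass changeit -alias test-ca -file test-ca.pem -noprompt`, where `test-ca.pem` is the test server's certificate (or the CA that issued it). With the unmodified code from the question you can then simply start the JVM with `-Djavax.net.ssl.trustStore=test-truststore.jks -Djavax.net.ssl.trustStorePassword=changeit`. The code below does the same thing per client instead of per JVM, so only this one RESTEasy client trusts the extra CA; the file name, password, alias and URL are assumptions for illustration. Host name verification stays enabled, which is the difference between "trust my test CA" and "trust anything":

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.jboss.resteasy.client.ClientExecutor;
import org.jboss.resteasy.client.ClientRequest;
import org.jboss.resteasy.client.ClientResponse;
import org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor;

/**
 * Added example (not from the original post): a RESTEasy ClientRequest whose
 * HTTPS connections trust only the CAs in an explicit trust store file,
 * instead of a TrustManager that accepts every certificate.
 */
public class TrustedClientRequestExample {

    /**
     * Build an SSLContext whose trust decisions come from the given JKS file.
     * The file is assumed to be a copy of the JRE cacerts with the test CA
     * imported via keytool (see the lead-in); nothing else is trusted.
     */
    static SSLContext sslContextFor(String trustStorePath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        // PKIX trust manager backed by our trust store; this is the same
        // validation the JRE does by default, just with a different CA set.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client certs, default SecureRandom
        return ctx;
    }

    /**
     * Wire the SSLContext into an Apache HttpClient 4 instance and wrap it in
     * the RESTEasy executor that the question's stack trace shows in use.
     */
    static ClientExecutor executorFor(SSLContext ctx) {
        // Keep strict host name checking: the certificate must match the URL's host.
        SSLSocketFactory socketFactory =
                new SSLSocketFactory(ctx, SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
        DefaultHttpClient httpClient = new DefaultHttpClient();
        httpClient.getConnectionManager().getSchemeRegistry()
                  .register(new Scheme("https", 443, socketFactory));
        return new ApacheHttpClient4Executor(httpClient);
    }

    public static void main(String[] args) throws Exception {
        // Assumed values: trust store prepared with keytool as described above,
        // and a test endpoint whose certificate chains to the imported CA.
        SSLContext ctx = sslContextFor("test-truststore.jks", "changeit".toCharArray());
        ClientRequest request =
                new ClientRequest("https://test.example.internal/api/resource", executorFor(ctx));

        // Same call shape as the question; a certificate that is not issued by a
        // trusted CA still fails here, which is the behaviour you want to keep.
        ClientResponse<String> response = request.get(String.class);
        System.out.println("HTTP " + response.getStatus());
        System.out.println(response.getEntity());
    }
}
```

Because the trust store is a plain file that only this client reads, the test CA never ends up in the JRE's global `cacerts`, and there is no "accept everything" code path that could be forgotten and shipped to production; if the test certificate expires or the host name stops matching, the request fails with the same `SSLPeerUnverifiedException` / `PKIX path building failed` errors it would raise in production, which is exactly what you want a test environment to surface.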