7

I've been testing a system that accesses a group of https servers with different keys, some of which are invalid and all of them are not in the local key store for my JVM. I am really only testing things out, so I don't care about the security at this stage. Is there a good way to make POST calls to the server and tell Java not to worry about the security certificates?

My Google searches for this have brought up some code examples that make a class to do the validation, that always works, but I cannot get it to connect to any of the servers.

justinhj
  • Thanks BalusC that works perfectly. I tried 3 or 4 that compiled and ran fine but did not work. Could you make this an answer? – justinhj May 02 '10 at 03:50
  • Done. But in the future please mention right in the question which examples exactly you tried along with links :) – BalusC May 02 '10 at 04:31

2 Answers

7

As per the comments:

With Googled examples, you mean among others this one?


Update: the link broke, so here's an extract of relevance which I saved from the internet archive:

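```java
import java.net.MalformedURLException;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[]{
    new X509TrustManager() {
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            // The interface contract requires a non-null (possibly empty) array
            return new java.security.cert.X509Certificate[0];
        }
        public void checkClientTrusted(
            java.security.cert.X509Certificate[] certs, String authType) {
            // Accepts every client certificate
        }
        public void checkServerTrusted(
            java.security.cert.X509Certificate[] certs, String authType) {
            // Accepts every server certificate
        }
    }
};

// Install the all-trusting trust manager.
// setDefaultSSLSocketFactory affects every HttpsURLConnection in this JVM.
try {
    SSLContext sc = SSLContext.getInstance("SSL");
    sc.init(null, trustAllCerts, new java.security.SecureRandom());
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
} catch (Exception e) {
    // Report the failure instead of silently keeping the default factory
    e.printStackTrace();
}

// Now you can access an https URL without having the certificate in the truststore
try {
    URL url = new URL("https://hostname/index.html");
} catch (MalformedURLException e) {
    e.printStackTrace();
}
```
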
BalusC
  • @Bevor: Right. I updated the answer. [Wayback machine](http://archive.org/web/) was [helpful](http://web.archive.org/web/20121022013056/http://exampledepot.com/egs/javax.net.ssl/TrustAll.html). – BalusC Nov 03 '13 at 17:56
  • BTW, there is a way to alter default SSL factory via command line without modifying the app: https://stackoverflow.com/questions/2762080/how-to-ignore-expired-certificates-from-outside-a-java-application/55334566#55334566 – Vadzim Mar 25 '19 at 12:38
0

You need to create an X509TrustManager which bypasses all the security checks. You can find an example in my answer to this question:

How to ignore SSL certificate errors in Apache HttpClient 4.0

ZZ Coder
  • And you then need to throw it away. There's no point in writing security code and then testing it in an insecure way. Fix the *problem*. If you don't want security, don't use SSL. I tremble to think how many times this thing has gone into production. – user207421 May 03 '10 at 00:28
  • @Daniel then your production system is insecure. You need to read the remarks about this in RFC2246. This is a very serious matter. – user207421 May 16 '11 at 02:19
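
A narrower alternative to the trust-all manager discussed in both answers, as an added example that is not from either answer: a trust manager that accepts only server certificates whose SHA-256 fingerprint was pinned in advance, installed on one connection instead of as the JVM-wide default. The names `PinnedTestClient` and `PinningTrustManager` and the command-line arguments are hypothetical, and the pins are assumed to be obtained out of band from whoever runs the test servers.

```java
import java.math.BigInteger;
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;

public class PinnedTestClient {  // hypothetical name, not from the page
    // Trusts a server only if its leaf certificate's SHA-256 fingerprint is pinned.
    static final class PinningTrustManager implements X509TrustManager {
        private final Set<String> pins;  // lowercase hex, no colons
        PinningTrustManager(Set<String> pins) { this.pins = pins; }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            throw new CertificateException("client certificates are not accepted");
        }
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            if (chain == null || chain.length == 0)
                throw new CertificateException("empty certificate chain");
            String fp = fingerprint(chain[0]);
            if (!pins.contains(fp)) throw new CertificateException("unpinned certificate: " + fp);
        }
    }

    // SHA-256 over the DER encoding, as 64 lowercase hex digits.
    static String fingerprint(X509Certificate cert) throws CertificateException {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            return String.format("%064x", new BigInteger(1, d));
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    // Assumed usage: java PinnedTestClient <https-url> <sha256-hex-pin>...
    public static void main(String[] args) throws Exception {
        Set<String> pins = new HashSet<>(Arrays.asList(args).subList(1, args.length));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinningTrustManager(pins) }, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());  // this connection only
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.getOutputStream().close();  // empty POST body
        System.out.println(conn.getResponseCode());
    }
}
```

Hostname verification by `HttpsURLConnection` is left at its default, so a test certificate issued for a different name is still rejected.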