
There is a webservice protected by a certificate. In the client code which calls it, the certificate's CA has to be present in the truststore (JRE_path\lib\security\cacerts) - if not, you get the PKIX exception on the client side.

What happens if the certificate has expired? The client code fails.

However, this can be bypassed by adding the certificate directly into the truststore - Trusting an expired certificate

i.e. if the certificate itself, and not the CA, is present in the truststore, then everything works even if the certificate has expired.

In my scenario, the webservice certificate is a self-signed one, so I anyway had to add it to the truststore, and the client continues to work fine even when the cert has expired.

Now my question is: will this work in all scenarios? My program is just a command line program running off a local JRE.

In case there is an application calling the webservice and the application is running on Websphere, JBoss, WebLogic, Tomcat, Glassfish etc. and the self-signed cert is added to the truststore of that environment, can I still assume that it will continue to work (not give expired errors)?

I assume it would work - because those application servers would also use a JRE just like any program - or am I missing something?

    If you don't want it secure, don't use HTTPS. If you do want it secure, don't try to cherry-pick your own security features. – user207421 Jul 02 '15 at 10:25
  • Like @EJP said: it is usually not a good idea to weaken security. But often we as programmers also have to prevent applications from failing silently. So you should either make sure that, if the program fails, the reason will become clear to any administrator looking into the issue, or you could try to catch the exceptions that occur from expired certificates, or force from inside your code which certificates are accepted: http://stackoverflow.com/questions/6659360/how-to-solve-javax-net-ssl-sslhandshakeexception-error – Marged Jul 03 '15 at 08:06
  • If you have the openssl command in your environment (or install it), you can use it as a background command-line application with a [date check](http://stackoverflow.com/questions/21297853/how-to-determine-ssl-cert-expiration-date-from-a-pem-encoded-certificate#answer-21297927) and read the result – Ali Helmy Jul 12 '15 at 00:23
  • @AliHelmy How will that help? – user93353 Jul 12 '15 at 04:13

2 Answers


You can bypass all certificates with the code below

import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// LOGGER is the enclosing class's logger (not shown in the post).
try {
    // A trust manager that accepts every certificate: no chain building, no CA check,
    // no expiry check. This turns off TLS server authentication for the whole JVM.
    TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0]; // empty array rather than null to avoid NPEs in callers
        }

        public void checkClientTrusted(X509Certificate[] certs, String authType) {
        }

        public void checkServerTrusted(X509Certificate[] certs, String authType) {
        }
    } };
    SSLContext sc = SSLContext.getInstance("SSL");
    sc.init(null, trustAllCerts, new SecureRandom());

    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    // A hostname verifier that accepts any host, so name mismatches pass as well.
    HostnameVerifier allHostsValid = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    };
    SSLContext.setDefault(sc);
    HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
    LOGGER.debug("All Certificates Have Been Trusted Successfully.");
} catch (KeyManagementException ex) {
    LOGGER.error("Error:", ex);
} catch (NoSuchAlgorithmException ex) {
    LOGGER.error("Error:", ex);
}
  • I know this. However, that's not what I am looking for. – user93353 Jul 10 '15 at 17:56
  • Can you clarify more what you want – Ali Helmy Jul 10 '15 at 17:59
  • I want to know if expiry of self-signed certificates is always ignored if the self-signed cert is present in the trust store – user93353 Jul 10 '15 at 19:05
  • This does not 'bypass all certificates'. It merely *trusts* all certificates. The OP needs to remove the expiration checks which occur before this code would be called. And it is insecure. @user93353 No, the expiration and validity are always checked. – user207421 Jul 12 '15 at 00:03
  • @EJP - I do not need any code which removes expiration checks. I just need to know if expiry checks are ignored if self signed cert is present in trust store. I checked with a command line program and java trust store and it is ignored. I want to know if it's also ignored with Websphere, Weblogic and other popular app servers – user93353 Jul 12 '15 at 04:16
  • Can you read [this article](http://www.javacodegeeks.com/2011/12/ignoring-self-signed-certificates-in.html) carefully – Ali Helmy Jul 12 '15 at 05:42
  • @AliHelmy - I have read it - but I am not sure how it solves my problem. I am not looking for code. I am looking for an answer to the following question - if I add a self signed certificate to the trust store, will the certificate still be trusted after it's expired - or will it throw an exception. I am not looking for how to ignore the check. I am looking for an answer(if there is one) as to whether the expiry check will be done in weblogic, websphere and other popular app servers. I am not looking to bypass the check. I know the check is not done for the default java trust store. – user93353 Jul 12 '15 at 08:45

To answer your question: "If I add a self signed certificate to the trust store, will the certificate still be trusted after it's expired - or will it throw an exception?"

It will still be trusted (at least within Java's cacerts trust store). See https://softwareengineering.stackexchange.com/a/308538
