2

Is "ssl trust all certificates" enabled by default in case of Java URLConnection which is not the case with Apache HttpClient?

I'm using a self-signed certificate and it is hosted locally (127.0.0.1).

  • 2
    No. By default it uses the system's trust store (which can be configured in various ways). – Thilo Oct 03 '17 at 08:56
  • But, my system's trust store doesn't have the required certificate and still, it's able to make a successful request whereas Apache httpClient is throwing SSLHandshakeException. – Krishna Chaithanya Ganta Oct 03 '17 at 09:02
  • 2
    You could use `-Djavax.net.debug=ssl:handshake` to see what certificates are **really** used. By default the *cacerts* of the JRE is used, the difference could be use of SNI? I'd advise to check first what is really used. – gusto2 Oct 03 '17 at 09:19
  • Your system doesn't need the 'required certificate', unless it is self-signed. It only needs the certificate of one of the signers in the CA chain. – user207421 Oct 03 '17 at 09:40
  • 1
    So show us your code. – user207421 Oct 03 '17 at 09:51

0 Answers
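
A diagnostic along the lines the comments suggest, added here as an example and not code from the question or any commenter: it reports which trust store and process-wide `HttpsURLConnection` defaults the JVM is using, then handshakes with the server while recording the presented chain and still validating it with the default trust manager. The class name `TrustCheck` and port 8443 are assumptions.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class TrustCheck {
    // Default trust manager: init(null) loads javax.net.ssl.trustStore if set, else the JRE's jssecacerts/cacerts.
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "127.0.0.1";          // address from the question
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;  // assumed port
        final X509TrustManager tm = defaultTrustManager();

        System.out.println("javax.net.ssl.trustStore = " + System.getProperty("javax.net.ssl.trustStore"));
        System.out.println("default trust anchors    = " + tm.getAcceptedIssuers().length);
        // Process-wide defaults used by HttpsURLConnection; other code in the JVM can replace them.
        System.out.println("default SSLSocketFactory = " + HttpsURLConnection.getDefaultSSLSocketFactory().getClass().getName());
        System.out.println("default HostnameVerifier = " + HttpsURLConnection.getDefaultHostnameVerifier().getClass().getName());

        // Records the presented chain, then delegates to the default manager, so validation is never weakened.
        final X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { tm.checkClientTrusted(c, a); }
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { seen[0] = c; tm.checkServerTrusted(c, a); }
            public X509Certificate[] getAcceptedIssuers() { return tm.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            System.out.println("handshake OK: chain validates against the default trust store");
        } catch (SSLHandshakeException e) {
            System.out.println("handshake rejected: " + e.getMessage());
        }
        if (seen[0] != null)
            for (X509Certificate c : seen[0])
                System.out.println("  subject=" + c.getSubjectX500Principal() + " issuer=" + c.getIssuerX500Principal()
                        + " selfSigned=" + c.getSubjectX500Principal().equals(c.getIssuerX500Principal()));
    }
}
```

Run it inside the same JVM configuration as the application (same `-D` flags and classpath); a non-default `SSLSocketFactory` or `HostnameVerifier` class in the output means something in the process has replaced the defaults that `URLConnection` relies on.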