8

I need to crawl internal company site that has expired/self-signed certificate. Noone is ever going to configure valid certificate for that host, so I have to use insecure connection.

curl has --insecure flag for that purpose,

Scala finagle library has .tlsWithoutValidation() mode.

QUESTION: Is there a Kotlin library that has similar option?

UPD: so far I am using Fuel with the javish workaround found here but still searching for better ways..

fun useInsecureSSL() {

    // Create a trust manager that does not validate certificate chains
    val trustAllCerts = arrayOf<TrustManager>(object : X509TrustManager {
        override fun getAcceptedIssuers(): Array<X509Certificate>? = null
        override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String) = Unit
        override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String) = Unit
    })

    val sc = SSLContext.getInstance("SSL")
    sc.init(null, trustAllCerts, java.security.SecureRandom())
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.socketFactory)

    // Create all-trusting host name verifier
    val allHostsValid = HostnameVerifier { _, _ -> true }

    // Install the all-trusting host verifier
    HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid)
}

The above workaround works however it is too verbose and seems to set insecure mode for every connection made by my app, not only for the particular one.

ludenus
  • 1,161
  • 17
  • 30
  • Most HTTP client libraries should have a way to do this. For example, Apache HttpClient: https://stackoverflow.com/questions/39922714/ignore-self-signed-certificates-in-apache-httpclient-4-5. – Oliver Charlesworth Nov 23 '17 at 16:52
  • 2
    That is true. But all those java libraries require huge amount of boilerplate code instead of one single option, in order to disable ssl certificate validation. That is why the question is specifically about Kotlin library. – ludenus Nov 23 '17 at 17:03

1 Answers1

6

Fuel allows you to create your own instance of the Fuel client through the FuelManager class. The manager lets you can set your own HostnameVerifier and SSLSocketFactory and then creates a client with those configured. See https://github.com/kittinunf/Fuel/blob/1.16.0/fuel/src/main/kotlin/com/github/kittinunf/fuel/core/FuelManager.kt#L31-L43

val manager : FuelManager = FuelManager().apply {
  val trustAllCerts = arrayOf<TrustManager>(object : X509TrustManager {
    override fun getAcceptedIssuers(): Array<X509Certificate>? = null
    override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String) = Unit
    override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String) = Unit
  })

  socketFactory = SSLContext.getInstance("SSL").apply {
    init(null, trustAllCerts, java.security.SecureRandom())
  }.socketFactory

  hostnameVerifier = HostnameVerifier { _, _ -> true }
}

Then to check that only connections that goes through this custom FuelManager is untrusted and connections that don't are trusted, we do this:

val (_, untrustedResp, untrustedResult) = manager.request(Method.GET, "https://internal/company/site").response()
assert(untrustedResp.statusCode == 200)
val (bytes, _) = untrustedResult
assert(bytes != null)


val (_, trustedResp, trustedResult) = "https://internal/company/site".httpGet().response()
assert(trustedResp.statusCode != 200)
val (bytes, error) = trustedResult
assert(bytes == null)
println(error) // javax.net.ssl.SSLHandshakeException: PKIX path building failed: ...

The custom FuelManager was able to make the request successfully because it trusts all certs but for the connection that didn't use the custom manager, we can see that it returns with javax.net.ssl.SSLHandshakeException.

Jason Yeo
  • 3,602
  • 3
  • 30
  • 38