6

How can I disable certificate validation in Java 8? I am trying to use HTTPS to connect to another server but I keep getting this error:

```
Exception while providing content: [Thread[RMI TCP Connection(8)-192.168.56.1,5,RMI Runtime], 1549283885696] de.innovas.iaf.base_common.exceptions.NonRecoverableException: CT_0001_0[javax.xml.ws.soap.SOAPFaultException: Marshalling Error: com.sun.istack.SAXException2: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
[Thread[RMI TCP Connection(8)-192.168.56.1,5,RMI Runtime], 1549283885696] de.innovas.iaf.base_common.exceptions.NonRecoverableException: CT_0001_0[javax.xml.ws.soap.SOAPFaultException: Marshalling Error: com.sun.istack.SAXException2: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:161)
at com.sun.proxy.$Proxy511.generatePdf(Unknown Source)
```

I tried to fix it by using `-Dcom.sun.net.ssl.checkRevocation=false` which I found here. I also tried adding my own certificate to the pool using Java Keytool. Both ideas didn't change anything. The problem might be that I generated my own certificate with OpenSSL. That can't be signed by anyone, which may result in the error.

It would be nice if I could simply disable SSL checks for testing purposes only. In a production scenario I will have a signed certificate.

Abdul Hoque Nuri
Tobias

1 Answer

7

It is not advised to disable certificate validation unless it is only for testing purposes. How are you invoking the service in the first place?

If you are using Apache HttpClient:

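```java
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.HttpClientBuilder;

// Trust manager that accepts every certificate chain (testing only).
SSLContext context = SSLContext.getInstance("TLSv1.2");
TrustManager[] trustManager = new TrustManager[] {
    new X509TrustManager() {
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
        public void checkClientTrusted(X509Certificate[] certificate, String str) {}
        public void checkServerTrusted(X509Certificate[] certificate, String str) {}
    }
};
context.init(null, trustManager, new SecureRandom());

// Also skips the host name check for connections made through this client.
SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(context,
        SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);

HttpClient client = HttpClientBuilder.create().setSSLSocketFactory(socketFactory).build();
```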

If you are using HttpsURLConnection:

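```java
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Trust manager that accepts every certificate chain (testing only).
SSLContext context = SSLContext.getInstance("TLSv1.2");
TrustManager[] trustManager = new TrustManager[] {
    new X509TrustManager() {
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
        public void checkClientTrusted(X509Certificate[] certificate, String str) {}
        public void checkServerTrusted(X509Certificate[] certificate, String str) {}
    }
};
context.init(null, trustManager, new SecureRandom());

// Becomes the default for every HttpsURLConnection opened in this JVM afterwards.
HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
```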
animaonline
Prasann
  • Thanks for your response. Actually the problem is that I do not really know how I am invoking the service. I know that it's a SOAP web service but I don't know anything else. Actually I would prefer not changing any code. If that's not possible, where do I have to change the parts that you mentioned above? – Tobias Feb 04 '19 at 14:02
  • 4
    Setting the JVM property `-Dcom.sun.net.ssl.checkRevocation=false` should work, but I can't get that working either for some reason and because of that I had to modify code as I have explained in my answer. Have you verified if this parameter is part of all the JVM parameters when the server has started? – Prasann Feb 04 '19 at 14:31
  • [This older example](https://nakov.com/blog/2009/07/16/disable-certificate-validation-in-java-ssl-connections/) advises to also install an all-trusting `HostnameVerifier` on the `HttpsURLConnection`. What's up with that? – Philzen Feb 10 '22 at 03:08
  • `ALLOW_ALL_HOSTNAME_VERIFIER` is deprecated. You must use `NoopHostnameVerifier.INSTANCE` – trilogy Apr 25 '22 at 16:48