6

I'm trying to create some sample Java projects that connect to a self-signed HTTPS server. I can't seem to get Java to stop trying to validate the certificate. I don't want to have to trust this certificate, I just want to ignore all certificate validation altogether; this server is inside my network and I want to be able to run some test apps without worrying about whether the certificate is valid.

```
java -Dcom.sun.net.ssl.checkRevocation=false HelloWorld
org.apache.axis2.AxisFault: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:  sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
```

The -Dcom.sun.net.ssl.checkRevocation=false didn't help. I also tried adding the following code:

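```java
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public static void DisableCertificateValidation() {
  // Trust manager that accepts every certificate chain without checking it.
  TrustManager[] trustAllCerts = new TrustManager[]{
    new X509TrustManager() {
      // The interface contract requires a non-null (possibly empty) array.
      public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
      public void checkClientTrusted(X509Certificate[] certs, String authType) { }
      public void checkServerTrusted(X509Certificate[] certs, String authType) { }
    }
  };
  try {
    SSLContext sc = SSLContext.getInstance("SSL");
    sc.init(null, trustAllCerts, new java.security.SecureRandom());
    // Sets the default socket factory used by HttpsURLConnection.
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
  } catch (Exception e) {
    // Report setup failures instead of silently swallowing them.
    e.printStackTrace();
  }
}
```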

But still have the same issue. What's going on here?

Jay Sullivan

2 Answers

10

org.apache.axis2.AxisFault indicates that you're using Axis 2, and Axis 2 doesn't use HttpsURLConnection to make its HTTP(S) connections, but Apache HttpClient (3.x as far as I know), so HttpsURLConnection.setDefaultSSLSocketFactory(...) will have no effect there.

You can have a look at this answer about setting up an SSLContext for Axis 2, more specifically, this document: http://axis.apache.org/axis2/java/core/docs/http-transport.html#httpsupport

(Alternatively, you may be able to get away with setting the default SSLContext with SSLContext.setDefault(...), introduced in Java 6. Disabling certificate verification for your default SSL context is obviously not a good idea in a real application.)

Bruno
  • Ahh, so Axis2 doesn't use HttpsUrlConnection, that explains a lot! Erm...I'm still not sure how to set up SSLContext here, sort of overwhelming amount of documentation, which I have trouble with because somehow I feel like it should be a simple switch somewhere. – Jay Sullivan Jul 13 '11 at 16:46
  • Indeed, adding `SSLContext.setDefault(sc)` with the value of `SSLContext.getInstance("TLS")` (or `SSLContext.getInstance("SSL")`?) appears to work here. – sehe May 05 '14 at 16:28
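
An added example (not code from the question or from either answer): instead of a trust-all manager, build an `SSLContext` whose only trust anchor is the test server's self-signed certificate, and install it with the `SSLContext.setDefault(...)` call the answer above mentions. The class name `PinnedTrust`, the alias `test-server` and the file name `test-server.pem` are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PinnedTrust {
    /** Builds an SSLContext whose only trust anchor is the given certificate (PEM or DER bytes). */
    static SSLContext contextTrustingOnly(byte[] certBytes) throws Exception {
        Certificate cert;
        try (InputStream in = new ByteArrayInputStream(certBytes)) {
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // In-memory keystore holding just this one certificate; the JVM-wide cacerts file is untouched.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("test-server", cert); // alias is an assumption

        // Standard PKIX trust managers backed by that single-entry keystore.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed input: the server certificate exported once to a file, e.g. test-server.pem.
        String path = args.length > 0 ? args[0] : "test-server.pem";
        SSLContext ctx = contextTrustingOnly(Files.readAllBytes(Paths.get(path)));
        // Process-wide default (Java 6+); call this before creating the Axis2 service client.
        SSLContext.setDefault(ctx);
        System.out.println("Default SSLContext now trusts only: " + path);
    }
}
```

Certificate validation stays on: a handshake with any server presenting a different certificate still fails with the PKIX error shown in the question.
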
4

This is an older question but I stumbled upon it and it kinda pushed me in the right direction. I could access an https url in axis2 without a valid client certificate by setting the params:

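```java
import java.security.GeneralSecurityException;

import org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;

EasySSLProtocolSocketFactory easySSLProtocolSocketFactory;
try {
    // Socket factory that accepts self-signed certificates.
    easySSLProtocolSocketFactory = new EasySSLProtocolSocketFactory();
    // Replace the "https" protocol handler registered with HttpClient.
    Protocol.unregisterProtocol("https");
    Protocol.registerProtocol("https", new Protocol("https",
            (ProtocolSocketFactory) easySSLProtocolSocketFactory, 443));
}
catch (GeneralSecurityException e) {
    e.printStackTrace();
}
```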

Just be sure to do this before calling the axis2 service client. This is nothing I would do in production, but as a fast hack for an unsecured server that did the trick for me.

Martin