
What role does the SSLSocketFactory class in Java play when using HttpsURLConnection? The Java docs are not of much help.

Are there any ways to bind the keystore and the truststore with the SSLSocketFactory object, to make it point to the keystore and the truststore?

Otherwise how will the connection know the location of the keystore and the truststore (I don't want to use Java System Properties)?

wahwahwah
Ashwin

1 Answer

It is done through SSLContext. You init one and then use its socket factory to create HttpsConnection instances.

Here is a rough example of how I manage this in my application:

// myKeyManagerFactory: a KeyManagerFactory already initialised from your keystore;
// myTrustManagerArray: the TrustManager[] deciding which server certificates to accept
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(myKeyManagerFactory.getKeyManagers(), myTrustManagerArray, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

After that your openConnection() calls for HTTPS sites will use the SSLSocketFactory you initialized here.

Here is code for a TrustManager to use in your SSL context which will trust all certificates:

import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

TrustManager[] myTrustManagerArray = new TrustManager[]{new TrustEveryoneManager()};

// Accepts every certificate chain without examining it: no chain validation, no expiry check.
class TrustEveryoneManager implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] chain, String authType) {}
    public void checkServerTrusted(X509Certificate[] chain, String authType) {}
    public X509Certificate[] getAcceptedIssuers() {
        // Return an empty array rather than null; some callers iterate over this value and would NPE on null.
        return new X509Certificate[0];
    }
}

Upd from Bruno: beware, trusting any certificate, however convenient it is, makes the connection vulnerable to MITM attacks.

yggdraa
  • Your code works if setDefaultSSLSocketFactory() is replaced with setSSLSocketFactory(). setDefaultSSLSocketFactory() throws the following exception: "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" – Ashwin Mar 29 '12 at 09:28
  • It works with DefaultSSLSocketFactory for me, but good to know for future 8) – yggdraa Mar 29 '12 at 09:38
  • 1
    I think it can not build a proper certificate chain for certificate it checks. Most probably you should import the root certificate of the site you are connecting to into your keystore. – yggdraa Mar 29 '12 at 09:55
  • Or may be try to make trustManager that trusts all certificates. I added the code for this in my answer above. – yggdraa Mar 29 '12 at 10:05
  • 6
    You should point out that trusting any certificate, however convenient it is, makes the connection vulnerable to MITM attacks. – Bruno Mar 29 '12 at 10:13
  • Certainly, it is useful for testing purposes only. – yggdraa Mar 29 '12 at 10:27
    (I was just pointing this out, otherwise people tend to copy/paste without thinking about what it does. I prefer using my own test CA for testing, it's more realistic and less likely to leave insecure code in the production code.) – Bruno Mar 29 '12 at 11:03
  • I have posted a similar question for non-HTTPS connections. https://stackoverflow.com/questions/60571012/sslsocketfactory-in-java-ldap-network-connection – Kenny Cason Mar 06 '20 at 20:17
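An added example, not part of the answer or its comments, showing the keystore/truststore binding the question asks about: both stores are loaded from files (placeholder paths and passwords), a TrustManagerFactory over the truststore takes the place of the trust-all manager, and the factory is bound to a single connection with setSSLSocketFactory() as the first comment suggests, rather than JVM-wide with setDefaultSSLSocketFactory().

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class BoundStoresHttpsClient {
    // Load a JKS/PKCS12 store from disk. Path and password are placeholders supplied by the caller.
    static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Build a socket factory bound to an explicit keystore (client identity) and truststore
    // (accepted CAs) without touching the javax.net.ssl.* system properties.
    // Assumes the key entry password equals the keystore password.
    static SSLSocketFactory buildSocketFactory(String keystorePath, char[] keystorePassword,
                                               String truststorePath, char[] truststorePassword)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadStore(keystorePath, keystorePassword), keystorePassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore(truststorePath, truststorePassword));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory factory = buildSocketFactory(
                "client.p12", "changeit".toCharArray(),      // placeholder keystore
                "truststore.p12", "changeit".toCharArray()); // placeholder truststore

        // Bind the factory to this one connection only, so other HTTPS code in the JVM
        // keeps the default trust settings.
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://example.com/").openConnection();
        conn.setSSLSocketFactory(factory);
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

If the server's issuing CA is not in truststore.p12 the handshake fails with the same "PKIX path building failed" error quoted in the comments, which is the desired outcome rather than something to suppress with a trust-all manager.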