Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Ignore self-signed ssl cert using Jersey Client [duplicate]

I'm using the Jersey Client library to run tests against a rest service running on jboss. I have https set up fine on the server (running on localhost), using a self signed cert.

However whenever I run my tests with the https url I get the following error:

com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target     at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:131)     at com.sun.jersey.api.client.Client.handle(Client.java:629)     at com.sun.jersey.oauth.client.OAuthClientFilter.handle(OAuthClientFilter.java:137)     at com.sun.jersey.api.client.WebResource.handle(WebResource.java:601)     at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)     at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:459)     at test.helper.Helper.sendSignedRequest(Helper.java:174)     ... And so on 

I know this is because my self signed cert is not in the java keystore. Is there any way I can make the Client not check the validity of the ssl cert and just use it regardless?

This code will only ever be run against test servers so I don't want to go to the hassle of adding new trusted certs each time we set up a new test server.

Here's the code which is making the call:

OAuthParameters params = new OAuthParameters();  // baseline OAuth parameters for access to resource params.signatureMethod(props.getProperty("signature_method")); params.consumerKey(props.getProperty("consumer_key")); params.setToken(props.getProperty("token")); params.setVersion("1.0"); params.nonce();  // OAuth secrets to access resource OAuthSecrets secrets = new OAuthSecrets(); secrets.consumerSecret(props.getProperty("consumer_secret")); secrets.setTokenSecret(props.getProperty("token_secret"));  // Jersey client to make REST calls to token services Client client = Client.create();  // OAuth test server resource WebResource resource = client.resource(props.getProperty("url"));  // if parameters and secrets remain static, filter cab be added to each web resource OAuthClientFilter filter = new OAuthClientFilter(client.getProviders(), params, secrets);  // filter added at the web resource level resource.addFilter(filter); WebResource.Builder wbr = resource.getRequestBuilder().accept(props.getProperty("accept"));  return wbr.get(ClientResponse.class); 

Any help would be greatly appreciated.

like image 640
Chris Salij Avatar asked May 18 '11 16:05

Chris Salij


People also ask

How do I skip SSL verification in curl?

To ignore invalid and self-signed certificate checks on Curl, use the -k or --insecure command-line option. This option allows Curl to perform "insecure" SSL connections and skip SSL certificate checks while you still have SSL encrypted communications.

Why we should not use self-signed certificate?

Compromised self-signed certificates can pose many security challenges, since attackers can spoof the identity of the victim. Unlike CA-issued certificates, self-signed certificates cannot be revoked. The inability to quickly find and revoke private key associated with a self-signed certificate creates serious risk.


1 Answers

After some searching and trawling through some old stackoverflow questions I've found a solution in a previously asked SO question:

  • Question: Java client certificates over HTTPS/SSL
  • Answer Java client certificates over HTTPS/SSL

Here's the code that I ended up using.

// Create a trust manager that does not validate certificate chains TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager(){     public X509Certificate[] getAcceptedIssuers(){return null;}     public void checkClientTrusted(X509Certificate[] certs, String authType){}     public void checkServerTrusted(X509Certificate[] certs, String authType){} }};  // Install the all-trusting trust manager try {     SSLContext sc = SSLContext.getInstance("TLS");     sc.init(null, trustAllCerts, new SecureRandom());     HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); } catch (Exception e) {     ; } 
like image 60
Chris Salij Avatar answered Oct 23 '22 14:10

Chris Salij