Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Ignore SSL Certificate Errors with Java

Apache Http Client. You can see the relevant code here:

String url = "https://path/to/url/service";
HttpClient client = new HttpClient();
PostMethod method = new PostMethod(url);

// Test whether to ignore cert errors
if (ignoreCertErrors){
  TrustManager[] trustAllCerts = new TrustManager[]{
    new X509TrustManager(){
      public X509Certificate[] getAcceptedIssuers(){ return null; }
      public void checkClientTrusted(X509Certificate[] certs, String authType) {}
      public void checkServerTrusted(X509Certificate[] certs, String authType) {}
    }
  };

  try {
    SSLContext sslContext = SSLContext.getInstance("SSL");
    sslContext.init(null, trustAllCerts, new SecureRandom());
    HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
  } catch (Exception e){
    e.printStackTrace();
  }
}

try {

  // Execute the method (Post) and set the results to the responseBodyAsString()
  int statusCode = client.executeMethod(method);
  resultsBody = method.getResponseBodyAsString();

} catch (HttpException e){
  e.printStackTrace();
} catch (IOException e){
  e.printStackTrace();
} finally {
  method.releaseConnection();
}

This is the method everyone says to use to ignore SSL Certificate Errors (only setting this up for staging, it won't be used in production). However, I am still getting the following exception/stacktrace:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building unable to find valid certification path to requested target

Any tips would be great. If I am doing the TrustManager wrong, or if I should be executing the HTTP Post method differently, either way.

Thanks!

like image 241
andrewpthorp Avatar asked Aug 21 '12 17:08

andrewpthorp


People also ask

How do I ignore an SSL certificate error?

Ignore SSL Certificate Checks with Curl. To ignore invalid and self-signed certificate checks on Curl, use the -k or --insecure command-line option. This option allows Curl to perform "insecure" SSL connections and skip SSL certificate checks while you still have SSL-encrypted communications.

How do I bypass certificate warnings?

Within Internet Explorer, navigate to Tools / Internet options. Click the Advanced tab. Scroll down to the bottom of the list and uncheck Warn about certificate address mismatch (3rd option from bottom) Reboot your computer.

What happens when you disable certificate validation for JRE?

If the SSL certificate is not validates as trusted or does not match the target host, an HTTPS and other SSL encrypted connection cannot be established and all attempts will result in SSLHandshakeException or IOException.


1 Answers

First, don't ignore certificate errors. Deal with them instead. Ignoring certificate errors opens the connection to potential MITM attacks. It's like turning off the buzzer in your smoke alarm because sometimes it makes a noise...

Sure, it's tempting to say it's only for test code, it won't end up in production, but we all know what happens when the deadline approaches: the code doesn't show any error when it's being tested -> we can ship it as it is. You should set up a test CA instead if you need. It's not very hard to make, and the overall process is certainly no harder than introducing custom code for development and removing it in production.

You're visibly using Apache Http Client:

HttpClient client = new HttpClient();
int statusCode = client.executeMethod(method);

Yet, you're initialising the javax.net.ssl.HttpsURLConnection with the SSLContext you've created:

HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());

This is completely independent of the Apache Http Client settings.

Instead, you should set up the SSLContext for the Apache Http Client library, as described in this answer. If you're using Apache Http Client 3.x, you need to set up your own SecureProtocolSocketFactory to use that SSLContext (see examples here). It's worth upgrading to Apache Http Client 4.x though, which has direct support for SSLContext.

You can also use Pascal's answer to import the certificate correctly. Again, if you follow the accepted answer (by Kevin) to that question, you will indeed ignore the error but this will make the connection vulnerable to MITM attacks.

like image 132
Bruno Avatar answered Sep 28 '22 01:09

Bruno