Is it possible to convince a Java application to ignore SSL issues without modifying its code?

Tags:

java

ssl

I have some Java apps that are complaining about different SSL problems, like self-signed certificates or untrusted ones.

As I do not have the code of these apps and getting good certificates is too hard, I am looking for a solution that would allow me to force them to connect.

So far I have tried these, but they do not seem to be enough:

-Dcom.sun.net.ssl.checkRevocation=false 
-Djava.security.debug=certpath

I still see:

  • sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  • javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
sorin asked Oct 23 '12 12:10


1 Answer

Code modifications to ignore certificate validation errors by ignoring trust verification altogether (e.g. using a trust manager that does nothing) are normally not the right way to go. They may be popular with some developers, because they don't have to go through any steps about dealing with certificates, but they're just ignoring the problem instead of fixing it, thereby also introducing vulnerabilities to MITM attacks. (Because the problem is then silenced, it tends never to be fixed in production releases.)

The various ways to configure trust management are described in the JSSE Reference Guide.

In short, you can either import the certificates explicitly into the JRE truststore (usually the cacerts file in the JRE directory) or import them into your own trust store (possibly based on a copy of the default trust store), specifying its path using the javax.net.ssl.trustStore (and related) system properties (see JSSE Ref Guide).

These configuration settings will affect all the SSLSockets and SSLEngines that use the default settings themselves (without any specific SSLContext in the code).

Some applications use their own SSLContext to load a specific keystore or truststore for certain connections. This is usually configured with parameters that are independent of the JSSE default options, in which case you'll have to check the application documentation or code.

Bruno answered Sep 23 '22 13:09