
Is it possible to get Java to ignore the "trust store" and just accept whatever SSL certificate it gets?

I am trying to write an SSL client that sends mail using the javax.mail API. The problem I am having is that the server requests that I use SSL, but the server is also configured with a non-standard SSL certificate. The web pages I have found say that I need to install the certificate into the trust store. I don't want to do that (I don't have the necessary permissions.)

  1. Is there a way to get Java to just ignore the certificate error and accept it?
  2. Failing that, is there a way to have the trust store be local for my program, and not installed for the whole JVM?
vy32 asked Aug 02 '09 16:08



2 Answers

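Working code (in jdk1.6.0_23) for #1.

Imports

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.security.cert.X509Certificate;
```

The actual trust all TrustManager code.

```java
// Trust manager that performs no validation: every certificate chain is accepted.
TrustManager trm = new X509TrustManager() {
    public X509Certificate[] getAcceptedIssuers() {
        // Empty array rather than null: the interface contract is a non-null array.
        return new X509Certificate[0];
    }

    public void checkClientTrusted(X509Certificate[] certs, String authType) {
        // No check: never throws, so any client chain is accepted.
    }

    public void checkServerTrusted(X509Certificate[] certs, String authType) {
        // No check: never throws, so any server chain is accepted.
    }
};

// getInstance() and init() throw checked exceptions
// (NoSuchAlgorithmException, KeyManagementException).
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, new TrustManager[] { trm }, null);
// Replaces the socket factory for every HttpsURLConnection in the JVM.
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
```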
so_mv answered Oct 06 '22 00:10


You need to create a fake TrustManager that accepts all certificates, and register it as a manager. Something like this:

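```java
import java.security.SecureRandom;
import java.security.cert.X509Certificate;

// com.sun.net.ssl is the legacy, deprecated JSSE API; javax.net.ssl is its current equivalent.
public class MyManager implements com.sun.net.ssl.X509TrustManager {
  // Returning true unconditionally accepts every certificate chain.
  public boolean isClientTrusted(X509Certificate[] chain) { return true; }
  public boolean isServerTrusted(X509Certificate[] chain) { return true; }
  public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}

com.sun.net.ssl.TrustManager[] managers =
  new com.sun.net.ssl.TrustManager[] {new MyManager()};

// Keep a reference to the context: its socket factory is what connections
// must use for the manager to take effect.
com.sun.net.ssl.SSLContext ctx = com.sun.net.ssl.SSLContext.getInstance("SSL");
ctx.init(null, managers, new SecureRandom());
```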
Zed answered Oct 05 '22 23:10
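
For the second part of the question, a trust store local to the program, here is an added example that is not from either answer: it loads trust managers from a keystore file the program names itself and builds an SSLContext from them, so certificate validation stays on and the JVM-wide cacerts file is untouched. The class name, temporary file name and demo password are illustrative; run it with a store file and its password as arguments, or with none to use a constructed empty store.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class LocalTrustStore {
    // Trust managers backed only by the given keystore file; the JVM-wide
    // cacerts store is neither consulted nor modified.
    static TrustManager[] trustManagersFrom(Path file, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(file)) {
            store.load(in, password);
        }
        String alg = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(alg);
        tmf.init(store);
        return tmf.getTrustManagers();
    }

    // Constructed demo input: an empty keystore written to a temporary file.
    static Path emptyStore(char[] password) throws Exception {
        Path file = Files.createTempFile("local-trust", ".ks");
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null);
        try (OutputStream out = Files.newOutputStream(file)) {
            empty.store(out, password);
        }
        return file;
    }

    public static void main(String[] args) throws Exception {
        char[] password = (args.length == 2 ? args[1] : "changeit").toCharArray();
        Path file = args.length == 2 ? Paths.get(args[0]) : emptyStore(password);
        TrustManager[] tms = trustManagersFrom(file, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tms, null); // only sockets created from ctx use this store
        for (TrustManager tm : tms) {
            if (tm instanceof X509TrustManager) {
                int n = ((X509TrustManager) tm).getAcceptedIssuers().length;
                System.out.println("certificates trusted by this context: " + n);
            }
        }
    }
}
```

A store holding the server's certificate can be created in any user-writable location with `keytool -importcert`, which needs no access to the JVM installation. For JavaMail, the factory from `ctx.getSocketFactory()` can be supplied through the `mail.smtp.ssl.socketFactory` session property.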