Saturday, March 25, 2017

Disable SSL Certificate Validation in Java

In the previous post we saw how to disable hostname verification. Along similar lines, we can also disable SSL certificate validation in a Java client.


By design, when a client uses the JSSE implementation of the SSL protocol, it performs a few validations to ensure the requested host is not fake. This involves validating the server's X.509 certificate with the PKIX algorithm and checking the host name against the certificate subject. If the SSL certificate is not valid or does not match the target host, you will get an SSLHandshakeException or IOException.

Certificate validation can be disabled by overriding the default TrustManager implementation with one whose check methods never throw, so every server certificate is accepted.

import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

    // Trust manager that accepts every certificate: neither check method throws
    TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
        public X509Certificate[] getAcceptedIssuers() {
            // Return an empty array rather than null; some SSL engines dereference the result
            return new X509Certificate[0];
        }

        public void checkClientTrusted(X509Certificate[] certs, String authType) {
            // No check performed
        }

        public void checkServerTrusted(X509Certificate[] certs, String authType) {
            // No check performed: any server certificate (self-signed, expired, wrong CA) is accepted
        }
    } };

    SSLContext sc;
    try {
        sc = SSLContext.getInstance("SSL");
        sc.init(null, trustAllCerts, new java.security.SecureRandom());
    } catch (KeyManagementException | NoSuchAlgorithmException e) {
        // Do not continue with a null context; surface the failure instead
        throw new IllegalStateException("Unable to initialise SSLContext", e);
    }

    // Installs the trust-all socket factory JVM-wide for every HttpsURLConnection
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
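The usual reason for reaching for a trust-all manager is a self-signed or private-CA certificate. As an added example (not code from the original post), the class below shows the alternative: load that one certificate into an in-memory truststore and let the default PKIX TrustManager validate against it, so validation stays on. The certificate path and the URL are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PinnedTrustStore {

    // Builds an SSLContext that trusts only the certificate found in the given PEM file
    public static SSLContext contextTrustingOnly(String pemPath) throws Exception {
        // Parse the PEM-encoded private CA (or self-signed server) certificate
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca;
        try (InputStream in = new FileInputStream(pemPath)) {
            ca = (X509Certificate) cf.generateCertificate(in);
        }

        // In-memory truststore containing just this certificate
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("private-ca", ca);

        // The default TrustManagerFactory runs PKIX validation against this truststore,
        // so chain building, expiry and signature checks all still apply
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, tmf.getTrustManagers(), new java.security.SecureRandom());
        return sc;
    }

    public static void main(String[] args) throws Exception {
        // "/path/to/server-ca.pem" is a placeholder path, not a real file
        String pem = args.length > 0 ? args[0] : "/path/to/server-ca.pem";
        SSLContext sc = contextTrustingOnly(pem);

        // Apply to this connection only; the JVM-wide default is left untouched
        HttpsURLConnection conn = (HttpsURLConnection)
            new java.net.URL("https://internal.example/").openConnection();
        conn.setSSLSocketFactory(sc.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Hostname verification is unaffected by this change, so the certificate must still match the host being contacted.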


References:

http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html

