Can I convince a Java application to ignore SSL problems without changing its code?

I have java applications that complain about various SSL issues, such as a self-signed certificate or untrusted ones.

Since I don’t have the code for these applications and getting good certificates is too complicated, I’m looking for a solution that will allow me to get it connected.

So far I have tried this, but it seems this is not enough:

-Dcom.sun.net.ssl.checkRevocation=false -Djava.security.debug=certpath 

I still see:

  • sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  • javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
+4
2 answers

Code changes that ignore certificate validation errors by disabling trust verification altogether (for example, using a trust manager that does nothing) are generally not the right path. They may be popular with some developers because they don’t need to go through any steps to work with certificates, but they just ignore the problem rather than fix it, thereby also introducing vulnerability to MITM attacks. (Since the problem is then hidden, it never gets fixed in production releases.)

The various ways to configure trust management are described in the JSSE Reference Guide.

In short, you can either import certificates explicitly into the JRE trust store (usually the cacerts file in the JRE directory), or import them into your own trust store (possibly based on a copy of the default trust store) and specify its path with the javax.net.ssl.trustStore system property (and the related ones); see the JSSE Reference Guide.

These configuration parameters affect all SSLSocket and SSLEngine instances that use the default settings (that is, without any specific SSLContext set up in the code).

Some applications use their own SSLContext to load a specific keystore or trust store for particular connections. This is usually configured with parameters that are independent of the default JSSE parameters, in which case you will need to check the documentation or the application code.

+7
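The following is an added diagnostic example, not code from the answer above or from the JDK: it reproduces the PKIX path validation that JSSE's default X509TrustManager performs, so you can see in advance whether the JRE trust store (or one named with -Djavax.net.ssl.trustStore, as the answer suggests) accepts a server's chain, without touching the application. The class name ChainTrustCheck and the command-line arguments are assumptions; the chain file is expected to be PEM certificates as saved from `openssl s_client -showcerts`.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Validates a saved server certificate chain against a trust store using the same
 * PKIX path building that JSSE's default X509TrustManager performs, so the result
 * matches what an application without its own SSLContext sees at handshake time.
 * (Hypothetical helper written for this answer; not part of the JDK.)
 */
public class ChainTrustCheck {

    /** Parse one or more PEM certificates (leaf first), e.g. a file saved from `openssl s_client -showcerts`. */
    static X509Certificate[] loadPemChain(Path pemFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pemFile)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            return certs.toArray(new X509Certificate[0]);
        }
    }

    /** Load a JKS or PKCS12 trust store, such as a copy of cacerts extended with `keytool -importcert`. */
    static KeyStore loadTrustStore(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Obtain the PKIX trust manager. A null KeyStore means "JSSE defaults": the store named by
     * -Djavax.net.ssl.trustStore / -Djavax.net.ssl.trustStorePassword if set, otherwise
     * $JAVA_HOME/lib/security/cacerts. That is exactly the trust an unmodified application gets.
     */
    static X509TrustManager trustManager(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager from provider " + tmf.getProvider().getName());
    }

    /**
     * Returns null if the chain builds to an anchor in the trust store, otherwise the PKIX error text
     * (the same "unable to find valid certification path" message quoted in the question).
     * Only path validation happens here; hostname matching is a separate step done by HttpsURLConnection.
     */
    static String validate(X509TrustManager tm, X509Certificate[] chain) {
        try {
            // authType only selects the key-usage check for the leaf; "UNKNOWN" requires digitalSignature,
            // which any certificate usable with (EC)DHE cipher suites or TLS 1.3 carries.
            tm.checkServerTrusted(chain, "UNKNOWN");
            return null;
        } catch (CertificateException e) {
            return e.getMessage();
        }
    }

    /**
     * Usage: java ChainTrustCheck chain.pem [truststore [password]]
     * Without a trust store argument the JSSE default trust store is used, so launching this with
     * -Djavax.net.ssl.trustStore=... shows whether that setting alone would satisfy the application.
     */
    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: ChainTrustCheck chain.pem [truststore [password]]");
            System.exit(2);
        }
        X509Certificate[] chain = loadPemChain(Paths.get(args[0]));
        KeyStore ks = null;
        if (args.length >= 2) {
            // "changeit" is the documented default password of the JRE's cacerts file
            char[] pw = (args.length >= 3 ? args[2] : "changeit").toCharArray();
            ks = loadTrustStore(Paths.get(args[1]), pw);
        }
        System.out.println("leaf subject: " + chain[0].getSubjectX500Principal());
        System.out.println("chain length: " + chain.length);
        String error = validate(trustManager(ks), chain);
        if (error == null) {
            System.out.println("RESULT: trusted (path built to an anchor in the trust store)");
        } else {
            System.out.println("RESULT: untrusted: " + error);
            System.out.println("Import the issuing CA (last certificate in the chain, or its root) into a copy of cacerts"
                    + " with keytool -importcert, then start the application with -Djavax.net.ssl.trustStore=<that copy>.");
        }
    }
}
```

Run it once with no trust store argument and `-Djava.security.debug=certpath` (the flag from the question) to see which anchors the default store offers; once the chain reports trusted against your extended copy of cacerts, the same -Djavax.net.ssl.trustStore setting will work for any application that relies on the default SSLContext, while leaving validation intact.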

http://code.google.com/p/misc-utils/wiki/JavaHttpsUrl provides several invasive solutions.

SSLSocketFactory can be overridden with a system property.

But a custom HostnameVerifier can only be installed by a special Java agent, through an additional launch option or on the fly.

In addition, the AspectJ weaving agent can be used to override the behavior of any method.

Also consider an alternative approach with an MITM HTTPS proxy server (if the application allows you to reconfigure URLs and certificates).

+6

Source: https://habr.com/ru/post/1441539/
