All geek questions in one place

Check for ignoring Java certificates

I am trying to create some examples of Java projects that connect to a self-signed HTTPS server. I cannot get Java to stop trying to verify the certificate. I do not want to trust this certificate, I just want to completely ignore all certificate verification; this server is inside my network and I want to be able to run some test applications without worrying about whether the certificate is valid.

java -Dcom.sun.net.ssl.checkRevocation=false HelloWorld org.apache.axis2.AxisFault: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

-Dcom.sun.net.ssl.checkRevocation = false did not help. I also tried adding the following code:

 public static void DisableCertificateValidation() { TrustManager[] trustAllCerts = new TrustManager[]{ new X509TrustManager() { public X509Certificate[] getAcceptedIssuers() { return null; } public void checkClientTrusted(X509Certificate[] certs, String authType) { } public void checkServerTrusted(X509Certificate[] certs, String authType) { } } }; try { SSLContext sc = SSLContext.getInstance("SSL"); sc.init(null, trustAllCerts, new java.security.SecureRandom()); HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); } catch (Exception e) { } }

But still the same problem. What's going on here?

+6
source share
2 answers

org.apache.axis2.AxisFault indicates that you are using Axis 2 and Axis 2 is not using HttpsURLConnection to create your HTTP connections, but Apache is HttpClient (as far as I know 3.x), so HttpsURLConnection.setDefaultSSLSocketFactory(...) will have no effect.

You can see this answer about configuring SSLContext for Axis 2, in particular this document: http://axis.apache.org/axis2/java/core/docs/http-transport.html#httpsupport

(Alternatively, you can get away with installing SSLContext by default with SSLContext.setDefault(...) introduced in Java 6. Turning off certificate verification for your default SSL context is obviously not a good idea in a real application.)

+10
source

This is an older question, but I came across it, and it pushed me a little in the right direction. I could access the https URL on axis 2 without a valid client certificate by setting the parameters:

 import org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory; import org.apache.commons.httpclient.protocol.Protocol; EasySSLProtocolSocketFactory easySSLProtocolSocketFactory; try { easySSLProtocolSocketFactory = new EasySSLProtocolSocketFactory(); Protocol.unregisterProtocol("https"); Protocol.registerProtocol("https", new Protocol("https", (ProtocolSocketFactory) easySSLProtocolSocketFactory, 443)); } catch (GeneralSecurityException e) { e.printStackTrace(); }

Just remember to do this before calling the axis2 service client. This is nothing I could do in production, but as a quick hack for an insecure server that helped.

+3
source

Source: https://habr.com/ru/post/892691/

More articles:


All Articles