How to make Restlet client ignore SSL certificate issues

I am currently working in a test environment where the server has a self-signed SSL certificate. I use Restlet 2.1-RC2 and create a client resource as follows:

    Client client = new Client(new Context(), Protocol.HTTP);
    cr = new ClientResource(String.format(itql_endpoint, riQuery));
    cr.setNext(client);

and reuse the client for every call I make. How do I configure the client so that it ignores certificate problems?

+6
2 answers

The correct way is to import this self-signed certificate into the client truststore using keytool, for example:

    keytool -import -file server-cert.pem -alias myserver -keystore mytruststore.jks

You can either do this directly in the JRE truststore (lib/security/cacerts), which may lose some flexibility, or do it in your own copy of that file, which you then set as the truststore (the default password is changeit, or changeme on OSX). You configure this truststore globally for your application using the usual javax.net.ssl.trustStore* system properties (for example -Djavax.net.ssl.trustStore=mytruststore.jks and -Djavax.net.ssl.trustStorePassword), or you can configure it for a specific connector in Restlet using the context parameters, for example:

    Series<Parameter> parameters = client.getContext().getParameters();
    parameters.add("truststorePath", "/path/to/your/truststore.jks");
    // parameters.add("truststorePassword", "password");
    // parameters.add("trustPassword", "password");
    // parameters.add("truststoreType", "JKS");

The wrong way is to use a TrustManager that disables all validation and pass it in through an SslContextFactory (in the SSL extension). Something like this:

    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;
    import org.restlet.ext.ssl.SslContextFactory;

    TrustManager tm = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
        }

        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            // This will never throw an exception.
            // This doesn't check anything at all: it is insecure.
        }
    };

    final SSLContext sslContext = SSLContext.getInstance("TLS");
    sslContext.init(null, new TrustManager[] { tm }, null);

    Context context = client.getContext();
    context.getAttributes().put("sslContextFactory", new SslContextFactory() {
        public void init(Series<Parameter> parameters) {
        }

        public SSLContext createSslContext() {
            return sslContext;
        }
    });

While the first method may seem a little more tedious than the second (since you need to get the server certificate first and copy the files), the second will just make the error messages disappear without checking anything about the server certificate, thereby making the connection vulnerable to active MITM attacks. This applies to any connection in which this SSLContext is configured. (This is not wrong because it uses a custom SSLContext; it is wrong because of this particular SSLContext configuration.)

+9
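The safe counterpart of the SslContextFactory above, as an added example that is not part of the original answer or of Restlet itself: it builds the SSLContext from your own truststore (the one created with keytool) and lets the JRE's standard PKIX trust manager do the full chain validation. The truststore path, its password and the use of Protocol.HTTPS are assumptions for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.restlet.Client;
import org.restlet.Context;
import org.restlet.data.Parameter;
import org.restlet.data.Protocol;
import org.restlet.ext.ssl.SslContextFactory;
import org.restlet.util.Series;

/** SslContextFactory that trusts only the certificates in a given truststore. */
public final class TruststoreSslContextFactory extends SslContextFactory {
    private final String truststorePath;     // assumed, e.g. "/path/to/mytruststore.jks"
    private final char[] truststorePassword; // assumed, e.g. "changeit".toCharArray()

    public TruststoreSslContextFactory(String truststorePath, char[] truststorePassword) {
        this.truststorePath = truststorePath;
        this.truststorePassword = truststorePassword;
    }

    @Override
    public void init(Series<Parameter> parameters) {
        // Configuration comes through the constructor, so there is nothing to read here.
    }

    @Override
    public SSLContext createSslContext() throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(truststorePath)) {
            trustStore.load(in, truststorePassword);
        }
        // The default (PKIX) trust manager validates the server's chain against the
        // truststore, so an unknown or forged certificate still fails the handshake.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Creates an HTTPS client whose connector uses this factory. */
    public static Client newHttpsClient(String truststorePath, char[] truststorePassword) {
        Client client = new Client(new Context(), Protocol.HTTPS);
        client.getContext().getAttributes().put("sslContextFactory",
                new TruststoreSslContextFactory(truststorePath, truststorePassword));
        return client;
    }
}
```

Reuse the returned Client for every ClientResource via setNext(), exactly as in the question; a host whose certificate is not in the truststore is rejected instead of silently accepted.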
    // Create an all-trusting host name verifier (accepts any host name: insecure)
    HostnameVerifier allHostsValid = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    };
    HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
+1

Source: https://habr.com/ru/post/906842/