Trusting to every certificate

Emir Buğra KÖKSALAN tarafından tarihinde yayınlandı

Hi all.

I’m working on a web service project. Our workstations tomcats are configured with ssl. So that means we’re connecting to our tomcat over https and port 8443. And of course my web service is running tomcat and if I’m trying to connect it with basic http then I’m getting bullshit errors. For solving this issue I searched google and then I wrote a java method. Let me show you my method.

[cc lang=”java” tab_size=”4″ lines=”0″ line_numbers=”true” width=”100%” theme=”mac-classic” nowrap=”true”]

// TODO: This is trusting every certificate. This is not secure for live. Add trusted certificates to tomcat. Think about it.
private String sendSoapRequest( String xmlData ){
try{
// TODO: Make this configurable. Don’t use configurable things as hardcoded.
String hostName = “localhost”;
int port = 8443;

URLConnection connection = null;
URL url = new URL( “https://” + hostName + “:” + port + “/mywebserviceapp/xservice” );
logger.debug( “Hostname: ” + url.getHost() );

trustAllCertificates();

connection = url.openConnection();
// TODO: Make this values as configurable
// connection.setConnectTimeout( 1000 );
// connection.setReadTimeout( 1000 );
connection.setDoOutput( true );
connection.setDoInput( true );
connection.setUseCaches( false );
connection.setRequestProperty( “Content-Type”, “text/xml; charset=UTF-8” );
connection.setRequestProperty( “User-Agent”, “Jakarta Commond-HttpClient/3.1” );
connection.setRequestProperty( “Content-Length”, “” + xmlData.length() );

Writer wr = new OutputStreamWriter( connection.getOutputStream(), “UTF-8” );
wr.write( xmlData );
wr.flush();
wr.close();

return read( connection.getInputStream() );
}
catch( Exception e ){
logger.error( “Error: “, e );
}
return null;
}

private void trustAllCertificates(){

TrustManager[] trustAllCerts = new TrustManager[]{ new X509TrustManager(){

public java.security.cert.X509Certificate[] getAcceptedIssuers(){
return null;
}

public void checkClientTrusted( X509Certificate[] certs, String authType ){
}

public void checkServerTrusted( X509Certificate[] certs, String authType ){
}
} };
// Install the all-trusting trust manager
try{
SSLContext sc = SSLContext.getInstance( “SSL” );
sc.init( null, trustAllCerts, new java.security.SecureRandom() );
HttpsURLConnection.setDefaultSSLSocketFactory( sc.getSocketFactory() );
}
catch( Exception e ){
}
// Create all-trusting host name verifier
HostnameVerifier allHostsValid = new HostnameVerifier(){

@Override
public boolean verify( String arg0, SSLSession arg1 ){
// TODO Auto-generated method stub
return false;
}
};
// Install the all-trusting host verifier
HttpsURLConnection.setDefaultHostnameVerifier( allHostsValid );

HostnameVerifier verifier = new HostnameVerifier(){

@Override
public boolean verify( String hostname, SSLSession session ){
return true;
}
};
HttpsURLConnection.setDefaultHostnameVerifier( verifier );
}

[/cc]

Please let me show the resources:

http://hc.apache.org/httpclient-legacy/sslguide.html

http://www.java-samples.com/showtutorial.php?tutorialid=211

http://stackoverflow.com/questions/1802051/https-hostname-wrong-should-be-sub-domain-com-what-causes-this

http://www.nakov.com/blog/2009/07/16/disable-certificate-validation-in-java-ssl-connections/

That’s it…

Kategoriler: Java

Emir Buğra KÖKSALAN

Java & PHP Developer

0 yorum

Bir yanıt yazın

Avatar yer tutucu

E-posta adresiniz yayınlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir

Time limit is exhausted. Please reload the CAPTCHA.

Bu site, istenmeyenleri azaltmak için Akismet kullanıyor. Yorum verilerinizin nasıl işlendiği hakkında daha fazla bilgi edinin.