Ignore SSL Certificate Errors with Java

Question

Apache Http Client. You can see the relevant code here:

String url = \"https://path/to/url/service\";
HttpClient client = new HttpClient();
PostMethod method         


        

Answer 1

Ignoring certificates has it's own harm, because the same code can move in production enviornment, and can cause havoc.

Below example is with Jersey Rest Client

private static final com.sun.jersey.api.client.Client client = com.sun.jersey.api.client.Client.create(configureClient());
final com.sun.jersey.api.client.WebResource webResource = client.resource("url");
try {
    com.sun.jersey.api.client.ClientResponse response = webResource.type(MediaType.APPLICATION_JSON_TYPE)
                            .accept(MediaType.APPLICATION_JSON_TYPE)
                            .get(com.sun.jersey.api.client.ClientResponse.class);
}catch(com.sun.jersey.api.client.ClientHandlerException che){
    che.printStackTrace();  
}

And ignoring certificates can be as below:

public static ClientConfig configureClient() {
    TrustManager[ ] certs = new TrustManager[ ] {
            new X509TrustManager() {
                public X509Certificate[] getAcceptedIssuers() {
                    return null;
                }
                public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {}
                public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {}
            }
    };
    SSLContext ctx = null;
    try {
        ctx = SSLContext.getInstance("SSL");
        ctx.init(null, certs, new SecureRandom());
    } catch (java.security.GeneralSecurityException ex) {
    }
    HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());

    ClientConfig config = new DefaultClientConfig();
    try {
        config.getProperties().put(HTTPSProperties.PROPERTY_HTTPS_PROPERTIES, new HTTPSProperties(
                new HostnameVerifier() {
                    public boolean verify(String hostname, SSLSession session) {
                        return true;
                    }
                },
                ctx
        ));
    } catch(Exception e) {
    }

    return config;
}

Answer 2

If you really want to ignore everything this worked for me:

SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(new TrustStrategy() {
    @Override
    public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        return true;
    }
}).build();
HostnameVerifier hnv = new NoopHostnameVerifier();      
SSLConnectionSocketFactory sslcf = new SSLConnectionSocketFactory(sslContext, hnv);     
CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslcf).build()

Answer 3

First, don't ignore certificate errors. Deal with them instead. Ignoring certificate errors opens the connection to potential MITM attacks. It's like turning off the buzzer in your smoke alarm because sometimes it makes a noise...

Sure, it's tempting to say it's only for test code, it won't end up in production, but we all know what happens when the deadline approaches: the code doesn't show any error when it's being tested -> we can ship it as it is. You should set up a test CA instead if you need. It's not very hard to make, and the overall process is certainly no harder than introducing custom code for development and removing it in production.

You're visibly using Apache Http Client:

HttpClient client = new HttpClient();
int statusCode = client.executeMethod(method);

Yet, you're initialising the javax.net.ssl.HttpsURLConnection with the SSLContext you've created:

HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());

This is completely independent of the Apache Http Client settings.

Instead, you should set up the SSLContext for the Apache Http Client library, as described in this answer. If you're using Apache Http Client 3.x, you need to set up your own SecureProtocolSocketFactory to use that SSLContext (see examples here). It's worth upgrading to Apache Http Client 4.x though, which has direct support for SSLContext.

You can also use Pascal's answer to import the certificate correctly. Again, if you follow the accepted answer (by Kevin) to that question, you will indeed ignore the error but this will make the connection vulnerable to MITM attacks.

Answer 4

HttpClient 4.3, it's easy,

     HttpClientBuilder cb = HttpClientBuilder.create();
     SSLContextBuilder sslcb = new SSLContextBuilder();
     sslcb.loadTrustMaterial(KeyStore.getInstance(KeyStore.getDefaultType()), new TrustSelfSignedStrategy());
     cb.setSslcontext(sslcb.build());
     CloseableHttpClient httpclient = cb.build();

that should fix ur problem