1. 技术文章
  2. Is it possible to get Java to ignore the “trust store” and just accept whatever SSL certificate it gets?

Is it possible to get Java to ignore the “trust store” and just accept whatever SSL certificate it gets?

独自空忆成欢 提交于 2019-12-28 01:56:30

问题


I am trying to write an SSL client that sends mail using the javax.mail API. The problem I am having is that the server request that I use SSL, but the server is also configured with a non-standard SSL certificate. The web pages I have found say that I need to install the certificate into the trust store. I don't want to do that (I don't have the necessary permissions.)

  1. Is there a way to get Java to just ignore the certificate error and accept it?
  2. Failing that, is there a way to have the trust store be local for my program, and not installed for the whole JVM?

回答1:


You need to create a fake TrustManager that accepts all certificates, and register it as a manager. Something like this:

public class MyManager implements com.sun.net.ssl.X509TrustManager {
  public boolean isClientTrusted(X509Certificate[] chain) { return true; }
  public boolean isHostTrusted(X509Certificate[] chain) { return true; }
  ...
}


com.sun.net.ssl.TrustManager[] managers =
  new com.sun.net.ssl.TrustManager[] {new MyManager()};

com.sun.net.ssl.SSLContext.getInstance("SSL").
       .init(null, managers, new SecureRandom());



回答2:


Working code ( in jdk1.6.0_23) for #1.

Imports

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.security.cert.X509Certificate;

The actual trust all TrustManager code.

TrustManager trm = new X509TrustManager() {
    public X509Certificate[] getAcceptedIssuers() {
        return null;
    }

    public void checkClientTrusted(X509Certificate[] certs, String authType) {

    }

    public void checkServerTrusted(X509Certificate[] certs, String authType) {
    }
};

SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, new TrustManager[] { trm }, null);
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());



回答3:


Try this (answer to question 2):

System.setProperty("javax.net.ssl.trustStore", "/path/to/truststore");

You can also specify this as an additional command line parameter:

java -Djavax.net.ssl.trustStore=/path/to/truststore <remaining arguments>

On Fedora this could be the system wide java trust store in /etc/pki/java/cacerts




回答4:


Just add -Dtrust_all_cert=true to VM arguments. This argument tells java to ignore all certificate checks.




回答5:


In Command Line you can add argument -noCertificationCheck to java to ignore the certificate checks.



来源:https://stackoverflow.com/questions/1219208/is-it-possible-to-get-java-to-ignore-the-trust-store-and-just-accept-whatever

标签
java
ssl
truststore
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!