Disabling Certificate Validation in an HTTPS Connection

By default, accessing an HTTPS URL using the URL class results in an exception if the server's certificate chain cannot be validated, for example because it has not previously been installed in the truststore. If you want to disable the validation of certificates for testing purposes, you need to override the default trust manager with one that trusts all certificates.
import java.net.MalformedURLException;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[]{
    new X509TrustManager() {
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            // The interface contract requires a non-null (possibly empty) array
            return new java.security.cert.X509Certificate[0];
        }
        public void checkClientTrusted(
            java.security.cert.X509Certificate[] certs, String authType) {
            // Accepts any client certificate chain
        }
        public void checkServerTrusted(
            java.security.cert.X509Certificate[] certs, String authType) {
            // Accepts any server certificate chain
        }
    }
};

// Install the all-trusting trust manager as the JVM-wide default
try {
    SSLContext sc = SSLContext.getInstance("SSL");
    sc.init(null, trustAllCerts, new java.security.SecureRandom());
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
} catch (Exception e) {
}

// Now you can access an https URL without having the certificate in the truststore
try {
    URL url = new URL("https://hostname/index.html");
} catch (MalformedURLException e) {
}

Comments

21 Jan 2010 - 12:35pm by Anonymous (not verified)

good page

10 Feb 2010 - 6:37am by Anonymous (not verified)

Not verifying the server's certificate makes such an SSL connection vulnerable to MITM attacks (just like anonymous cipher suites), so SSL isn't really useful in this case...

10 Feb 2010 - 11:09pm by Anonymous (not verified)

I think the point is testing, against servers that have either self-signed certificates or are borrowing ones from other servers (for testing). Yes you lose some security, but your testing works.

5 Mar 2010 - 7:21am by jarsit (not verified)

Yes, cool, too bad that it is not working for me. Until one day ago the certificates were OK; now I'm stuck with this certificate error.

5 Mar 2010 - 8:13am by jarsit (not verified)

OK, this page's code is OK if I replace

SSLContext sc = SSLContext.getInstance("SSL");

with

SSLContext sc = SSLContext.getInstance("TLS");

and it is working.

26 Mar 2010 - 11:49am by J. Zelinsky (not verified)

Hello. This is a fantastic page that has exactly what I need to do.

Basically, for testing purposes, I want to have Java accept whatever certificate I have. I'm currently using Jetty as my webserver, and I have set up SSL.

Now, when I use your code, I get an error and I was wondering if anyone could help me out.

Exception in thread "main" java.io.IOException: HTTPS hostname wrong: should be
at sun.net.www.protocol.https.HttpsClient.checkURLSpoofing(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
at main.Main.main(Main.java:46)

After using your code, here is what I have written to connect to the webserver and print out what's on that page.

try {
    URL url = new URL("https://localhost:8443");

    URLConnection uc = url.openConnection();
    BufferedReader rd = new BufferedReader(
        new InputStreamReader(uc.getInputStream()));
    String a = rd.readLine();
    while (a != null) {
        System.out.println(a);
        a = rd.readLine();
    }
} catch (MalformedURLException e) {
}

I'm new to this stuff, so, if I've said anything incorrectly, please correct me so I may learn! Thank you so much! :D

21 May 2010 - 4:05am by Anubrato (not verified)

Very helpful! Thanks so much!

12 Jul 2010 - 8:53am by Amon RA (not verified)

Thank you very much. You solved my biggest problem in the project.

22 Jul 2010 - 6:59am by SJ Baker (not verified)

adding

HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String string, SSLSession ssls) {
        return true;
    }
});

should avoid the HTTPS hostname wrong: exception.
