Disabling Certificate Validation in an HTTPS Connection

By default, accessing an HTTPS URL using the URL class results in an exception if the server's certificate chain cannot be validated, which is the case when the certificate has not previously been installed in the truststore. If you want to disable the validation of certificates for testing purposes, you need to override the default trust manager with one that trusts all certificates.
    import java.net.MalformedURLException;
    import java.net.URL;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;

    // Create a trust manager that does not validate certificate chains
    TrustManager[] trustAllCerts = new TrustManager[]{
        new X509TrustManager() {
            public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                return null;
            }
            // Accept any client certificate without checking it
            public void checkClientTrusted(
                    java.security.cert.X509Certificate[] certs, String authType) {
            }
            // Accept any server certificate without checking it
            public void checkServerTrusted(
                    java.security.cert.X509Certificate[] certs, String authType) {
            }
        }
    };

    // Install the all-trusting trust manager as the JVM-wide default for HttpsURLConnection
    try {
        SSLContext sc = SSLContext.getInstance("SSL");
        sc.init(null, trustAllCerts, new java.security.SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    } catch (Exception e) {
        e.printStackTrace();
    }

    // Now you can access an https URL without having the certificate in the truststore
    try {
        URL url = new URL("https://hostname/index.html");
    } catch (MalformedURLException e) {
        e.printStackTrace();
    }
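As an added example that is not part of the original page: when the goal is only to test against a self-signed server, the chain validation above can be kept and just that one certificate trusted, by loading it into a private in-memory truststore and scoping the resulting SSLContext to a single connection instead of replacing the JVM default. The file name test-server.pem and the class name PinnedTestTrust are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PinnedTestTrust {

    // Builds an SSLContext that trusts only the certificate(s) in the given file
    // (PEM or DER, e.g. the self-signed cert exported from the test server).
    // Chain validation and expiry checks are still performed by the default
    // X509TrustManager; only the set of trust anchors is replaced.
    static SSLContext contextTrusting(String certPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty, in-memory truststore
        int n = 0;
        try (InputStream in = new FileInputStream(certPath)) {
            for (Certificate c : cf.generateCertificates(in)) {
                ks.setCertificateEntry("test-" + (n++), c);
            }
        }
        if (n == 0) {
            throw new IllegalArgumentException("no certificates found in " + certPath);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String certPath = args.length > 0 ? args[0] : "test-server.pem"; // assumed path
        URL url = new URL("https://hostname/index.html");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Scope the override to this connection; the JVM default factory stays untouched.
        conn.setSSLSocketFactory(contextTrusting(certPath).getSocketFactory());
        // Default hostname verification is still in force: the cert must match "hostname".
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The connection fails, as it should, for any certificate other than the one in the file, so a man-in-the-middle presenting a different certificate is still rejected.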

Comments

21 Jan 2010 - 12:35pm by Anonymous (not verified)

good page

10 Feb 2010 - 6:37am by Anonymous (not verified)

Not verifying the server's certificate makes such an SSL connection vulnerable to MITM attacks (just like anonymous cipher suites), so SSL isn't really useful in this case...

10 Feb 2010 - 11:09pm by Anonymous (not verified)

I think the point is testing, against servers that have either self-signed certificates or are borrowing ones from other servers (for testing). Yes you lose some security, but your testing works.

1 Mar 2010 - 2:02pm by Bjørn Næss (not verified)

This is a good page. I would like to recommend the SSLUtilities from http://en.wikibooks.org/wiki/WebObjects/Web_Services/How_to_Trust_Any_SS....

This Helper class is nice when testing against self-signed servers.

5 Mar 2010 - 7:21am by jarsit (not verified)

Yes, cool, too bad that is not working for me; until one day ago the certificates were ok, now I'm stuck with this certificate error.

5 Mar 2010 - 7:48am by jarsit (not verified)

Fixed for me too, this is the solution http://code.google.com/p/android/issues/detail?id=1946 or: For those looking for a workaround, I just managed to get this working in my app (I had the same problem with a new VeriSign certificate). What I have done is register a custom SSL SocketFactory implementation. I've found one here: http://exchangeit.googlecode.com/svn-history/r23/trunk/src/com/byarger/exchangeit/EasySSLSocketFactory.java To get this to work, I've replaced the EasyX509TrustManager that is used in this implementation by a trivial no-op TrustManager:
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.X509TrustManager;

    // No-op trust manager: accepts every certificate chain without checking it
    public class TrivialTrustManager implements X509TrustManager {
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
        }
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
        }
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }
I've registered it like this:
    import org.apache.http.HttpVersion;
    import org.apache.http.conn.scheme.PlainSocketFactory;
    import org.apache.http.conn.scheme.Scheme;
    import org.apache.http.conn.scheme.SchemeRegistry;
    import org.apache.http.impl.client.DefaultHttpClient;
    import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
    import org.apache.http.params.BasicHttpParams;
    import org.apache.http.params.HttpParams;
    import org.apache.http.params.HttpProtocolParams;
    // EasySSLSocketFactory comes from the file linked above
    import com.byarger.exchangeit.EasySSLSocketFactory;

    public DefaultHttpClient getClient() {
        DefaultHttpClient ret = null;
        // sets up parameters
        HttpParams params = new BasicHttpParams();
        HttpProtocolParams.setVersion(params, HttpVersion.HTTP_1_1);
        HttpProtocolParams.setContentCharset(params, "utf-8");
        params.setBooleanParameter("http.protocol.expect-continue", false);
        // registers schemes for both http and https
        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
        // https goes through the custom socket factory that uses the no-op trust manager
        registry.register(new Scheme("https", new EasySSLSocketFactory(), 443));
        ThreadSafeClientConnManager manager = new ThreadSafeClientConnManager(params, registry);
        ret = new DefaultHttpClient(manager, params);
        return ret;
    }
This works as a quick hack to get things to work, but it does disable all certificate validation. I'm going to try implement the private keystore approach, and give the user the option to have untrusted certificates added to it (like in a browser).

5 Mar 2010 - 8:13am by jarsit (not verified)

Ok, this page's code is ok if I replace

SSLContext sc = SSLContext.getInstance("SSL");

with

SSLContext sc = SSLContext.getInstance("TLS");

and it is working.
