Posted to xmlrpc-dev@ws.apache.org by bu...@apache.org on 2003/08/06 17:55:36 UTC

DO NOT REPLY [Bug 22181] New: - Add option to XmlRpcClient to ignore SSL certificate validation

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22181>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22181

Add option to XmlRpcClient to ignore SSL certificate validation

           Summary: Add option to XmlRpcClient to ignore SSL certificate
                    validation
           Product: XML-RPC
           Version: 1.1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Enhancement
          Priority: Other
         Component: Source
        AssignedTo: rpc-dev@xml.apache.org
        ReportedBy: arozeluk@compugen.com


When using XML-RPC with SSL, and the server is using a self-signed certificate
(say on a staging server), the Java net libraries throw an exception.

As a suggestion, it should be possible to add a method, something like static
setIgnoreSSLCerts(boolean) to XmlRpcClient and XmlRpcClientLite, which will
override the TrustManager for the SSL connects. Thus, the user will have the
benefit of SSL encryption, without the hassle of having to have that certificate
signed by a CA.

For example, before connecting you can simply:

import java.security.SecureRandom;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// IgnoreSSLCertTrustManager accepts any server certificate (described below)
X509TrustManager tm = new IgnoreSSLCertTrustManager();
KeyManager[] km = null;            // no client certificate
TrustManager[] tma = {tm};
SSLContext sc = SSLContext.getInstance("SSL");
sc.init( km, tma, new SecureRandom() );
SSLSocketFactory sf1 = sc.getSocketFactory();

... then when you get your URLConnection:
import java.net.URLConnection;
import javax.net.ssl.HttpsURLConnection;

URLConnection con = target.openConnection();   // target is the server's java.net.URL
if ( con instanceof HttpsURLConnection ){
  HttpsURLConnection secconn = (HttpsURLConnection)con;
  secconn.setSSLSocketFactory( sf1 );   // only HTTPS connections carry a socket factory
}

The IgnoreSSLCertTrustManager simply implements X509TrustManager and returns
true for both 'isClientTrusted' methods and does nothing for
'checkServerTrusted', then returns null for 'getAcceptedIssuers'.

My apologies for not submitting this as a patch, but unfortunately I don't have
those tools available to me at present.
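The following is an added example, not the reporter's code and not part of Apache XML-RPC. It writes the trust manager the report describes against the javax.net.ssl API (checkClientTrusted/checkServerTrusted/getAcceptedIssuers, the methods HttpsURLConnection actually calls) and wires it into an SSLContext exactly as suggested, but it also shows the alternative a security engineer would ask for before accepting such an option: a truststore that holds only the staging server's self-signed certificate, which removes the "CA-signed" requirement without switching validation off. The class names, the PEM file argument and the endpoint URL are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class SelfSignedSslDemo {

    /**
     * What the report asks for: a trust manager that accepts ANY chain.
     * Consequence: anyone on the path can present their own certificate and
     * read or rewrite the XML-RPC traffic. Encryption without authentication.
     */
    static final class IgnoreSSLCertTrustManager implements X509TrustManager {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        // Empty array rather than null: some JSSE code paths dereference this.
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** Socket factory with certificate validation disabled (insecure). */
    static SSLSocketFactory trustAllFactory() throws Exception {
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, new TrustManager[] { new IgnoreSSLCertTrustManager() }, new SecureRandom());
        return sc.getSocketFactory();
    }

    /**
     * Safer alternative: trust exactly one certificate, the staging server's own
     * self-signed cert exported to a PEM file (assumed path). Chain validation,
     * expiry checks and hostname verification all stay in force.
     */
    static SSLSocketFactory pinnedFactory(String pemPath) throws Exception {
        X509Certificate serverCert;
        try (InputStream in = new FileInputStream(pemPath)) {
            serverCert = (X509Certificate)
                CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                               // empty in-memory truststore
        ks.setCertificateEntry("staging-xmlrpc", serverCert);

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                                      // trusts only that one cert
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, tmf.getTrustManagers(), new SecureRandom());
        return sc.getSocketFactory();
    }

    /** Install the factory on a single connection, as the report suggests. */
    static URLConnection open(URL target, SSLSocketFactory sf) throws Exception {
        URLConnection con = target.openConnection();
        if (con instanceof HttpsURLConnection) {
            ((HttpsURLConnection) con).setSSLSocketFactory(sf);
        }
        return con;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical staging endpoint; replace with the real XML-RPC URL.
        URL target = new URL("https://staging.example.invalid/RPC2");
        // With a PEM path argument use the pinned factory; otherwise the trust-all one.
        SSLSocketFactory sf = args.length > 0 ? pinnedFactory(args[0]) : trustAllFactory();
        URLConnection con = open(target, sf);
        con.connect();
        System.out.println("connected using " + (args.length > 0 ? "pinned" : "trust-all") + " factory");
    }
}
```

Two caveats for anyone reaching for the trust-all path: the self-signed staging certificate still has to carry the server's hostname, because HttpsURLConnection verifies the hostname separately from the chain, so the pinned factory works without any further hook; and a static setIgnoreSSLCerts(boolean) on XmlRpcClient would flip that behaviour for every connection in the JVM, which is easy to leave enabled when the code moves from staging to production.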