You are viewing a plain text version of this content. The canonical link for it is here.

Posted to httpclient-users@hc.apache.org by David Byrne <da...@yahoo.com> on 2008/01/29 04:26:12 UTC

Invalid SSL Certs

Looking through SSLSocketFactory.connectSocket, I don't see a way to disable certificate verification. Am I missing anything? If not, would you consider a feature request for it? 

Thanks,
David Byrne



      ____________________________________________________________________________________
Looking for last minute shopping deals?  
Find them fast with Yahoo! Search.  http://tools.search.yahoo.com/newsearch/category.php?category=shopping

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org

RE: Invalid SSL Certs

Posted by Furmaniak Christophe <Ch...@atosorigin.com>.

Hi,

did you check http://hc.apache.org/httpclient-3.x/sslguide.html?

You could start with the EasySSLProtocolSocketFactory example and associate to it a "dummy" TrustManager that would validate all certificates.

for instance, you could try:

==============================================================
public class DummyTrustManager implements X509TrustManager {
        private X509TrustManager standardTrustManager = null;

        private static final Logger logger = Logger
                        .getLogger(DummyTrustManager.class);

        public DummyTrustManager(KeyStore keystore)
                        throws NoSuchAlgorithmException, KeyStoreException {
                super();
                TrustManagerFactory factory = TrustManagerFactory
                                .getInstance(TrustManagerFactory.getDefaultAlgorithm());
                factory.init(keystore);
                TrustManager[] trustmanagers = factory.getTrustManagers();
                if (trustmanagers.length == 0) {
                        throw new NoSuchAlgorithmException("no trust manager found");
                }
                this.standardTrustManager = (X509TrustManager) trustmanagers[0];
        }

        public void checkClientTrusted(X509Certificate[] arg0, String arg1)
                        throws CertificateException {
                // do nothing (if no CertificateException is thrown this means we trust
                // the client)
        }

        public void checkServerTrusted(X509Certificate[] arg0, String arg1)
                        throws CertificateException {
                // do nothing (if no CertificateException is thrown this means we trust
                // the server)
        }

        public X509Certificate[] getAcceptedIssuers() {
                return this.standardTrustManager.getAcceptedIssuers();
        }

}
==============================================================

Of course you are aware that it's really hazardous to run in production with such a TrustManager...

Christophe



> -----Message d'origine-----
> De : David Byrne [mailto:davidribyrne@yahoo.com]
> Envoyé : mardi 29 janvier 2008 04:26
> À : httpclient-users@hc.apache.org
> Objet : Invalid SSL Certs
>
> Looking through SSLSocketFactory.connectSocket, I don't see a way to
> disable certificate verification. Am I missing anything? If not, would
> you consider a feature request for it?
>
> Thanks,
> David Byrne
>
>
>
>
> _______________________________________________________________________
> _____________
> Looking for last minute shopping deals?
> Find them fast with Yahoo! Search.
> http://tools.search.yahoo.com/newsearch/category.php?category=shopping
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>



Ce message et les pièces jointes sont confidentiels et réservés à l'usage exclusif de ses destinataires. Il peut également être protégé par le secret professionnel. Si vous recevez ce message par erreur, merci d'en avertir immédiatement l'expéditeur et de le détruire. L'intégrité du message ne pouvant être assurée sur Internet, la responsabilité du groupe Atos Origin ne pourra être recherchée quant au contenu de ce message. Bien que les meilleurs efforts soient faits pour maintenir cette transmission exempte de tout virus, l'expéditeur ne donne aucune garantie à cet égard et sa responsabilité ne saurait être recherchée pour tout dommage résultant d'un virus transmis.

This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Atos Origin group liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org