Posted to xmlrpc-dev@ws.apache.org by "Jochen Wiedmann (JIRA)" <xm...@ws.apache.org> on 2006/05/12 22:54:09 UTC

[jira] Commented: (XMLRPC-47) Add option to XmlRpcClient to ignore SSL certificate validation

    [ http://issues.apache.org/jira/browse/XMLRPC-47?page=comments#action_12383281 ] 

Jochen Wiedmann commented on XMLRPC-47:
---------------------------------------

I understand the issue's value. However, I haven't got sufficient knowledge to deal with it myself.

If you can come up with a patch against 2.0.1 in the next two weeks, I am ready to pull it in. Otherwise, I'd close the issue after almost two years.


> Add option to XmlRpcClient to ignore SSL certificate validation
> ---------------------------------------------------------------
>
>          Key: XMLRPC-47
>          URL: http://issues.apache.org/jira/browse/XMLRPC-47
>      Project: XML-RPC
>         Type: Bug

>   Components: Source
>     Versions: 1.1
>  Environment: Operating System: All
> Platform: All
>     Reporter: Andriy Rozeluk
>     Assignee: Jochen Wiedmann

>
> When using XML-RPC with SSL, and the server is using a self-signed certificate
> (say on a staging server), the Java net libraries throw an exception.
> As a suggestion, it should be possible to add a method, something like static
> setIgnoreSSLCerts(boolean) to XmlRpcClient and XmlRpcClientLite, which will
> override the TrustManager for the SSL connects. Thus, the user will have the
> benefit of SSL encryption, without the hassle of having to have that certificate
> signed by a CA.
> For example, before connect you can simply:
> javax.net.ssl.SSLSocketFactory.getDefault();
> X509TrustManager tm = new IgnoreSSLCertTrustManager();
> KeyManager[] km = null;
> TrustManager[] tma = {tm};
> SSLContext sc = SSLContext.getInstance("SSL");
> sc.init( km, tma, new java.security.SecureRandom() );
> SSLSocketFactory sf1 = sc.getSocketFactory();
> ... then when you get your URLConnection:
> URLConnection con = target.openConnection();
> if ( con instanceof HttpsURLConnection ){
>   HttpsURLConnection secconn = (HttpsURLConnection)con;
>   secconn.setSSLSocketFactory( sf1 );
> }
> The IgnoreSSLCertTrustManager simply implements X509TrustManager and returns
> true for both 'isClientTrusted' methods and does nothing for
> 'checkServerTrusted', then returns null for 'getAcceptedIssuers'.
> My apologies for not submitting this as a patch, but unfortunately I don't have
> those tools available to me at present.
