You are viewing a plain text version of this content. The canonical link for it is here.

Posted to xmlrpc-dev@ws.apache.org by "Jochen Wiedmann (JIRA)" <xm...@ws.apache.org> on 2006/06/24 05:10:30 UTC

[jira] Closed: (XMLRPC-47) Add option to XmlRpcClient to ignore SSL certificate validation

     [ http://issues.apache.org/jira/browse/XMLRPC-47?page=all ]
     
Jochen Wiedmann closed XMLRPC-47:
---------------------------------

    Resolution: Incomplete

No response, closing.


> Add option to XmlRpcClient to ignore SSL certificate validation
> ---------------------------------------------------------------
>
>          Key: XMLRPC-47
>          URL: http://issues.apache.org/jira/browse/XMLRPC-47
>      Project: XML-RPC
>         Type: Bug

>   Components: Source
>     Versions: 1.1
>  Environment: Operating System: All
> Platform: All
>     Reporter: Andriy Rozeluk
>     Assignee: Jochen Wiedmann

>
> When using XML-RPC with SSL, and the server is using a self-signed certificate
> (say on a staging server), the Java net libraries throw an exception.
> As a suggestion, it should be possible to add a method, something like static
> setIgnoreSSLCerts(boolean) to XmlRpcClient and XmlRpcClientLite, which will
> override the TrustManager for the SSL connects. Thus, the user will have the
> benefit of SSL encryption, without the hassle of having to have that certificate
> signed by a CA.
> For example, before connect you can simply:
> javax.net.ssl.SSLSocketFactory.getDefault();
> X509TrustManager tm = new IgnoreSSLCertTrustManager();
> KeyManager[] km = null;
> TrustManager[] tma = {tm};
> SSLContext sc = SSLContext.getInstance("SSL");
> sc.init( km, tma, new java.security.SecureRandom() );
> SSLSocketFactory sf1 = sc.getSocketFactory();
> ... then when you get your URLConnection:
> URLConnection con = target.openConnection();
> if ( con instanceof HttpsURLConnection ){
>   HttpsURLConnection secconn = (HttpsURLConnection)con;
>   secconn.setSSLSocketFactory( sf1 );
> }
> The IgnoreSSLCertTrustManager simply implements X509TrustManager and returns
> true for both 'isClientTrusted' methods and does nothing for
> 'checkServerTrusted', then returns null for 'getAcceptedIssuers'.
> My apologies for not submitting this as a patch, but unfortunately I don't have
> those tools available to me at present.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: xmlrpc-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: xmlrpc-dev-help@ws.apache.org