1

I am trying to access a site using HTTP from a Java application. Since the application is running in a development environment, the corresponding certificate isn't trusted.

When using the javax.net.ssl package, I tried to define a custom TrustManager implementation that allows everything and pass it as the second parameter of the init method of the SSLContext, but this doesn't work.

Has anybody gotten something like that to work? Thanks very much for your help! Thierry

2
  • Did you use -Djavax.net.debug=all (or auth) to see what was happening? And how did you use your newly created context? And, of course, as certs are supposed to be public, why not just trust the certificate? Commented May 2, 2011 at 8:28
  • Thanks very much for your answer! When using the debugging hints, I can see that: SEND TLSv1 ALERT: fatal, description= certificate_unknow. In fact, I can trust the certificate because it's a development server from a third-party company. Commented May 2, 2011 at 8:46

2 Answers 2

1

It is pretty easy to implement a TrustManager which does not verify anything (works on both client and server side):

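import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;

// Accepts every certificate chain: no trust anchor, validity or signature checks.
public class NoVerifyTM implements X509TrustManager
{
  @Override
  public void checkClientTrusted(X509Certificate[] chain, String authType) {
    /* Accept All */
  }

  @Override
  public void checkServerTrusted(X509Certificate[] chain, String authType) {
    /* Accept All */
  }

  @Override
  public X509Certificate[] getAcceptedIssuers() {
    return new X509Certificate[0];
  }
}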

To use this TrustManager:

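// The context returned by SSLContext.getDefault() is already initialized and
// cannot be re-initialized, so create a fresh context instead.
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, new TrustManager[] { new NoVerifyTM() }, null);
SSLSocketFactory sf = ctx.getSocketFactory();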

Please note that (as said by @hanwg) such a trust manager should only be used for testing/prototyping purposes.


2 Comments

Hello, Thanks very much for your answer. Unfortunately, this doesn't solve my problem... In fact, I think that there is something more to do. Perhaps at the key manager level?
Can you give us some code snippet you wrote, or the exception you get? It will be much easier to help :)
0

If you trust the certificate, you should add it to your application server's truststore. Implementing a trust manager that doesn't perform certificate checking is a security vulnerability.

1 Comment

Hello, Thanks very much for your help. Yes, I agree with you! It's only for a development environment...
