Kareem,

On 7/10/2009 2:46 PM, kareem_s_m wrote:
> Is there a way in tomcat to ignore or trust any SSL certificate when
> connecting to a site through https? I know there is some JAVA code for it.
> But can we do it through tomcat or JVM settings too?

As others have said, this is not an issue with Tomcat; it is an issue with the way you are connecting to the remote server.

To /actually/ answer your question, allow me to post a README (written by me) that we keep lying around our development servers for just this purpose. You'll find the text following my signature. I hope it helps: we use these techniques all the time in order to avoid SSL handshake errors. I realize that some of the items mentioned might not be useful to you, but others may learn something.

Enjoy.

-chris

================================================================
Getting Java to Play Nice with SSL Connections
================================================================

This README serves to instruct the user in the fine art of dealing with Java and SSL certificates. These instructions will help most when you are trying to make an SSL connection to a remote host when that host has an SSL certificate that is either self-signed, used for demo or testing purposes, or is signed by a certificate authority (CA) that you do not trust. If you do not trust the CA, you might want to think again about doing business with the server. In any case, read on for how to install such a certificate.

First of all, if the server to which you are connecting has a valid certificate that has been signed by a well-known CA, then you probably don't have to do anything. Try your connection to see if it works.
If you get an exception like this, then keep reading:

  sun.security.validator.ValidatorException: No trusted certificate found
    at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:304)
    at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:107)
    at sun.security.validator.Validator.validate(Validator.java:202)

This exception is thrown because you do not trust the certificate that has been handed to you by the server. Assuming that you want the connection to work properly, you have several options.

================================================================
Import the certificate into your own keystore, making it trusted.
================================================================

Here is one way to do it:

1. Visit your site in SSL mode with a browser that allows you to save a copy of the certificate to a file (Microsoft Internet Explorer will allow you to do this).

2. Save the certificate to a file. With MSIE, you can go to "File | Properties" and then click the "Certificates" button. From there, choose the "Details" tab and then click the "Copy to File" button. This will launch a short wizard to export the cert. Choose "DER encoded binary X.509" and save the file somewhere.

3. Import that cert into your keystore.

   $ keytool -import -file [the cert file] -keystore [the key store]

Although you should be able to use the keystore of the user that is running the Java process (~/.keystore), I've found that it doesn't always work that way. You might have to modify the keystore for the JRE itself, which is usually located in $JAVA_HOME/jre/lib/security/cacerts. You might want to save a backup copy of the cacerts file before you start messing with it.

Steps 1 and 2 can be replaced with a single openssl invocation if you have access to the server's private key:

   $ openssl x509 -pubkey -in [server cert] -out [public cert] -outform DER

Use the resulting file ([public cert]) in step #3.
Openssl will also dump a public key to standard output, which can be ignored.

================================================================
Disable Certificate Validation, Avoiding the Problem
================================================================

Note that this will disable certificate checking for all SSL connections, and not just those for which validation should be skipped. Actually, you can modify this technique for use on a per-connection basis if you have access to the HttpsURLConnection object used for the connection itself.

This code was written and tested on JDK 1.4.2_09. You need to execute this code before you attempt to make an SSL connection.

  import java.security.KeyManagementException;
  import java.security.NoSuchAlgorithmException;
  import java.security.cert.X509Certificate;
  import javax.net.ssl.HttpsURLConnection;
  import javax.net.ssl.SSLContext;
  import javax.net.ssl.TrustManager;
  import javax.net.ssl.X509TrustManager;

  public static void disableSSLCertificateChecking() {
      // A trust manager that accepts every certificate chain it is shown,
      // so no server certificate is ever rejected.
      TrustManager[] trustAllCerts = new TrustManager[] {
          new X509TrustManager() {
              public X509Certificate[] getAcceptedIssuers() {
                  return null;
              }
              public void checkClientTrusted(X509Certificate[] certs, String authType) {
                  // accept unconditionally
              }
              public void checkServerTrusted(X509Certificate[] certs, String authType) {
                  // accept unconditionally
              }
          }
      };

      try {
          SSLContext sc = SSLContext.getInstance("SSL");
          sc.init(null, trustAllCerts, new java.security.SecureRandom());
          // Install the permissive socket factory as the JVM-wide default
          // for every HttpsURLConnection created from now on.
          HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
      } catch (KeyManagementException kme) {
          kme.printStackTrace();
      } catch (NoSuchAlgorithmException nsae) {
          nsae.printStackTrace();
      }
  }

If you have access to the individual HttpsURLConnection objects that will be used to make SSL connections, you can disable checking on a per-instance basis by using HttpsURLConnection.setSSLSocketFactory(sc.getSocketFactory()) instead of using HttpsURLConnection.setDefaultSSLSocketFactory and changing the socket factory globally.
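There is a middle ground between the two sections above: trust the one certificate you exported in the first section, and nothing else, on a single connection. The following class is an added example and not part of the README or Chris's code. It loads the exported certificate file (DER or PEM; CertificateFactory accepts either) into an in-memory keystore, builds an SSLContext whose trust manager knows only that certificate, and applies it to one HttpsURLConnection with setSSLSocketFactory rather than changing the JVM-wide default. It assumes Java 7 or later (for try-with-resources); the file name server.der and the URL https://localhost:8443/ are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustOneCert {

    // Build an SSLContext that trusts exactly the certificate(s) found in
    // certFile. Any other server certificate, CA-signed or not, is rejected.
    public static SSLContext contextTrusting(String certFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // An empty keystore held in memory: nothing is read from or written
        // to cacerts or ~/.keystore.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);

        try (InputStream in = new FileInputStream(certFile)) {
            int i = 0;
            for (Certificate c : cf.generateCertificates(in)) {
                trustStore.setCertificateEntry("trusted-" + (i++), c);
            }
        }

        // The default (PKIX) trust manager, initialised from our own store,
        // does the normal chain and validity checks against that store only.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Open one HTTPS connection using the restricted context and return the
    // HTTP status code; every other connection in the JVM is untouched.
    public static int fetchStatus(String url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // per-instance, not the default
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder inputs: the exported certificate and the host it belongs to.
        String certFile = args.length > 0 ? args[0] : "server.der";
        String url = args.length > 1 ? args[1] : "https://localhost:8443/";
        System.out.println(url + " -> HTTP " + fetchStatus(url, contextTrusting(certFile)));
    }
}
```

Two things worth knowing when you use this. First, hostname verification is separate from certificate validation and still runs: if the self-signed certificate's subject does not match the host in the URL, the connection fails with a hostname mismatch, and the right fix is to issue the certificate for the correct name, not to install a permissive HostnameVerifier. Second, for the "JVM settings" half of the question, the keystore produced in step 3 of the first section can be handed to the default trust manager with -Djavax.net.ssl.trustStore=[the key store] and -Djavax.net.ssl.trustStorePassword=[its password] on the java command line, which avoids editing the JRE's cacerts file at all.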