> -----Original Message-----
> From: kareem_s_m
> Sent: Saturday, July 11, 2009 17:38
>
> Thank You. I was aware of importing the certificate using
> keytool and the java code to trust all certificates. I was
> just wondering if there was a way to do the latter at tomcat
> level. Looks like that's not possible. Thank you all for your replies.
So is your question: If a connection is made, and the certificate is not
trusted, can it be added (maybe temporarily) to the trusted list at runtime?
The other option of ignoring the missing trust at runtime was described in
the README, very well I may add.

> > Christopher Schultz-2 wrote:
> >
> > Kareem,
> >
> > On 7/10/2009 2:46 PM, kareem_s_m wrote:
> >> Is there a way in tomcat to ignore or trust any SSL certificate when
> >> connecting to a site through https? I know there is some JAVA code
> >> for it.
> >> But can we do it through tomcat or JVM settings too?
> >
> > As others have said, this is not an issue with Tomcat; it is an issue
> > with the way you are connecting to the remote server.
> >
> > To /actually/ answer your question, allow me to post a README (written
> > by me) that we keep lying around our development servers for just this
> > purpose. You'll find the text following my signature. I hope it helps:
> > we use these techniques all the time in order to avoid SSL handshake
> > errors.
> >
> > I realize that some of the items mentioned might not be useful to you,
> > but others may learn something. Enjoy.
> >
> > -chris
> >
> > ================================================================
> > Getting Java to Play Nice with SSL Connections
> > ================================================================
> >
> > This README serves to instruct the user in the fine art of dealing
> > with Java and SSL certificates.
> >
> > These instructions will help most when you are trying to make an SSL
> > connection to a remote host when that host has an SSL certificate that
> > is either self-signed, used for demo or testing purposes, or is signed
> > by a certificate authority (CA) that you do not trust.
> >
> > If you do not trust the CA, you might want to think again about doing
> > business with the server.
> > In any case, read on for how to install such a certificate.
> >
> > First of all, if the server to which you are connecting has a valid
> > certificate that has been signed by a well-known CA, then you probably
> > don't have to do anything. Try your connection to see if it works. If
> > you get an exception like this, then keep reading:
> >
> >   sun.security.validator.ValidatorException: No trusted certificate found
> >     at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:304)
> >     at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:107)
> >     at sun.security.validator.Validator.validate(Validator.java:202)
> >
> > This exception is thrown because you do not trust the certificate that
> > has been handed to you by the server. Assuming that you want the
> > connection to work properly, you have several options.
> >
> > ================================================================
> > Import the certificate into your own keystore, making it trusted.
> > ================================================================
> >
> > Here is one way to do it:
> >
> > 1. Visit your site in SSL mode with a browser that allows you to save
> >    a copy of the certificate to a file (Microsoft Internet Explorer
> >    will allow you to do this).
> >
> > 2. Save the certificate to a file. With MSIE, you can go to
> >    "File | Properties" and then click the "Certificates" button.
> >    From there, choose the "details" tab and then click the
> >    "Copy to File" button. This will launch a short wizard to export
> >    the cert. Choose "DER encoded binary X.509" and save the file
> >    somewhere.
> >
> > 3. Import that cert into your keystore.
> >
> >      $ keytool -import -file [the cert file] -keystore [the key store]
> >
> >    Although you should be able to use the keystore of the user
> >    that is running the Java process (~/.keystore), I've found that
> >    it doesn't always work that way.
> >    You might have to modify the
> >    keystore for the JRE itself, which is usually located in
> >    $JAVA_HOME/jre/lib/security/cacerts.
> >
> >    You might want to save a backup copy of the cacerts file before
> >    you start messing with it.
> >
> > Steps 1 and 2 can be replaced with a single openssl invocation if you
> > have access to the server's private key:
> >
> >      $ openssl x509 -pubkey -in [server cert] -out [public cert] -outform DER
> >
> > Use the resulting file ([public cert]) in step #3. OpenSSL will also
> > dump a public key to standard output, which can be ignored.
> >
> > ================================================================
> > Disable Certification Validation, Avoiding the Problem
> > ================================================================
> >
> > Note that this will disable certificate checking for all SSL
> > connections, and not just those for which validation should be skipped.
> > Actually, you can modify this technique for use on a per-connection
> > basis if you have access to the HttpURLConnection object used for the
> > connection itself.
> >
> > This code was written and tested on JDK 1.4.2_09.
> >
> > You need to execute this code before you attempt to make an SSL
> > connection.
> >
> >    import java.security.KeyManagementException;
> >    import java.security.NoSuchAlgorithmException;
> >    import java.security.cert.X509Certificate;
> >    import javax.net.ssl.SSLContext;
> >    import javax.net.ssl.TrustManager;
> >    import javax.net.ssl.X509TrustManager;
> >    import javax.net.ssl.HttpsURLConnection;
> >
> >    // Installs a trust manager that accepts every server certificate
> >    // for ALL HttpsURLConnections in this JVM that use the default factory.
> >    public static void disableSSLCertificateChecking()
> >    {
> >        TrustManager[] trustAllCerts = new TrustManager[] {
> >            new X509TrustManager() {
> >                public X509Certificate[] getAcceptedIssuers() {
> >                    // the interface requires a non-null array; an empty one
> >                    // advertises no issuers while still accepting everything
> >                    return new X509Certificate[0];
> >                }
> >                public void checkClientTrusted(X509Certificate[] certs,
> >                                               String authType) {
> >                    // deliberately empty: no client certificate is rejected
> >                }
> >                public void checkServerTrusted(X509Certificate[] certs,
> >                                               String authType) {
> >                    // deliberately empty: no server certificate is rejected
> >                }
> >            }
> >        };
> >
> >        try
> >        {
> >            SSLContext sc = SSLContext.getInstance("SSL");
> >            sc.init(null, trustAllCerts, new java.security.SecureRandom());
> >            HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
> >        }
> >        catch (KeyManagementException kme)
> >        {
> >            kme.printStackTrace();
> >        }
> >        catch (NoSuchAlgorithmException nsae)
> >        {
> >            nsae.printStackTrace();
> >        }
> >    }
> >
> > If you have access to the individual HttpURLConnection objects that
> > will be used to make SSL connections, you can disable them on a
> > per-instance basis by using
> > HttpURLConnection.setSocketFactory(sc.getSocketFactory())
> > instead of using HttpURLConnection.setDefaultSSLSocketFactory and
> > changing the socket factory globally.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
>

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
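Added example, not code from the README above or from Tomcat: it answers the "add it to the trusted list at runtime" question and the README's per-connection remark by loading the certificate file exported in steps 1 and 2 into an in-memory keystore and using it for a single HttpsURLConnection, so neither ~/.keystore nor $JAVA_HOME/jre/lib/security/cacerts is modified and the JVM default socket factory stays intact. The class name PinnedTrust, the URL and the certificate path are assumptions; it needs Java 7 or later for try-with-resources.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext that trusts exactly one extra certificate, read at
 * runtime from a DER or PEM file, instead of trusting everything.
 * (Hypothetical helper written for this thread, not part of any project.)
 */
public class PinnedTrust {

    public static SSLContext contextTrusting(String certPath) throws Exception {
        X509Certificate cert;
        try (InputStream in = new FileInputStream(certPath)) {
            // CertificateFactory reads both DER and PEM ("-----BEGIN CERTIFICATE-----")
            cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                                                       .generateCertificate(in);
        }
        // Empty in-memory keystore holding only this one trust anchor
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("runtime-trusted", cert);

        // Standard PKIX validation still runs: the server's chain must lead to
        // this anchor, and HttpsURLConnection keeps hostname verification on.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static int fetchStatus(String url, String certPath) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        // Per-instance: only this connection uses the narrowed trust store;
        // HttpsURLConnection.getDefaultSSLSocketFactory() is left unchanged.
        conn.setSSLSocketFactory(contextTrusting(certPath).getSocketFactory());
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        // args[0] = https URL, args[1] = exported certificate file (placeholders)
        System.out.println("HTTP status: " + fetchStatus(args[0], args[1]));
    }
}
```

Because the keystore contains only the exported certificate, a connection to any other host, or to the same host after its certificate changes, fails with the same ValidatorException shown in the README rather than silently succeeding.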