Re: [OT] truststore and keystore SSL

[Christopher Schultz]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Lau,

On 12/20/11 5:24 AM, Lau Eng Huat wrote:
> Its a self signed certificate. I posted here is because there seems
> to be no reply from the httpclient-us...@hc.apache.org. Will there
> be a lot of changes when we changed to commercial certificates ?

If you have a commercially-signed certificate then the JVM will
probably not complain because the certificate authority is already
trusted.

I haven't checked recently with Oracle Java, but StartSSL offers SSL
certificates for free if you can prove that you have control over a
domain name (it's a simple process). I know that Firefox trusts their
CA, so it's possible that Java will do the same.

Maybe you could use a free signed SSL certificate for development and
avoid all this work.

Or, you could do what we do when this kind of thing comes up and
disable the trust manager. That requires that you write some code. You
might be able to adapt this to affect only *one* SSLContext, but we
install it JVM-wide. YMMV.

    public static void disableSSLCertificateChecking()
    {
        TrustManager[] trustAllCerts = new TrustManager[] {
            new X509TrustManager() {
                public X509Certificate[] getAcceptedIssuers() {
                    return null;
                }
                public void checkClientTrusted(X509Certificate[] certs,
                                               String authType) {
                }
                public void checkServerTrusted(X509Certificate[] certs,
                                               String authType) {
                }
            }
        };

        try
        {
            SSLContext sc = SSLContext.getInstance("SSL");

            sc.init(null, trustAllCerts, new
java.security.SecureRandom());


HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
        }
        catch (KeyManagementException kme)
        {
            kme.printStackTrace();
        }
        catch (NoSuchAlgorithmException nsae)
        {
            nsae.printStackTrace();
        }
    }


- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk7wzyoACgkQ9CaO5/Lv0PB6HwCaArGDapXBeihGN8xEAoKOuBcj
Gl0AoKoRl+cD69acg6tqM4heB6Yr5BMu
=QAhi
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org