Changes for page Web Services-How to Trust Any SSL Certificate
Last modified by Pascal Robert on 2007/09/03 19:33
From version 3.1
edited by Francis Labrie
on 2007/07/12 21:31
Change comment:
There is no comment for this version
To version 6.2
edited by Pascal Robert
on 2007/09/03 19:33
Change comment:
Changed document parent to [xwiki:documentation.Home.Development Architecture.Web Services.WebHome].
Summary
Page properties (4 modified, 0 added, 0 removed)
Details
- Page properties
- Title
... ... @@ -1,1 +1,1 @@ 1 - Programming__WebObjects-WebServices-How to Trust Any SSL Certificate1 +Web Services-How to Trust Any SSL Certificate - Parent
... ... @@ -1,0 +1,1 @@ 1 +documentation.Home.Development Architecture.Web Services.WebHome - Author
... ... @@ -1,1 +1,1 @@ 1 -XWiki. flabrie1 +XWiki.probert - Content
... ... @@ -1,4 +1,4 @@ 1 -== Francis Labrie 1 +== Francis Labrie == 2 2 3 3 Sometimes, it's would be useful to relax the Java security manager to allow connection to secure HTTP server using self-signed certificate, especially during development phase. To avoid Java exception on HTTPS connection, it's possible to add self signed certificate to the Java trusted X509 certificate repository using Java keystore command line tool: 4 4 ... ... 
@@ -13,14 +13,14 @@ 13 13 14 14 But this can be painful, even more if the application must be tested with various servers using self-signed or bad defined certificate. And if a server is using a certificate with a hostname different from the one you use to test it, it will still fail. 15 15 16 -It's also possible to change the ##TrustManager##and##HostnameVerifier##in Java code, but the API did change from JDK 1.3 and 1.4. Unfortunately, the old deprecated##"com.sun.net.ssl"##package is still available, making setting of a custom##TrustManager##and##HostnameVerifier##a bit difficult.16 +It's also possible to change the {{code language="none"}}TrustManager{{/code}} and {{code language="none"}}HostnameVerifier{{/code}} in Java code, but the API did change from JDK 1.3 and 1.4. Unfortunately, the old deprecated {{code language="none"}}"com.sun.net.ssl"{{/code}} package is still available, making setting of a custom {{code language="none"}}TrustManager{{/code}} and {{code language="none"}}HostnameVerifier{{/code}} a bit difficult. 17 17 18 18 So I've created an utility class that allow relaxing of the SSL trust rules. Simply add it to a package, an application or a framework, and call: 19 19 20 -* ##SSLUtilities.trustAllHostnames()##to turn off the default hostname verification on HTTPS connection;21 -* ##SSLUtilities.trustAllHttpsCertificates()##to turn off the default certificate validation on HTTPS connection.20 +* {{code language="none"}}SSLUtilities.trustAllHostnames(){{/code}} to turn off the default hostname verification on HTTPS connection; 21 +* {{code language="none"}}SSLUtilities.trustAllHttpsCertificates(){{/code}} to turn off the default certificate validation on HTTPS connection. 22 22 23 -{{code title="SSLUtilities.java"}} 23 +{{code 0="java" title="SSLUtilities.java"}} 24 24 25 25 import java.security.GeneralSecurityException; 26 26 import java.security.SecureRandom; ... ... 
@@ -32,13 +32,13 @@ 32 32 import javax.net.ssl.X509TrustManager; 33 33 34 34 /** 35 - * This class provide various static methods that relax X509 certificate and 35 + * This class provide various static methods that relax X509 certificate and 36 36 * hostname verification while using the SSL over the HTTP protocol. 37 37 * 38 38 * @author Francis Labrie 39 39 */ 40 40 public final class SSLUtilities { 41 - 41 + 42 42 /** 43 43 * Hostname verifier for the Sun's deprecated API. 44 44 * ... ... @@ -62,8 +62,8 @@ 62 62 63 63 64 64 /** 65 - * Set the default Hostname Verifier to an instance of a fake class that 66 - * trust all hostnames. This method uses the old deprecated API from the 65 + * Set the default Hostname Verifier to an instance of a fake class that 66 + * trust all hostnames. This method uses the old deprecated API from the 67 67 * <code>com.sun.ssl</code> package. 68 68 * 69 69 * @deprecated see {@link #_trustAllHostnames()}. ... ... @@ -77,10 +77,10 @@ 77 77 com.sun.net.ssl.HttpsURLConnection. 78 78 setDefaultHostnameVerifier(__hostnameVerifier); 79 79 } // __trustAllHttpsCertificates 80 - 80 + 81 81 /** 82 - * Set the default X509 Trust Manager to an instance of a fake class that 83 - * trust all certificates, even the self-signed ones. This method uses the 82 + * Set the default X509 Trust Manager to an instance of a fake class that 83 + * trust all certificates, even the self-signed ones. This method uses the 84 84 * old deprecated API from the <code>com.sun.ssl</code> package. 85 85 * 86 86 * @deprecated see {@link #_trustAllHttpsCertificates()}. ... ... 
@@ -87,10 +87,10 @@ 87 87 */ 88 88 private static void __trustAllHttpsCertificates() { 89 89 com.sun.net.ssl.SSLContext context; 90 - 90 + 91 91 // Create a trust manager that does not validate certificate chains 92 92 if(__trustManagers == null) { 93 - __trustManagers = new com.sun.net.ssl.TrustManager[] 93 + __trustManagers = new com.sun.net.ssl.TrustManager[] 94 94 {new _FakeX509TrustManager()}; 95 95 } // if 96 96 // Install the all-trusting trust manager ... ... @@ -107,11 +107,11 @@ 107 107 /** 108 108 * Return <code>true</code> if the protocol handler property <code>java. 109 109 * protocol.handler.pkgs</code> is set to the Sun's <code>com.sun.net.ssl. 110 - * internal.www.protocol</code> deprecated one, <code>false</code> 110 + * internal.www.protocol</code> deprecated one, <code>false</code> 111 111 * otherwise. 112 112 * 113 - * @return <code>true</code> if the protocol handler 114 - * property is set to the Sun's deprecated one, <code>false</code> 113 + * @return <code>true</code> if the protocol handler 114 + * property is set to the Sun's deprecated one, <code>false</code> 115 115 * otherwise. 116 116 */ 117 117 private static boolean isDeprecatedSSLProtocol() { ... ... @@ -120,7 +120,7 @@ 120 120 } // isDeprecatedSSLProtocol 121 121 122 122 /** 123 - * Set the default Hostname Verifier to an instance of a fake class that 123 + * Set the default Hostname Verifier to an instance of a fake class that 124 124 * trust all hostnames. 125 125 */ 126 126 private static void _trustAllHostnames() { ... ... 
@@ -131,14 +131,14 @@ 131 131 // Install the all-trusting host name verifier: 132 132 HttpsURLConnection.setDefaultHostnameVerifier(_hostnameVerifier); 133 133 } // _trustAllHttpsCertificates 134 - 134 + 135 135 /** 136 - * Set the default X509 Trust Manager to an instance of a fake class that 136 + * Set the default X509 Trust Manager to an instance of a fake class that 137 137 * trust all certificates, even the self-signed ones. 138 138 */ 139 139 private static void _trustAllHttpsCertificates() { 140 140 SSLContext context; 141 - 141 + 142 142 // Create a trust manager that does not validate certificate chains 143 143 if(_trustManagers == null) { 144 144 _trustManagers = new TrustManager[] {new FakeX509TrustManager()}; ... ... @@ -155,7 +155,7 @@ 155 155 } // _trustAllHttpsCertificates 156 156 157 157 /** 158 - * Set the default Hostname Verifier to an instance of a fake class that 158 + * Set the default Hostname Verifier to an instance of a fake class that 159 159 * trust all hostnames. 160 160 */ 161 161 public static void trustAllHostnames() { ... ... @@ -166,9 +166,9 @@ 166 166 _trustAllHostnames(); 167 167 } // else 168 168 } // trustAllHostnames 169 - 169 + 170 170 /** 171 - * Set the default X509 Trust Manager to an instance of a fake class that 171 + * Set the default X509 Trust Manager to an instance of a fake class that 172 172 * trust all certificates, even the self-signed ones. 173 173 */ 174 174 public static void trustAllHttpsCertificates() { ... ... @@ -179,9 +179,9 @@ 179 179 _trustAllHttpsCertificates(); 180 180 } // else 181 181 } // trustAllHttpsCertificates 182 - 182 + 183 183 /** 184 - * This class implements a fake hostname verificator, trusting any host 184 + * This class implements a fake hostname verificator, trusting any host 185 185 * name. This class uses the old deprecated API from the <code>com.sun. 186 186 * ssl</code> package. 187 187 * ... ... 
@@ -189,17 +189,17 @@ 189 189 * 190 190 * @deprecated see {@link SSLUtilities.FakeHostnameVerifier}. 191 191 */ 192 - public static class _FakeHostnameVerifier 192 + public static class _FakeHostnameVerifier 193 193 implements com.sun.net.ssl.HostnameVerifier { 194 - 194 + 195 195 /** 196 - * Always return <code>true</code>, indicating that the host name is an 196 + * Always return <code>true</code>, indicating that the host name is an 197 197 * acceptable match with the server's authentication scheme. 198 198 * 199 199 * @param hostname the host name. 200 - * @param session the SSL session used on the connection to 200 + * @param session the SSL session used on the connection to 201 201 * host. 202 - * @return the <code>true</code> boolean value 202 + * @return the <code>true</code> boolean value 203 203 * indicating the host name is trusted. 204 204 */ 205 205 public boolean verify(String hostname, String session) { ... ... @@ -209,9 +209,9 @@ 209 209 210 210 211 211 /** 212 - * This class allow any X509 certificates to be used to authenticate the 213 - * remote side of a secure socket, including self-signed certificates. This 214 - * class uses the old deprecated API from the <code>com.sun.ssl</code> 212 + * This class allow any X509 certificates to be used to authenticate the 213 + * remote side of a secure socket, including self-signed certificates. This 214 + * class uses the old deprecated API from the <code>com.sun.ssl</code> 215 215 * package. 216 216 * 217 217 * @author Francis Labrie ... ... 
@@ -218,42 +218,42 @@ 218 218 * 219 219 * @deprecated see {@link SSLUtilities.FakeX509TrustManager}. 220 220 */ 221 - public static class _FakeX509TrustManager 221 + public static class _FakeX509TrustManager 222 222 implements com.sun.net.ssl.X509TrustManager { 223 - 223 + 224 224 /** 225 225 * Empty array of certificate authority certificates. 226 226 */ 227 - private static final X509Certificate[] _AcceptedIssuers = 227 + private static final X509Certificate[] _AcceptedIssuers = 228 228 new X509Certificate[] {}; 229 - 230 - 229 + 230 + 231 231 /** 232 - * Always return <code>true</code>, trusting for client SSL 232 + * Always return <code>true</code>, trusting for client SSL 233 233 * <code>chain</code> peer certificate chain. 234 234 * 235 235 * @param chain the peer certificate chain. 236 - * @return the <code>true</code> boolean value 236 + * @return the <code>true</code> boolean value 237 237 * indicating the chain is trusted. 238 238 */ 239 239 public boolean isClientTrusted(X509Certificate[] chain) { 240 240 return(true); 241 241 } // checkClientTrusted 242 - 242 + 243 243 /** 244 - * Always return <code>true</code>, trusting for server SSL 244 + * Always return <code>true</code>, trusting for server SSL 245 245 * <code>chain</code> peer certificate chain. 246 246 * 247 247 * @param chain the peer certificate chain. 248 - * @return the <code>true</code> boolean value 248 + * @return the <code>true</code> boolean value 249 249 * indicating the chain is trusted. 250 250 */ 251 251 public boolean isServerTrusted(X509Certificate[] chain) { 252 252 return(true); 253 253 } // checkServerTrusted 254 - 254 + 255 255 /** 256 - * Return an empty array of certificate authority certificates which 256 + * Return an empty array of certificate authority certificates which 257 257 * are trusted for authenticating peers. 258 258 * 259 259 * @return a empty array of issuer certificates. ... ... 
@@ -265,24 +265,24 @@ 265 265 266 266 267 267 /** 268 - * This class implements a fake hostname verificator, trusting any host 268 + * This class implements a fake hostname verificator, trusting any host 269 269 * name. 270 270 * 271 271 * @author Francis Labrie 272 272 */ 273 273 public static class FakeHostnameVerifier implements HostnameVerifier { 274 - 274 + 275 275 /** 276 - * Always return <code>true</code>, indicating that the host name is 276 + * Always return <code>true</code>, indicating that the host name is 277 277 * an acceptable match with the server's authentication scheme. 278 278 * 279 279 * @param hostname the host name. 280 - * @param session the SSL session used on the connection to 280 + * @param session the SSL session used on the connection to 281 281 * host. 282 - * @return the <code>true</code> boolean value 282 + * @return the <code>true</code> boolean value 283 283 * indicating the host name is trusted. 284 284 */ 285 - public boolean verify(String hostname, 285 + public boolean verify(String hostname, 286 286 javax.net.ssl.SSLSession session) { 287 287 return(true); 288 288 } // verify ... ... @@ -290,7 +290,7 @@ 290 290 291 291 292 292 /** 293 - * This class allow any X509 certificates to be used to authenticate the 293 + * This class allow any X509 certificates to be used to authenticate the 294 294 * remote side of a secure socket, including self-signed certificates. 295 295 * 296 296 * @author Francis Labrie ... ... 
@@ -300,35 +300,35 @@ 300 300 /** 301 301 * Empty array of certificate authority certificates. 302 302 */ 303 - private static final X509Certificate[] _AcceptedIssuers = 303 + private static final X509Certificate[] _AcceptedIssuers = 304 304 new X509Certificate[] {}; 305 305 306 306 307 307 /** 308 - * Always trust for client SSL <code>chain</code> peer certificate 308 + * Always trust for client SSL <code>chain</code> peer certificate 309 309 * chain with any <code>authType</code> authentication types. 310 310 * 311 311 * @param chain the peer certificate chain. 312 - * @param authType the authentication type based on the client 312 + * @param authType the authentication type based on the client 313 313 * certificate. 314 314 */ 315 - public void checkClientTrusted(X509Certificate[] chain, 315 + public void checkClientTrusted(X509Certificate[] chain, 316 316 String authType) { 317 317 } // checkClientTrusted 318 - 318 + 319 319 /** 320 - * Always trust for server SSL <code>chain</code> peer certificate 320 + * Always trust for server SSL <code>chain</code> peer certificate 321 321 * chain with any <code>authType</code> exchange algorithm types. 322 322 * 323 323 * @param chain the peer certificate chain. 324 324 * @param authType the key exchange algorithm used. 325 325 */ 326 - public void checkServerTrusted(X509Certificate[] chain, 326 + public void checkServerTrusted(X509Certificate[] chain, 327 327 String authType) { 328 328 } // checkServerTrusted 329 - 329 + 330 330 /** 331 - * Return an empty array of certificate authority certificates which 331 + * Return an empty array of certificate authority certificates which 332 332 * are trusted for authenticating peers. 333 333 * 334 334 * @return a empty array of issuer certificates.
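Review bot: in the first Content hunk (@@ -1,4 +1,4) the heading fix to `== Francis Labrie ==` is fine, but the unchanged context line 3 still says "it's would be useful to relax the Java security manager"; what the class below actually relaxes is the JSSE trust manager and hostname verifier, not the Java security manager, and "it's would" is a typo. Suggest: "Sometimes it would be useful to relax certificate and hostname verification to allow connections to an HTTPS server using a self-signed certificate, especially during the development phase."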
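Review bot: in the @@ -13,14 +13,14 hunk, `{{code 0="java" title="SSLUtilities.java"}}` on line 23 uses `0` as a macro parameter name, which looks like a syntax-conversion artifact; the inline macros on lines 16-21 of the same hunk use `language="none"`, so this should be `{{code language="java" title="SSLUtilities.java"}}`. While here, context line 18 "an utility class that allow relaxing of the SSL trust rules" reads better as "a utility class that allows relaxing the SSL trust rules".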
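Review bot: the @@ -32,13 +32,13 hunk and every following hunk in SSLUtilities.java only strip trailing whitespace from Javadoc and blank lines, so there is no behavioural change to review in the code itself; since line 35 is being rewritten anyway, fix "This class provide various static methods" to "This class provides various static methods".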
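Review bot: in the @@ -77,10 +77,10 hunk the end-of-method comment `} // __trustAllHttpsCertificates` on line 79 closes a method whose body calls `setDefaultHostnameVerifier(__hostnameVerifier)` and whose Javadoc (lines 65-66 of the preceding hunk) says "Set the default Hostname Verifier"; the comment should read `} // __trustAllHostnames`.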
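Review bot: in the @@ -131,14 +131,14 hunk, line 133 `} // _trustAllHttpsCertificates` closes `_trustAllHostnames()` (declared on line 126 of the preceding hunk), whose body installs the hostname verifier on line 132; rename the comment. More important for readers of this class: `HttpsURLConnection.setDefaultHostnameVerifier(_hostnameVerifier)` replaces the default for every `HttpsURLConnection` created afterwards in the JVM, not only the caller's connection, and the Javadoc on lines 135-137 ("Set the default X509 Trust Manager to an instance of a fake class that trust all certificates") should say that the effect is process-wide until the default is set back.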
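Review bot: in the @@ -179,9 +179,9 hunk (and the @@ -166,9 one before it) the public entry points `trustAllHttpsCertificates()` and `trustAllHostnames()` carry the same one-line Javadoc as the private helpers, and nothing in the class repeats what the page text says, that this is meant for the development phase. Suggest the Javadoc of both public methods state plainly that after the call no HTTPS server certificate or hostname is checked by the process until the defaults are restored, and that the class is not to be shipped in a production build; someone grepping the code base for `trustAll` then finds the warning next to the API rather than only in the wiki prose. Also "hostname verificator" on line 184 should be "hostname verifier" (same wording on line 268 of the @@ -265,24 hunk).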
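Review bot: in the @@ -218,42 +218,42 hunk the end-of-method comments do not match the method names: `isClientTrusted` (lines 239-241) is closed with `// checkClientTrusted` and `isServerTrusted` (lines 251-253) with `// checkServerTrusted`, which are the names of the `javax.net.ssl` variant further down. Also "a empty array" on line 259 should be "an empty array", and "Always return true, trusting for client SSL chain peer certificate chain" would read better as "Always return true, i.e. trust the peer certificate chain presented by the client".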
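Review bot: in the @@ -300,35 +300,35 hunk, `checkClientTrusted` (lines 315-317) and `checkServerTrusted` (lines 326-328) have empty bodies, so the `javax.net.ssl` path never examines the chain at all: no signature check, no validity period, no subject match. The Javadoc "Always trust for server SSL chain peer certificate chain with any authType" should state that explicitly, because the public method documentation on line 172 ("trust all certificates, even the self-signed ones") reads as though the only relaxation is accepting self-signed issuers, while expired or otherwise invalid chains are accepted just the same. "a empty array" on line 334: "an empty array".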