I have a problem with SSL-Sockets. I try to connect to hosts that use SSL
for encryption only, and therefore do not have a valid certificate chain
to some root CA. Since I potentially have to deal with a lot of these
hosts, having the user import them as CAs is impractical to say the
least. Is there a way to prevent the server verification from happening,
so that SSL just decides that _any_ certificate is good?

Signature
In pioneer days they used oxen for heavy pulling, and when one ox
couldn't budge a log, they didn't try to grow a larger ox. We shouldn't
be trying for bigger computers, but for more systems of computers.
--- Rear Admiral Grace Murray Hopper
> I have a problem with SSL-Sockets. I try to connect to hosts that use SSL
> for encryption only, and therefore do not have a valid certificate chain
> to some root CA. Since I potentially have to deal with a lot of these
> hosts, having the user import them as CAs is impractical to say the
> least. Is there a way to prevent the server verification from happening,
> so that SSL just decides that _any_ certificate is good?
I had the same problem, but the only way I found was importing the needed
certs into the cacerts file. If you find a solution, please let me know.
Stefan Schulz - 19 Jan 2005 23:57 GMT
> I had the same problem, but the only way I found was importing the needed
> certs into the cacerts file. If you find a solution, please let me know.
After buggering the javadocs, I finally stumbled across the SSLContext
class, which seems to be the key to this nasty bit of work. The final
result looks like this (no idea if it is _supposed_ to work like this, but
it does its job):
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// inside class SSLConnection, which holds: private static SSLSocketFactory factory;
try {
    // defer init to be able to create meaningful exceptions
    synchronized (SSLConnection.class) {
        if (factory == null) {
            SSLContext ctx = SSLContext.getInstance("SSL");
            // trust manager that accepts every certificate: no server verification at all
            TrustManager manager = new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) {}
                public void checkServerTrusted(X509Certificate[] chain, String authType) {}
                public X509Certificate[] getAcceptedIssuers() {
                    return new X509Certificate[0];
                }
            };
            ctx.init(null, new TrustManager[] {manager}, null);
            factory = ctx.getSocketFactory();
        }
    }
} catch (NoSuchAlgorithmException e) {
    IOException ioe = new IOException("Could not initialize SSL Algorithm");
    ioe.initCause(e);
    throw ioe;
} catch (KeyManagementException e) {
    IOException ioe = new IOException("SSL key management failure");
    ioe.initCause(e);
    throw ioe;
}
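As an added example (not code from this thread), here is the same SSLContext wiring with a trust manager that accepts only a fixed set of server certificates instead of any certificate: the application ships the self-signed certificates of the hosts it talks to in a PEM bundle (the file path is an assumption), so nothing has to be imported into cacerts, yet a certificate presented by a man-in-the-middle is still rejected, which the trust-all manager above cannot do.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/** Trusts only the server certificates in a PEM bundle shipped with the app (path assumed). */
public final class PinnedTrustManager implements X509TrustManager {
    private final java.util.Set<X509Certificate> pinned = new java.util.HashSet<>();
    public PinnedTrustManager(String pemBundlePath) throws IOException, CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(pemBundlePath)) {
            // generateCertificates() parses every certificate in a concatenated PEM file
            for (Certificate c : cf.generateCertificates(in)) pinned.add((X509Certificate) c);
        }
    }
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
        X509Certificate leaf = chain[0];
        leaf.checkValidity(); // still reject expired or not-yet-valid certificates
        // Certificate.equals()/hashCode() use the DER encoding, so this is an exact match
        if (!pinned.contains(leaf))
            throw new CertificateException("unpinned server cert: " + leaf.getSubjectX500Principal());
    }
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("client certificates are not accepted here");
    }
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return pinned.toArray(new X509Certificate[0]);
    }

    /** Same SSLContext wiring as the post above, but with the pinned manager. */
    public static SSLSocketFactory socketFactory(String pemBundlePath) throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinnedTrustManager(pemBundlePath) }, null);
        return ctx.getSocketFactory();
    }
}
```

When a pinned host rotates its certificate, the new one has to be added to the bundle; a hash of the public key (rather than the whole certificate) would survive renewals that keep the key, and the same contains() check applies.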