How do I force Apache Commons HttpClient 3.1 to ignore an invalid HTTPS certificate?

I am trying to get the Apache Commons HttpClient library (version 3.1) to ignore the fact that the server certificate cannot be validated as trusted (as can be seen from the exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target).

I found "Connecting to an HTTPS server with Java and ignoring the validity of the security certificate", and also "Disable certificate verification in Java SSL Connections", but the accepted answer to the first is for HttpClient 4.0 (unfortunately, I can't upgrade, unless someone can tell me how to use two different versions of the same library within the same project), although it has another answer with a now mostly dead link, which supposedly covered a 3.x solution. The code on the second page does not seem to have any effect when I use a slightly adjusted version (basically declaring the classes as ordinary classes rather than anonymous inner ones, and also applying it to TLS in addition to SSL, using SSL for the default HTTPS socket factory as is done in the sample code).

Preferably, I need something that is per-thread / per-instance, so that any HttpClient instance (and/or related classes) created from my servlet code (and not from another servlet running in the same container) will use the weakened certificate validation logic, but at this point I'm starting to feel that anything will do as long as it accepts the self-signed certificate as valid.

Yes, I know there are security implications, but the only reason I need this is testing. The idea is to implement a configuration parameter that controls whether untrusted certificates are accepted or not, and leave it at the default of "do not trust unverifiable server certificates". Thus it can easily be turned on or off during development, but using it in production would require going out of one's way.

+7
1 answer

To accept self-signed certificates, we use the following code for a specific HttpConnection from Commons HttpClient.

    import org.apache.commons.httpclient.HttpConnection;
    import org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory;
    import org.apache.commons.httpclient.protocol.Protocol;
    import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;

    // The relaxed (trust-everything) socket factory applies only to this one connection
    HttpConnection con = new HttpConnection(host, port);
    con.setProtocol(new Protocol("easyhttps", (ProtocolSocketFactory) new EasySSLProtocolSocketFactory(), port));

EasySSLProtocolSocketFactory can be found in the contrib ssl package. This can be used to create only individual connections with the reduced security setting. It seems it can also be used to set the protocol for each client, as shown here:

    import org.apache.commons.httpclient.HttpClient;
    import org.apache.commons.httpclient.methods.GetMethod;
    import org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory;
    import org.apache.commons.httpclient.protocol.Protocol;
    import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;

    // Replaces the "https" scheme in the JVM-wide protocol registry: every HttpClient
    // in this classloader that uses https:// URLs will pick up the relaxed factory
    Protocol easyhttps = new Protocol("https", (ProtocolSocketFactory) new EasySSLProtocolSocketFactory(), 443);
    Protocol.registerProtocol("https", easyhttps);
    HttpClient client = new HttpClient();
    GetMethod httpget = new GetMethod("https://localhost/");
    client.executeMethod(httpget);

But I think this will also affect connections to other servlets.

[Edit] Sorry, I don't know if this will work for you. Just realized that we are using client 3.0.1, not 3.1.

+11
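The question asks for something scoped to one HttpClient instance and switchable by configuration, and the answer's second snippet shows why global Protocol.registerProtocol is a problem. The following is an added example, not code from the question, the answer or the HttpClient project. It uses HttpClient 3.1's SecureProtocolSocketFactory interface and HostConfiguration.setHost(host, port, protocol) so the custom protocol is attached to one client only, and it trusts exactly the one test certificate loaded from a file instead of trusting everything as EasySSLProtocolSocketFactory does. The class name PinnedCertSocketFactory, the app.trustTestCert system property and the certificate path are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.commons.httpclient.ConnectTimeoutException;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

/**
 * Hypothetical socket factory (not part of HttpClient) whose trust store holds
 * exactly one certificate: the test server's self-signed cert. Anything else,
 * including certificates the default JVM trust store would accept, is rejected,
 * so the weakening is limited to the one host we are testing against.
 */
public class PinnedCertSocketFactory implements SecureProtocolSocketFactory {
    private final SSLSocketFactory factory;

    public PinnedCertSocketFactory(String certPath) throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream(certPath);   // PEM or DER encoded cert
        X509Certificate cert;
        try {
            cert = (X509Certificate) cf.generateCertificate(in);
        } finally {
            in.close();
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                              // empty, in-memory trust store
        ks.setCertificateEntry("test-server", cert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);     // default key managers, pinned trust
        this.factory = ctx.getSocketFactory();
    }

    public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
        return factory.createSocket(host, port);
    }

    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort)
            throws IOException, UnknownHostException {
        return factory.createSocket(host, port, localAddress, localPort);
    }

    // HttpClient 3.1 calls this variant so the connection timeout from the params is honoured
    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort,
                               HttpConnectionParams params)
            throws IOException, UnknownHostException, ConnectTimeoutException {
        int timeout = params.getConnectionTimeout();      // 0 means wait indefinitely
        Socket socket = factory.createSocket();
        socket.bind(new InetSocketAddress(localAddress, localPort));
        socket.connect(new InetSocketAddress(host, port), timeout);
        return socket;
    }

    public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
            throws IOException, UnknownHostException {
        return factory.createSocket(socket, host, port, autoClose);
    }

    /** Builds a client; the pinned trust is attached to this client only, and only when enabled. */
    public static HttpClient newClient(String host, int port, boolean trustTestCert, String certPath)
            throws IOException, GeneralSecurityException {
        HttpClient client = new HttpClient();
        if (trustTestCert) {
            Protocol pinned = new Protocol("https",
                    (ProtocolSocketFactory) new PinnedCertSocketFactory(certPath), port);
            // Per-client scope via HostConfiguration; Protocol.registerProtocol is deliberately not used
            client.getHostConfiguration().setHost(host, port, pinned);
        }
        return client;
    }

    public static void main(String[] args) throws Exception {
        // Default is false: production JVMs that never set the property keep normal validation
        boolean trustTestCert = Boolean.getBoolean("app.trustTestCert");
        HttpClient client = newClient("localhost", 8443, trustTestCert, "/path/to/test-server.crt");
        GetMethod get = new GetMethod("/");   // relative URI: host and protocol come from HostConfiguration
        try {
            int status = client.executeMethod(get);
            System.out.println("HTTP " + status);
        } finally {
            get.releaseConnection();
        }
    }
}
```

Run with -Dapp.trustTestCert=true during development; without the property the client uses the JVM's default trust store and the PKIX error from the question reappears, which is the desired production behaviour. Note that a plain JSSE SSLSocket does not check the hostname against the certificate, so pinning the single certificate (rather than accepting any certificate) is what keeps this from becoming a general trust-everything bypass.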
