tomcat-users mailing list archives

From kareem_s_m <kareemud...@gmail.com>
Subject Re: [OT] Ignore or Trust any certificate
Date Sat, 11 Jul 2009 21:38:18 GMT

Thank you. I was aware of importing the certificate using keytool and the
Java code to trust all certificates. I was just wondering if there was a way
to do the latter at the Tomcat level. Looks like that's not possible. Thank you
all for your replies.

Christopher Schultz-2 wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Kareem,
> 
> On 7/10/2009 2:46 PM, kareem_s_m wrote:
>> Is there a way in tomcat to ignore or trust any SSL certificate when
>> connecting to a site through https? I know there is some JAVA code for
>> it.
>> But can we do it through tomcat or JVM settings too?
> 
> As others have said, this is not an issue with Tomcat; it is an issue
> with the way you are connecting to the remote server.
> 
> To /actually/ answer your question, allow me to post a README (written
> by me) that we keep lying around our development servers for just this
> purpose. You'll find the text following my signature. I hope it helps:
> we use these techniques all the time in order to avoid SSL handshake
> errors.
> 
> I realize that some of the items mentioned might not be useful to you,
> but others may learn something. Enjoy.
> 
> - -chris
> 
> ================================================================
>        Getting Java to Play Nice with SSL Connections
> ================================================================
> 
> This README serves to instruct the user in the fine art of
> dealing with Java and SSL certificates.
> 
> These instructions will help most when you are trying to
> make an SSL connection to a remote host when that host has
> an SSL certificate that is either self-signed, used for
> demo or testing purposes, or is signed by a certificate
> authority (CA) that you do not trust.
> 
> If you do not trust the CA, you might want to think again
> about doing business with the server. In any case, read on
> for how to install such a certificate.
> 
> First of all, if the server to which you are connecting has
> a valid certificate that has been signed by a well-known
> CA, then you probably don't have to do anything. Try your
> connection to see if it works. If you get an exception like
> this, then keep reading:
> 
> sun.security.validator.ValidatorException: No trusted certificate found
>     at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:304)
>     at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:107)
>     at sun.security.validator.Validator.validate(Validator.java:202)
> 
> This exception is thrown because you do not trust the certificate
> that has been handed to you by the server. Assuming that you want
> the connection to work properly, you have several options.
> 
> ================================================================
> Import the certificate into your own keystore, making it trusted.
> ================================================================
> 
> Here is one way to do it:
> 
> 1. Visit your site in SSL mode with a browser that allows you to save
>    a copy of the certificate to a file (Microsoft Internet Explorer
>    will allow you to do this).
> 
> 2. Save the certificate to a file. With MSIE, you can go to
>    "File | Properties" and then click the "Certificates" button.
>    From there, choose the "details" tab and then click the
>    "Copy to File" button. This will launch a short wizard to export
>    the cert. Choose "DER encoded binary X.509" and save the file
>    somewhere.
> 
> 3. Import that cert into your keystore.
> 
>    $ keytool -import -file [the cert file] -keystore [the key store]
> 
>    Although you should be able to use the keystore of the user
>    that is running the Java process (~/.keystore), I've found that
>    it doesn't always work that way. You might have to modify the
>    keystore for the JRE itself, which is usually located in
>    $JAVA_HOME/jre/lib/security/cacerts.
> 
>    You might want to save a backup copy of the cacerts file before
>    you start messing with it.
> 
> Steps 1 and 2 can be replaced with a single openssl invocation if you
> have access to the server's private key:
> 
>    $ openssl x509 -pubkey -in [server cert] -out [public cert] -outform DER
> 
> Use the resulting file ([public cert]) in step #3. Openssl will also
> dump a public key to standard output, which can be ignored.
> 
> ================================================================
> Disable Certification Validation, Avoiding the Problem
> ================================================================
> 
> Note that this will disable certificate checking for all SSL
> connections, and not just those for which validation should be skipped.
> Actually, you can modify this technique for use on a per-connection
> basis if you have access to the HttpURLConnection object used for the
> connection itself.
> 
> This code was written and tested on JDK 1.4.2_09.
> 
> You need to execute this code before you attempt to make an SSL
> connection.
> 
>     import java.security.KeyManagementException;
>     import java.security.NoSuchAlgorithmException;
>     import java.security.cert.X509Certificate;
>     import javax.net.ssl.SSLContext;
>     import javax.net.ssl.TrustManager;
>     import javax.net.ssl.X509TrustManager;
>     import javax.net.ssl.HttpsURLConnection;
> 
>     // Installs a trust manager that accepts every certificate chain,
>     // so no server certificate is validated on any later connection.
>     public static void disableSSLCertificateChecking()
>     {
>         TrustManager[] trustAllCerts = new TrustManager[] {
>             new X509TrustManager() {
>                 public X509Certificate[] getAcceptedIssuers() {
>                     return null;
>                 }
>                 public void checkClientTrusted(X509Certificate[] certs,
>                                                String authType) {
>                 }
>                 public void checkServerTrusted(X509Certificate[] certs,
>                                                String authType) {
>                 }
>             }
>         };
> 
>         try
>         {
>             SSLContext sc = SSLContext.getInstance("SSL");
> 
>             sc.init(null, trustAllCerts, new java.security.SecureRandom());
> 
>             HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
>         }
>         catch (KeyManagementException kme)
>         {
>             kme.printStackTrace();
>         }
>         catch (NoSuchAlgorithmException nsae)
>         {
>             nsae.printStackTrace();
>         }
>     }
> 
> 
> If you have access to the individual HttpURLConnection objects that will
> be used to make SSL connections, you can disable them on a per-instance
> basis by using HttpURLConnection.setSocketFactory(sc.getSocketFactory())
> instead of using HttpURLConnection.setDefaultSSLSocketFactory and
> changing the socket factory globally.
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Ignore--or-Trust-any-certificate-tp24432691p24444084.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
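A narrower alternative to the trust-all manager quoted above, added here as an example and not part of Chris's README or the original thread: it trusts only the single DER certificate exported in steps 1 and 2, leaves the JRE's cacerts file untouched, and applies that trust to one connection through HttpsURLConnection.setSSLSocketFactory rather than the global default. The class name PinnedTrust, the certificate path and the URL are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PinnedTrust {

    // Build an SSLContext whose trust store contains exactly one entry: the
    // DER-encoded certificate exported from the server. Any other certificate,
    // including ones signed by well-known CAs, is rejected by this context.
    public static SSLContext contextTrustingOnly(String derCertPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate serverCert;
        try (InputStream in = new FileInputStream(derCertPath)) {
            serverCert = cf.generateCertificate(in);
        }

        // An empty in-memory keystore; the JRE-wide cacerts file is not modified.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("pinned-server", serverCert);

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: args[0] is the exported DER certificate file,
        // args[1] is the https:// URL of the server that presented it.
        SSLContext ctx = contextTrustingOnly(args[0]);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[1]).openConnection();
        // Per-instance: only this connection uses the pinned trust store; every
        // other HTTPS connection in the JVM keeps the default validation.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Hostname verification is unchanged by this: the pinned certificate's subject or subject alternative name must still match the host in the URL, or HttpsURLConnection's default HostnameVerifier rejects the connection.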

