tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tolerate expired certificates
Date Thu, 28 Apr 2011 14:57:21 GMT

Thomas,

On 4/26/2011 4:40 PM, Thomas Hill wrote:
> thanks for your reply. So does this mean no way on Tomcat 5.5? (as I
> won't switch to a newer version, especially 7.x  any time soon)

There is another way to install your trust manager: we used this
TrustManager with a foolish service that never renewed their
certificates and we kept getting similar errors -- although this was for
server certs and not client certs. I suppose the same technique works
for both, since a TrustManager has methods to cover both cases.

Try something like this:

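        import java.security.cert.X509Certificate;
        import javax.net.ssl.HttpsURLConnection;
        import javax.net.ssl.SSLContext;
        import javax.net.ssl.TrustManager;
        import javax.net.ssl.X509TrustManager;

        // Trust manager that accepts every certificate chain without any
        // validation: expiry, issuer and signature are all ignored.
        TrustManager[] trustAllCerts = new TrustManager[] {
            new X509TrustManager() {
                public X509Certificate[] getAcceptedIssuers() {
                    // The interface requires a non-null (possibly empty) array.
                    return new X509Certificate[0];
                }
                public void checkClientTrusted(X509Certificate[] certs,
                                               String authType) {
                    // No check: any client certificate is accepted.
                }
                public void checkServerTrusted(X509Certificate[] certs,
                                               String authType) {
                    // No check: any server certificate is accepted.
                }
            }
        };

        // getInstance() and init() throw checked GeneralSecurityExceptions.
        SSLContext sc = SSLContext.getInstance("SSL");

        sc.init(null, trustAllCerts, new java.security.SecureRandom());

        // Process-wide: applies to every HttpsURLConnection opened afterwards.
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());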


That last line is specific to ignoring problems with /server/ certs when
contacting them through the HttpsURLConnection class. You'll have to
poke around to find out how to set the SSLContext and/or SocketFactory
for Tomcat's <Connector>s.

Hope that helps,
-chris
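
Added example, not part of the original message and not Tomcat code: a narrower alternative to the trust-all manager above that still runs full PKIX chain validation against your own trust store, but evaluates it at the leaf certificate's notAfter date, so only expiry within a grace period is tolerated. The class name ExpiryTolerantTrustManager, the graceDays parameter and the trustStore contents are assumptions; revocation checking is disabled and the chain is assumed to arrive leaf-first, as JSSE delivers it.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Arrays;
import java.util.Date;
import javax.net.ssl.X509TrustManager;

// Hypothetical class: tolerates an expired leaf certificate for a limited
// grace period, while still requiring a valid chain to a trusted CA.
public class ExpiryTolerantTrustManager implements X509TrustManager {
    private final KeyStore trustStore;   // assumed to hold the CA certs you trust
    private final long graceMillis;

    public ExpiryTolerantTrustManager(KeyStore trustStore, int graceDays) {
        this.trustStore = trustStore;
        this.graceMillis = graceDays * 24L * 60 * 60 * 1000;
    }

    private void validate(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0)
            throw new CertificateException("empty certificate chain");
        Date now = new Date();
        Date notAfter = chain[0].getNotAfter();   // chain[0] is the peer's own cert
        Date checkAt = now;                       // default: validate as of now
        if (now.after(notAfter)) {
            if (now.getTime() - notAfter.getTime() > graceMillis)
                throw new CertificateExpiredException("expired beyond grace period");
            checkAt = notAfter;                   // last instant the leaf was valid
        }
        try {
            PKIXParameters params = new PKIXParameters(trustStore);
            params.setRevocationEnabled(false);   // assumption: no CRL/OCSP available
            params.setDate(checkAt);              // signatures and issuers still checked
            CertPath path = CertificateFactory.getInstance("X.509")
                    .generateCertPath(Arrays.asList(chain));
            CertPathValidator.getInstance("PKIX").validate(path, params);
        } catch (GeneralSecurityException e) {
            throw new CertificateException("chain validation failed", e);
        }
    }

    public void checkClientTrusted(X509Certificate[] c, String t)
            throws CertificateException { validate(c); }
    public void checkServerTrusted(X509Certificate[] c, String t)
            throws CertificateException { validate(c); }
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}
```

An instance can be passed to sc.init() in place of trustAllCerts; a self-signed, wrong-issuer or tampered certificate is still rejected.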
