Ignoring SSL certificate in Apache HttpClient 4 3

Question

How to ignore SSL certificate  trust all  for Apache HttpClient 4 3   All the answers that I have found on SO treat previous versions  and the API changed   Related    How to ignore SSL certificate errors in Apache HttpClient 4 0 How to handle invalid SSL certificates with Apache HttpClient  Need to trust all the certificates during the development using Spring Ignore SSL Certificate Errors with Java   Edit    It is only for test purposes  Kids  don t try it at home  or in production

User · Answer

One small addition to the answer by vasekt:

The provided solution with the SocketFactoryRegistry works when using PoolingHttpClientConnectionManager.

However, connections via plain http don't work any longer then. You have to add a PlainConnectionSocketFactory for the http protocol additionally to make them work again:

Registry<ConnectionSocketFactory> socketFactoryRegistry = 
  RegistryBuilder.<ConnectionSocketFactory> create()
  .register("https", sslsf)
  .register("http", new PlainConnectionSocketFactory()).build();

User · Answer

After trying various options  following configuration worked for both http and https  SSLContextBuilder builder   new SSLContextBuilder    builder loadTrustMaterial null  new TrustSelfSignedStrategy     SSLConnectionSocketFactory sslsf   new SSLConnectionSocketFactory                  builder build    SSLConnectionSocketFactory ALLOW ALL HOSTNAME VERIFIER    Registry lt ConnectionSocketFactory gt  registry   RegistryBuilder                     lt ConnectionSocketFactory gt  create                    register  quot http quot   new PlainConnectionSocketFactory                     register  quot https quot   sslsf                   build     PoolingHttpClientConnectionManager cm   new PoolingHttpClientConnectionManager registry   cm setMaxTotal 2000    CloseableHttpClient httpClient   HttpClients custom                    setSSLSocketFactory sslsf                   setConnectionManager cm                   build     I am using http-client 4 3 3   compile  org apache httpcomponents httpclient 4 3 3

User · Answer

I would have added a comment directly to vasekt s answer but I don t have enough reputation points  not sure the logic there   Anyway    what I wanted to say is that even if you aren t explicitly creating asking for a PoolingConnection  doesn t mean you aren t getting one   I was going crazy trying to figure out why the original solution didn t work for me  but I ignored vasekt s answer as it  didn t apply to my case  - wrong    I was staring at my stack-trace when low and behold I saw a PoolingConnection in the middle of it   Bang - I tired his addition and success     our demo is tomorrow and I was getting desperate   -

User · Answer

If you are using PoolingHttpClientConnectionManager procedure above doesn t work  custom SSLContext is ignored  You have to pass socketFactoryRegistry in contructor when creating PoolingHttpClientConnectionManager   SSLContextBuilder builder   SSLContexts custom    builder loadTrustMaterial null  new TrustStrategy          Override     public boolean isTrusted X509Certificate   chain  String authType              throws CertificateException           return true            SSLContext sslContext   builder build    SSLConnectionSocketFactory sslsf   new SSLConnectionSocketFactory          sslContext  new X509HostnameVerifier                  Override             public void verify String host  SSLSocket ssl                      throws IOException                               Override             public void verify String host  X509Certificate cert                      throws SSLException                               Override             public void verify String host  String   cns                      String   subjectAlts  throws SSLException                               Override             public boolean verify String s  SSLSession sslSession                    return true                             Registry lt ConnectionSocketFactory gt  socketFactoryRegistry   RegistryBuilder           lt ConnectionSocketFactory gt  create   register  https   sslsf           build     PoolingHttpClientConnectionManager cm   new PoolingHttpClientConnectionManager          socketFactoryRegistry   CloseableHttpClient httpclient   HttpClients custom            setConnectionManager cm  build

User · Answer

As an addition to the answer of  mavroprovato  if you want to trust all certificates instead of just self-signed  you d do  in the style of your code   builder loadTrustMaterial null  new TrustStrategy        public boolean isTrusted X509Certificate   chain  String authType          throws CertificateException           return true              or  direct copy-paste from my own code    import javax net ssl SSLContext  import org apache http ssl TrustStrategy  import org apache http ssl SSLContexts                   SSLContext sslContext   SSLContexts                  custom                     FIXME to contain real trust store                  loadTrustMaterial new TrustStrategy                          Override                     public boolean isTrusted X509Certificate   chain                          String authType  throws CertificateException                           return true                                                            build      And if you want to skip hostname verification as well  you need to set       CloseableHttpClient httpclient   HttpClients custom   setSSLSocketFactory              sslsf  setSSLHostnameVerifier  NoopHostnameVerifier INSTANCE  build      as well   ALLOW ALL HOSTNAME VERIFIER is deprecated    Obligatory warning  you shouldn t really do this  accepting all certificates is a bad thing  However there are some rare use cases where you want to do this   As a note to code previously given  you ll want to close response even if httpclient execute   throws an exception  CloseableHttpResponse response   null  try       response   httpclient execute httpGet       System out println response getStatusLine         HttpEntity entity   response getEntity        EntityUtils consume entity     finally       if  response    null            response close              Code above was tested using   lt dependency gt       lt groupId gt org apache httpcomponents lt  groupId gt       lt artifactId gt httpclient lt  artifactId gt       lt version gt 4 5 3 lt  version gt   lt  dependency gt    And for the interested  here s my full test set   import org apache http HttpEntity  import org apache http client methods CloseableHttpResponse  import org apache http client methods HttpGet  import org apache http conn ssl NoopHostnameVerifier  import org apache http conn ssl SSLConnectionSocketFactory  import org apache http conn ssl TrustSelfSignedStrategy  import org apache http impl client CloseableHttpClient  import org apache http impl client HttpClients  import org apache http ssl SSLContextBuilder  import org apache http ssl TrustStrategy  import org apache http util EntityUtils  import org junit Test   import javax net ssl HostnameVerifier  import javax net ssl SSLHandshakeException  import javax net ssl SSLPeerUnverifiedException  import java security cert CertificateException  import java security cert X509Certificate   public class TrustAllCertificatesTest       final String expiredCertSite    https   expired badssl com        final String selfSignedCertSite    https   self-signed badssl com        final String wrongHostCertSite    https   wrong host badssl com         static final TrustStrategy trustSelfSignedStrategy   new TrustSelfSignedStrategy        static final TrustStrategy trustAllStrategy   new TrustStrategy            public boolean isTrusted X509Certificate   chain  String authType                  throws CertificateException               return true                         Test     public void testSelfSignedOnSelfSignedUsingCode   throws Exception           doGet selfSignedCertSite  trustSelfSignedStrategy              Test expected   SSLHandshakeException class      public void testExpiredOnSelfSignedUsingCode   throws Exception           doGet expiredCertSite  trustSelfSignedStrategy              Test expected   SSLPeerUnverifiedException class      public void testWrongHostOnSelfSignedUsingCode   throws Exception           doGet wrongHostCertSite  trustSelfSignedStrategy               Test     public void testSelfSignedOnTrustAllUsingCode   throws Exception           doGet selfSignedCertSite  trustAllStrategy              Test     public void testExpiredOnTrustAllUsingCode   throws Exception           doGet expiredCertSite  trustAllStrategy              Test expected   SSLPeerUnverifiedException class      public void testWrongHostOnTrustAllUsingCode   throws Exception           doGet wrongHostCertSite  trustAllStrategy               Test     public void testSelfSignedOnAllowAllUsingCode   throws Exception           doGet selfSignedCertSite  trustAllStrategy  NoopHostnameVerifier INSTANCE              Test     public void testExpiredOnAllowAllUsingCode   throws Exception           doGet expiredCertSite  trustAllStrategy  NoopHostnameVerifier INSTANCE              Test     public void testWrongHostOnAllowAllUsingCode   throws Exception           doGet expiredCertSite  trustAllStrategy  NoopHostnameVerifier INSTANCE              public void doGet String url  TrustStrategy trustStrategy  HostnameVerifier hostnameVerifier  throws Exception           SSLContextBuilder builder   new SSLContextBuilder            builder loadTrustMaterial trustStrategy           SSLConnectionSocketFactory sslsf   new SSLConnectionSocketFactory                  builder build             CloseableHttpClient httpclient   HttpClients custom   setSSLSocketFactory                  sslsf  setSSLHostnameVerifier hostnameVerifier  build             HttpGet httpGet   new HttpGet url           CloseableHttpResponse response   httpclient execute httpGet           try               System out println response getStatusLine                 HttpEntity entity   response getEntity                EntityUtils consume entity             finally               response close                        public void doGet String url  TrustStrategy trustStrategy  throws Exception            SSLContextBuilder builder   new SSLContextBuilder            builder loadTrustMaterial trustStrategy           SSLConnectionSocketFactory sslsf   new SSLConnectionSocketFactory                  builder build             CloseableHttpClient httpclient   HttpClients custom   setSSLSocketFactory                  sslsf  build             HttpGet httpGet   new HttpGet url           CloseableHttpResponse response   httpclient execute httpGet           try               System out println response getStatusLine                 HttpEntity entity   response getEntity                EntityUtils consume entity             finally               response close                         working test project in github

User · Answer

If you are using HttpClient 4 5 x  your code can be similar to the following   SSLContext sslContext   new SSLContextBuilder   loadTrustMaterial null          TrustSelfSignedStrategy INSTANCE  build    SSLConnectionSocketFactory sslSocketFactory   new SSLConnectionSocketFactory          sslContext  NoopHostnameVerifier INSTANCE    HttpClient httpClient   HttpClients custom                                       setDefaultCookieStore new BasicCookieStore                                        setSSLSocketFactory sslSocketFactory                                      build

User · Answer

Simpler and shorter working code      We are using HTTPClient 4 3 5 and we tried almost all solutions exist on the stackoverflow but nothing    After thinking and figuring out the problem  we come to the following code which works perfectly    just add it before creating HttpClient instance       some method which you use to make post request      SSLContextBuilder builder   new SSLContextBuilder        builder loadTrustMaterial null  new TrustStrategy              Override         public boolean isTrusted X509Certificate   chain  String authType  throws CertificateException               return true                         SSLConnectionSocketFactory sslSF   new SSLConnectionSocketFactory builder build                SSLConnectionSocketFactory ALLOW ALL HOSTNAME VERIFIER        HttpClient httpClient   HttpClients custom   setSSLSocketFactory sslSF  build        HttpPost postRequest   new HttpPost url        continue calling and using HttpPost instance in the normal form

User · Answer

Trust All Certs in Apache HTTP Client  TrustManager   trustAllCerts   new TrustManager                        new X509TrustManager                             public java security cert X509Certificate   getAcceptedIssuers                                 return null                                                    public void checkClientTrusted                              java security cert X509Certificate   certs  String authType                                                      public void checkServerTrusted                              java security cert X509Certificate   certs  String authType                                                                                  try                   SSLContext sc   SSLContext getInstance  SSL                    sc init null  trustAllCerts  new java security SecureRandom                     SSLConnectionSocketFactory sslsf   new SSLConnectionSocketFactory                          sc                   httpclient   HttpClients custom   setSSLSocketFactory                          sslsf  build                    HttpsURLConnection setDefaultSSLSocketFactory sc getSocketFactory

User · Answer

Slight tweak to answer from  divbyzero above to fix sonar security warnings  CloseableHttpClient getInsecureHttpClient   throws GeneralSecurityException               TrustStrategy trustStrategy    chain  authType  - gt  true               HostnameVerifier hostnameVerifier    hostname  session  - gt  hostname equalsIgnoreCase session getPeerHost                  return HttpClients custom                        setSSLSocketFactory new SSLConnectionSocketFactory new SSLContextBuilder   loadTrustMaterial trustStrategy  build    hostnameVerifier                        build

User · Answer

Here s a working distillation of the above techniques  equivalent to  curl --insecure    HttpClient getInsecureHttpClient   throws GeneralSecurityException       TrustStrategy trustStrategy   new TrustStrategy              Override         public boolean isTrusted X509Certificate   chain  String authType                return true                        HostnameVerifier hostnameVerifier   new HostnameVerifier              Override         public boolean verify String hostname  SSLSession session                return true                        return HttpClients custom                setSSLSocketFactory new SSLConnectionSocketFactory                      new SSLContextBuilder   loadTrustMaterial trustStrategy  build                        hostnameVerifier                build

User · Answer

Initially  i was able to disable for localhost using trust strategy  later i added NoopHostnameVerifier  Now it will work for both localhost and any machine name  SSLContext sslContext   SSLContextBuilder create   loadTrustMaterial null  new TrustStrategy                   Override             public boolean isTrusted X509Certificate   chain  String authType  throws CertificateException                   return true                            build            SSLConnectionSocketFactory sslsf   new SSLConnectionSocketFactory                  sslContext  NoopHostnameVerifier INSTANCE           CloseableHttpClient httpclient   HttpClients custom   setSSLSocketFactory sslsf  build

User · Answer

On top of PoolingHttpClientConnectionManager along with Registry lt ConnectionSocketFactory gt  socketFactoryRegistry   RegistryBuilder  lt ConnectionSocketFactory gt  create   register  https   sslFactory  build    If you want an asynchronous httpclient using PoolingNHttpClientConnectionManager the code shoudl be similar to following  SSLContextBuilder builder   SSLContexts custom    builder loadTrustMaterial null  new TrustStrategy          Override     public boolean isTrusted X509Certificate   chain  String authType              throws CertificateException           return true            SSLContext sslContext   builder build    SchemeIOSessionStrategy sslioSessionStrategy   new SSLIOSessionStrategy sslContext                   new HostnameVerifier                 Override             public boolean verify String hostname  SSLSession session                    return true    TODO as of now allow all hostnames                           Registry lt SchemeIOSessionStrategy gt  sslioSessionRegistry   RegistryBuilder  lt SchemeIOSessionStrategy gt create   register  https   sslioSessionStrategy  build    PoolingNHttpClientConnectionManager ncm    new PoolingNHttpClientConnectionManager new DefaultConnectingIOReactor   sslioSessionRegistry   CloseableHttpAsyncClient asyncHttpClient   HttpAsyncClients custom   setConnectionManager ncm  build    asyncHttpClient start

User · Answer

The code below works for trusting self-signed certificates  You have to use the TrustSelfSignedStrategy when creating your client   SSLContextBuilder builder   new SSLContextBuilder    builder loadTrustMaterial null  new TrustSelfSignedStrategy     SSLConnectionSocketFactory sslsf   new SSLConnectionSocketFactory          builder build     CloseableHttpClient httpclient   HttpClients custom   setSSLSocketFactory          sslsf  build     HttpGet httpGet   new HttpGet  https   some-server    CloseableHttpResponse response   httpclient execute httpGet   try       System out println response getStatusLine         HttpEntity entity   response getEntity        EntityUtils consume entity     finally       response close        I did not include the SSLConnectionSocketFactory ALLOW ALL HOSTNAME VERIFIER on purpose  The point was to allow testing with self signed certificates so you don t have to acquire a proper certificate from a certification authority  You can easily create a self-signed certificate with the correct host name  so do that instead of adding the SSLConnectionSocketFactory ALLOW ALL HOSTNAME VERIFIER flag

User · Answer

class ApacheHttpClient                    This is a https get request that bypasses certificate checking and hostname verifier         It uses basis authentication method         It is tested with Apache httpclient-4 4         It dumps the contents of a https page on the console output         It is very similar to http get request  but with the additional customization of          - credential provider  and          - SSLConnectionSocketFactory to bypass certification checking and hostname verifier          param path String         param username String         param password String         throws IOException             public void get String path  String username  String password  throws IOException           final CloseableHttpClient httpClient   HttpClients custom                    setDefaultCredentialsProvider createCredsProvider username  password                    setSSLSocketFactory createGenerousSSLSocketFactory                     build             final CloseableHttpResponse response   httpClient execute new HttpGet path            try               HttpEntity entity   response getEntity                if  entity    null                  return              System out println EntityUtils toString entity              finally               response close                httpClient close                         private CredentialsProvider createCredsProvider String username  String password            CredentialsProvider credsProvider   new BasicCredentialsProvider            credsProvider setCredentials                  AuthScope ANY                  new UsernamePasswordCredentials username  password            return credsProvider                                  return SSLConnectionSocketFactory that bypass certificate check and bypass HostnameVerifier             private SSLConnectionSocketFactory createGenerousSSLSocketFactory             SSLContext sslContext          try               sslContext   SSLContext getInstance  SSL                sslContext init null  new TrustManager   createGenerousTrustManager     new SecureRandom               catch  KeyManagementException   NoSuchAlgorithmException e                e printStackTrace                return null                    return new SSLConnectionSocketFactory sslContext  NoopHostnameVerifier INSTANCE              private X509TrustManager createGenerousTrustManager             return new X509TrustManager                  Override             public void checkClientTrusted X509Certificate   cert  String s  throws CertificateException                               Override             public void checkServerTrusted X509Certificate   cert  String s  throws CertificateException                               Override             public X509Certificate   getAcceptedIssuers                     return null

User · Answer

You can use following code snippet for get the HttpClient instance without ssl certification checking   private HttpClient getSSLHttpClient   throws KeyStoreException  NoSuchAlgorithmException  KeyManagementException            LogLoader serverLog trace  In getSSLHttpClient               SSLContext context   SSLContext getInstance  SSL             TrustManager tm   new X509TrustManager                 public void checkClientTrusted X509Certificate   chain  String authType  throws CertificateException                              public void checkServerTrusted X509Certificate   chain  String authType  throws CertificateException                              public X509Certificate   getAcceptedIssuers                     return null                                    context init null  new TrustManager     tm    null            HttpClientBuilder builder   HttpClientBuilder create            SSLConnectionSocketFactory sslConnectionFactory   new SSLConnectionSocketFactory context           builder setSSLSocketFactory sslConnectionFactory            PlainConnectionSocketFactory plainConnectionSocketFactory   new PlainConnectionSocketFactory            Registry lt ConnectionSocketFactory gt  registry   RegistryBuilder  lt ConnectionSocketFactory gt create                    register  https   sslConnectionFactory  register  http   plainConnectionSocketFactory  build             PoolingHttpClientConnectionManager ccm   new PoolingHttpClientConnectionManager registry           ccm setMaxTotal BaseConstant CONNECTION POOL SIZE           ccm setDefaultMaxPerRoute BaseConstant CONNECTION POOL SIZE           builder setConnectionManager  HttpClientConnectionManager  ccm            builder disableRedirectHandling             LogLoader serverLog trace  Out getSSLHttpClient               return builder build

User · Answer

When using http client 4 5 I had to use the javasx net ssl HostnameVerifier to allow any hostname  for testing purposes   Here is what I ended up doing   CloseableHttpClient httpClient   null      try           SSLContextBuilder sslContextBuilder   new SSLContextBuilder            sslContextBuilder loadTrustMaterial null  new TrustSelfSignedStrategy              HostnameVerifier hostnameVerifierAllowAll   new HostnameVerifier                                  public boolean verify String hostname  SSLSession session                        return true                                            SSLConnectionSocketFactory sslSocketFactory   new SSLConnectionSocketFactory sslContextBuilder build    hostnameVerifierAllowAll            CredentialsProvider credsProvider   new BasicCredentialsProvider            credsProvider setCredentials              new AuthScope  192 168 30 34   8443               new UsernamePasswordCredentials  root    password              httpClient   HttpClients custom                setSSLSocketFactory sslSocketFactory               setDefaultCredentialsProvider credsProvider               build             HttpGet httpGet   new HttpGet  https   192 168 30 34 8443 axis services getStuff firstResult 0 amp maxResults 1000             CloseableHttpResponse response   httpClient execute httpGet            int httpStatus   response getStatusLine   getStatusCode            if  httpStatus  gt   200  amp  amp  httpStatus  lt  300                    else               throw new ClientProtocolException  Unexpected response status      httpStatus                    catch  Exception ex            ex printStackTrace              finally           try               httpClient close              catch  IOException ex                logger error  Error while closing the HTTP client     ex

[java] Ignoring SSL certificate in Apache HttpClient 4.3

Examples related to java

Examples related to ssl

Examples related to apache-httpcomponents