Trusting all certificates using HttpClient over HTTPS

Question

Recently posted a question regarding the HttpClient over Https  found here    I ve made some headway  but I ve run into new issues  As with my last problem  I can t seem to find an example anywhere that works for me  Basically  I want my client to accept any certificate  because I m only ever pointing to one server  but I keep getting a javax net ssl SSLException  Not trusted server certificate exception   So this is what I have        public void connect   throws A WHOLE BUNCH OF EXCEPTIONS            HttpPost post   new HttpPost new URI PROD URL            post setEntity new StringEntity BODY             KeyStore trusted   KeyStore getInstance  BKS            trusted load null     toCharArray             SSLSocketFactory sslf   new SSLSocketFactory trusted           sslf setHostnameVerifier SSLSocketFactory ALLOW ALL HOSTNAME VERIFIER            SchemeRegistry schemeRegistry   new SchemeRegistry            schemeRegistry register new Scheme   https   sslf  443            SingleClientConnManager cm   new SingleClientConnManager post getParams                    schemeRegistry            HttpClient client   new DefaultHttpClient cm  post getParams             HttpResponse result   client execute post           And here s the error I m getting       W System err   901   javax net ssl SSLException  Not trusted server certificate      W System err   901      at org apache harmony xnet provider jsse OpenSSLSocketImpl startHandshake OpenSSLSocketImpl java 360       W System err   901      at org apache http conn ssl AbstractVerifier verify AbstractVerifier java 92       W System err   901      at org apache http conn ssl SSLSocketFactory connectSocket SSLSocketFactory java 321       W System err   901      at org apache http impl conn DefaultClientConnectionOperator openConnection DefaultClientConnectionOperator java 129       W System err   901      at org apache http impl conn AbstractPoolEntry open AbstractPoolEntry java 164       W System err   901      at org apache http impl conn AbstractPooledConnAdapter open AbstractPooledConnAdapter java 119       W System err   901      at org apache http impl client DefaultRequestDirector execute DefaultRequestDirector java 348       W System err   901      at org apache http impl client AbstractHttpClient execute AbstractHttpClient java 555       W System err   901      at org apache http impl client AbstractHttpClient execute AbstractHttpClient java 487       W System err   901      at org apache http impl client AbstractHttpClient execute AbstractHttpClient java 465       W System err   901      at me harrisonlee test ssl MainActivity connect MainActivity java 129       W System err   901      at me harrisonlee test ssl MainActivity access 0 MainActivity java 77       W System err   901      at me harrisonlee test ssl MainActivity 2 run MainActivity java 49       W System err   901   Caused by  java security cert CertificateException  java security InvalidAlgorithmParameterException  the trust anchors set is empty      W System err   901      at org apache harmony xnet provider jsse TrustManagerImpl checkServerTrusted TrustManagerImpl java 157       W System err   901      at org apache harmony xnet provider jsse OpenSSLSocketImpl startHandshake OpenSSLSocketImpl java 355       W System err   901          12 more      W System err   901   Caused by  java security InvalidAlgorithmParameterException  the trust anchors set is empty      W System err   901      at java security cert PKIXParameters checkTrustAnchors PKIXParameters java 645       W System err   901      at java security cert PKIXParameters  lt init gt  PKIXParameters java 89       W System err   901      at org apache harmony xnet provider jsse TrustManagerImpl  lt init gt  TrustManagerImpl java 89       W System err   901      at org apache harmony xnet provider jsse TrustManagerFactoryImpl engineGetTrustManagers TrustManagerFactoryImpl java 134       W System err   901      at javax net ssl TrustManagerFactory getTrustManagers TrustManagerFactory java 226 W System err   901       at org apache http conn ssl SSLSocketFactory createTrustManagers SSLSocketFactory java 263       W System err   901      at org apache http conn ssl SSLSocketFactory  lt init gt  SSLSocketFactory java 190       W System err   901      at org apache http conn ssl SSLSocketFactory  lt init gt  SSLSocketFactory java 216       W System err   901      at me harrisonlee test ssl MainActivity connect MainActivity java 107       W System err   901          2 more

User · Answer

enter image description here

A sspi failed in xamarin android.

I found this solution; put this code before you hit on an HTTPS link

const SslProtocols _Tls12 = (SslProtocols)0x00000C00;
const SecurityProtocolType Tls12 = (SecurityProtocolType)_Tls12;
ServicePointManager.SecurityProtocol = Tls12;

User · Answer

This is a bad idea   Trusting any certificate is only  very  slightly better than using no SSL at all   When you say  I want my client to accept any certificate  because I m only ever pointing to one server   you are assuming this means that somehow pointing to  one server  is safe  which it s not on a public network     You are completely open to a man-in-the-middle attack by trusting any certificate   Anyone can proxy your connection by establishing a separate SSL connection with you and with the end server   The MITM then has access to your entire request and response   Unless you didn t really need SSL in the first place  your message has nothing sensitive  and doesn t do authentication  you shouldn t trust all certificates blindly     You should consider adding the public cert to a jks using keytool  and using that to build your socket factory  such as this       KeyStore ks   KeyStore getInstance  JKS            get user password and file input stream     char   password     mykspassword    toCharArray        ClassLoader cl   this getClass   getClassLoader        InputStream stream   cl getResourceAsStream  myjks jks        ks load stream  password       stream close         SSLContext sc   SSLContext getInstance  TLS        KeyManagerFactory kmf   KeyManagerFactory getInstance  SunX509        TrustManagerFactory tmf   TrustManagerFactory getInstance  SunX509         kmf init ks  password       tmf init ks        sc init kmf getKeyManagers    tmf getTrustManagers   null        return sc getSocketFactory      This has one caveat to watch out for   The certificate will expire eventually  and the code will stop working at that time   You can easily determine when this will happen by looking at the cert

User · Answer

For those who would like to allow all certificates to work  for testing purposes  over OAuth  follow these steps   1  Download the source code of the Android OAuth API here  https   github com kaeppler signpost  2  Find the file  CommonsHttpOAuthProvider  class  3  Change it as below   public class CommonsHttpOAuthProvider extends AbstractOAuthProvider    private static final long serialVersionUID   1L   private transient HttpClient httpClient   public CommonsHttpOAuthProvider String requestTokenEndpointUrl  String accessTokenEndpointUrl          String authorizationWebsiteUrl        super requestTokenEndpointUrl  accessTokenEndpointUrl  authorizationWebsiteUrl           this httpClient   new DefaultHttpClient     Version implemented and that throws the famous  javax net ssl SSLException  Not trusted server certificate  if the certificate is not signed with a CA     this httpClient   MySSLSocketFactory getNewHttpClient     This will work with all certificates  for testing purposes only      The  MySSLSocketFactory  above is based on the accepted answer  To make it even easier  here goes the complete class   package com netcomps oauth example   import java io IOException  import java net Socket  import java net UnknownHostException  import java security KeyManagementException  import java security KeyStore  import java security KeyStoreException  import java security NoSuchAlgorithmException  import java security UnrecoverableKeyException  import java security cert CertificateException  import java security cert X509Certificate   import javax net ssl SSLContext  import javax net ssl TrustManager  import javax net ssl X509TrustManager   import org apache http HttpVersion  import org apache http client HttpClient  import org apache http conn ClientConnectionManager  import org apache http conn scheme PlainSocketFactory  import org apache http conn scheme Scheme  import org apache http conn scheme SchemeRegistry  import org apache http conn ssl SSLSocketFactory  import org apache http impl client DefaultHttpClient  import org apache http impl conn tsccm ThreadSafeClientConnManager  import org apache http params BasicHttpParams  import org apache http params HttpParams  import org apache http params HttpProtocolParams  import org apache http protocol HTTP     http   stackoverflow com questions 2642777 trusting-all-certificates-using-httpclient-over-https public class MySSLSocketFactory extends SSLSocketFactory        SSLContext sslContext   SSLContext getInstance  TLS     public MySSLSocketFactory KeyStore truststore  throws NoSuchAlgorithmException  KeyManagementException  KeyStoreException  UnrecoverableKeyException        super truststore       TrustManager tm   new X509TrustManager               Override         public void checkClientTrusted X509Certificate   chain  String authType  throws CertificateException                       Override         public void checkServerTrusted X509Certificate   chain  String authType  throws CertificateException                       Override         public X509Certificate   getAcceptedIssuers                 return null                        sslContext init null  new TrustManager     tm    null       Override public Socket createSocket Socket socket  String host  int port  boolean autoClose  throws IOException  UnknownHostException       return sslContext getSocketFactory   createSocket socket  host  port  autoClose       Override public Socket createSocket   throws IOException       return sslContext getSocketFactory   createSocket         public static HttpClient getNewHttpClient          try           KeyStore trustStore   KeyStore getInstance KeyStore getDefaultType             trustStore load null  null            SSLSocketFactory sf   new MySSLSocketFactory trustStore           sf setHostnameVerifier SSLSocketFactory ALLOW ALL HOSTNAME VERIFIER            HttpParams params   new BasicHttpParams            HttpProtocolParams setVersion params  HttpVersion HTTP 1 1           HttpProtocolParams setContentCharset params  HTTP UTF 8            SchemeRegistry registry   new SchemeRegistry            registry register new Scheme  http   PlainSocketFactory getSocketFactory    80            registry register new Scheme  https   sf  443             ClientConnectionManager ccm   new ThreadSafeClientConnManager params  registry            return new DefaultHttpClient ccm  params          catch  Exception e            return new DefaultHttpClient                 Hope this helps someone

User · Answer

You basically have four potential solutions to fix a  Not Trusted  exception on Android using httpclient    Trust all certificates   Don t do this  unless you really know what you re doing  Create a custom SSLSocketFactory that trusts only your certificate   This works as long as you know exactly which servers you re going to connect to  but as soon as you need to connect to a new server with a different SSL certificate  you ll need to update your app  Create a keystore file that contains Android s  master list  of certificates  then add your own   If any of those certs expire down the road  you are responsible for updating them in your app   I can t think of a reason to do this  Create a custom SSLSocketFactory that uses the built-in certificate KeyStore  but falls back on an alternate KeyStore for anything that fails to verify with the default    This answer uses solution  4  which seems to me to be the most robust   The solution is to use an SSLSocketFactory that can accept multiple KeyStores  allowing you to supply your own KeyStore with your own certificates   This allows you to load additional top-level certificates such as Thawte that might be missing on some Android devices   It also allows you to load your own self-signed certificates as well   It will use the built-in default device certificates first  and fall back on your additional certificates only as necessary   First  you ll want to determine which cert you are missing in your KeyStore   Run the following command   openssl s client -connect www yourserver com 443   And you ll see output like the following   Certificate chain  0 s  O www yourserver com OU Go to     https   www thawte com repository index html OU Thawte SSL123     certificate OU Domain Validated CN www yourserver com    i  C US O Thawte  Inc  OU Domain Validated SSL CN Thawte DV SSL CA  1 s  C US O Thawte  Inc  OU Domain Validated SSL CN Thawte DV SSL CA    i  C US O thawte  Inc  OU Certification Services Division OU  c      2006 thawte  Inc  - For authorized use only CN thawte Primary Root CA   As you can see  our root certificate is from Thawte   Go to your provider s website and find the corresponding certificate   For us  it was here  and you can see that the one we needed was the one Copyright 2006   If you re using a self-signed certificate  you didn t need to do the previous step since you already have your signing certificate    Then  create a keystore file containing the missing signing certificate   Crazybob has details how to do this on Android  but the idea is to do the following   If you don t have it already  download the bouncy castle provider library from  http   www bouncycastle org latest releases html  This will go on your classpath below   Run a command to extract the certificate from the server and create a pem file  In this case  mycert pem   echo   openssl s client -connect   MY SERVER  443 2 gt  amp 1      sed -ne   -BEGIN CERTIFICATE-   -END CERTIFICATE- p   gt  mycert pem   Then run the following commands to create the keystore   export CLASSPATH  path to bouncycastle bcprov-jdk15on-155 jar CERTSTORE res raw mystore bks if   -a  CERTSTORE    then     rm  CERTSTORE    exit 1 fi keytool         -import         -v         -trustcacerts         -alias 0         -file  lt  openssl x509 -in mycert pem          -keystore  CERTSTORE         -storetype BKS         -provider org bouncycastle jce provider BouncyCastleProvider         -providerpath  path to bouncycastle bcprov-jdk15on-155 jar         -storepass some-password   You ll notice that the above script places the result in res raw mystore bks   Now you have a file that you ll load into your Android app that provides the missing certificate s      To do this  register your SSLSocketFactory for the SSL scheme   final SchemeRegistry schemeRegistry   new SchemeRegistry    schemeRegistry register new Scheme  http   PlainSocketFactory getSocketFactory    80    schemeRegistry register new Scheme  https   createAdditionalCertsSSLSocketFactory    443        and then however you create your connection manager  I use ThreadSafeClientConnManager final HttpParams params   new BasicHttpParams        final ThreadSafeClientConnManager cm   new ThreadSafeClientConnManager params schemeRegistry     To create your SSLSocketFactory   protected org apache http conn ssl SSLSocketFactory createAdditionalCertsSSLSocketFactory         try           final KeyStore ks   KeyStore getInstance  BKS                the bks file we generated above         final InputStream in   context getResources   openRawResource  R raw mystore             try                  don t forget to put the password used above in strings xml mystore password             ks load in  context getString  R string mystore password   toCharArray               finally               in close                       return new AdditionalKeyStoresSSLSocketFactory ks          catch  Exception e             throw new RuntimeException e             And finally  the AdditionalKeyStoresSSLSocketFactory code  which accepts your new KeyStore and checks if the built-in KeyStore fails to validate an SSL certificate          Allows you to trust certificates from additional KeyStores in addition to    the default KeyStore     public class AdditionalKeyStoresSSLSocketFactory extends SSLSocketFactory       protected SSLContext sslContext   SSLContext getInstance  TLS         public AdditionalKeyStoresSSLSocketFactory KeyStore keyStore  throws NoSuchAlgorithmException  KeyManagementException  KeyStoreException  UnrecoverableKeyException           super null  null  null  null  null  null           sslContext init null  new TrustManager   new AdditionalKeyStoresTrustManager keyStore    null               Override     public Socket createSocket Socket socket  String host  int port  boolean autoClose  throws IOException           return sslContext getSocketFactory   createSocket socket  host  port  autoClose               Override     public Socket createSocket   throws IOException           return sslContext getSocketFactory   createSocket                            Based on http   download oracle com javase 1 5 0 docs guide security jsse JSSERefGuide html X509TrustManager             public static class AdditionalKeyStoresTrustManager implements X509TrustManager            protected ArrayList lt X509TrustManager gt  x509TrustManagers   new ArrayList lt X509TrustManager gt               protected AdditionalKeyStoresTrustManager KeyStore    additionalkeyStores                final ArrayList lt TrustManagerFactory gt  factories   new ArrayList lt TrustManagerFactory gt                  try                      The default Trustmanager with default keystore                 final TrustManagerFactory original   TrustManagerFactory getInstance TrustManagerFactory getDefaultAlgorithm                     original init  KeyStore  null                   factories add original                    for  KeyStore keyStore   additionalkeyStores                         final TrustManagerFactory additionalCerts   TrustManagerFactory getInstance TrustManagerFactory getDefaultAlgorithm                         additionalCerts init keyStore                       factories add additionalCerts                                    catch  Exception e                    throw new RuntimeException e                                                  Iterate over the returned trustmanagers  and hold on                to any that are X509TrustManagers                             for  TrustManagerFactory tmf   factories                  for  TrustManager tm   tmf getTrustManagers                         if  tm instanceof X509TrustManager                          x509TrustManagers add   X509TrustManager tm                  if  x509TrustManagers size    0                   throw new RuntimeException  Couldn t find any X509TrustManagers                                      Delegate to the default trust manager                      public void checkClientTrusted X509Certificate   chain  String authType  throws CertificateException               final X509TrustManager defaultX509TrustManager   x509TrustManagers get 0               defaultX509TrustManager checkClientTrusted chain  authType                                    Loop over the trustmanagers until we find one that accepts our server                     public void checkServerTrusted X509Certificate   chain  String authType  throws CertificateException               for  X509TrustManager tm   x509TrustManagers                     try                       tm checkServerTrusted chain authType                       return                    catch  CertificateException e                            ignore                                             throw new CertificateException                       public X509Certificate   getAcceptedIssuers                 final ArrayList lt X509Certificate gt  list   new ArrayList lt X509Certificate gt                 for  X509TrustManager tm   x509TrustManagers                   list addAll Arrays asList tm getAcceptedIssuers                  return list toArray new X509Certificate list size

User · Answer

Daniel s answer was good except I had to change this code         SchemeRegistry registry   new SchemeRegistry        registry register new Scheme  http   PlainSocketFactory getSocketFactory    80        registry register new Scheme  https   sf  443         ClientConnectionManager ccm   new ThreadSafeClientConnManager params  registry     to this code         ClientConnectionManager ccm   new ThreadSafeClientConnManager params  registry       SchemeRegistry registry   ccm getShemeRegistry       registry register new Scheme  http   PlainSocketFactory getSocketFactory    80        registry register new Scheme  https   sf  443      to get it to work

User · Answer

Add this code before the HttpsURLConnection and it will be done   I got it   private void trustEveryone          try                HttpsURLConnection setDefaultHostnameVerifier new HostnameVerifier                         public boolean verify String hostname  SSLSession session                                 return true                                         SSLContext context   SSLContext getInstance  TLS                 context init null  new X509TrustManager   new X509TrustManager                         public void checkClientTrusted X509Certificate   chain                                       String authType  throws CertificateException                         public void checkServerTrusted X509Certificate   chain                                       String authType  throws CertificateException                         public X509Certificate   getAcceptedIssuers                                  return new X509Certificate 0                             new SecureRandom                  HttpsURLConnection setDefaultSSLSocketFactory                               context getSocketFactory            catch  Exception e       should never happen              e printStackTrace                 I hope this helps you

User · Answer

Note  Do not implement this in production code you are ever going to use on a network you do not entirely trust  Especially anything going over the public internet    Your question is just what I want to know  After I did some searches  the conclusion is as follows   In HttpClient way  you should create a custom class from org apache http conn ssl SSLSocketFactory  not the one org apache http conn ssl SSLSocketFactory  itself  Some clues can be found in this post Custom SSL handling stopped working on Android 2 2 FroYo   An example is like       import java io IOException  import java net Socket  import java net UnknownHostException  import java security KeyManagementException  import java security KeyStore  import java security KeyStoreException  import java security NoSuchAlgorithmException  import java security UnrecoverableKeyException  import java security cert CertificateException  import java security cert X509Certificate   import javax net ssl SSLContext  import javax net ssl TrustManager  import javax net ssl X509TrustManager   import org apache http conn ssl SSLSocketFactory  public class MySSLSocketFactory extends SSLSocketFactory       SSLContext sslContext   SSLContext getInstance  TLS         public MySSLSocketFactory KeyStore truststore  throws NoSuchAlgorithmException  KeyManagementException  KeyStoreException  UnrecoverableKeyException           super truststore            TrustManager tm   new X509TrustManager                 public void checkClientTrusted X509Certificate   chain  String authType  throws CertificateException                              public void checkServerTrusted X509Certificate   chain  String authType  throws CertificateException                              public X509Certificate   getAcceptedIssuers                     return null                                    sslContext init null  new TrustManager     tm    null               Override     public Socket createSocket Socket socket  String host  int port  boolean autoClose  throws IOException  UnknownHostException           return sslContext getSocketFactory   createSocket socket  host  port  autoClose               Override     public Socket createSocket   throws IOException           return sslContext getSocketFactory   createSocket              and use this class while creating instance of HttpClient   public HttpClient getNewHttpClient         try           KeyStore trustStore   KeyStore getInstance KeyStore getDefaultType             trustStore load null  null            MySSLSocketFactory sf   new MySSLSocketFactory trustStore           sf setHostnameVerifier SSLSocketFactory ALLOW ALL HOSTNAME VERIFIER            HttpParams params   new BasicHttpParams            HttpProtocolParams setVersion params  HttpVersion HTTP 1 1           HttpProtocolParams setContentCharset params  HTTP UTF 8            SchemeRegistry registry   new SchemeRegistry            registry register new Scheme  http   PlainSocketFactory getSocketFactory    80            registry register new Scheme  https   sf  443             ClientConnectionManager ccm   new ThreadSafeClientConnManager params  registry            return new DefaultHttpClient ccm  params         catch  Exception e            return new DefaultHttpClient              BTW  the link below is for someone who is looking for HttpURLConnection solution  Https Connection Android  I have tested the above two kinds of solutions on froyo  and they all work like a charm in my cases  Finally  using HttpURLConnection may face the redirect problems  but this is beyond the topic   Note  Before you decide to trust all certificates  you probably should know the site full well and won t be harmful of it to end-user   Indeed  the risk you take should be considered carefully  including the effect of hacker s mock site mentioned in the following comments that I deeply appreciated  In some situation  although it might be hard to take care of all certificates  you d better know the implicit drawbacks to trust all of them

User · Answer

Here is a much simple version using 4 1 2 httpclient code   This can then be modified to any trust algorithm you see fit   public static HttpClient getTestHttpClient         try           SSLSocketFactory sf   new SSLSocketFactory new TrustStrategy                 Override             public boolean isTrusted X509Certificate   chain                      String authType  throws CertificateException                   return true                                    SchemeRegistry registry   new SchemeRegistry            registry register new Scheme  https   443  sf            ClientConnectionManager ccm   new ThreadSafeClientConnManager registry           return new DefaultHttpClient ccm         catch  Exception e            return new DefaultHttpClient

User · Answer

Just adding -Dtrust all cert true to VM arguments should do  This argument tells java to ignore certificate checks

User · Answer

You can disable HttpURLConnection SSL checking for testing purposes this way since API 8       HttpURLConnection conn    HttpURLConnection  url openConnection        if  conn instanceof HttpsURLConnection            HttpsURLConnection httpsConn    HttpsURLConnection  conn          httpsConn setSSLSocketFactory SSLCertificateSocketFactory getInsecure 0  null            httpsConn setHostnameVerifier new AllowAllHostnameVerifier

User · Answer

The code above in https   stackoverflow com a 6378872 1553004 is correct  except it MUST also call the hostname verifier        Override public Socket createSocket Socket socket  String host  int port  boolean autoClose  throws IOException       SSLSocket sslSocket    SSLSocket sslContext getSocketFactory   createSocket socket  host  port  autoClose       getHostnameVerifier   verify host  sslSocket       return sslSocket      I signed up to stackoverflow expressly to add this fix   Heed my warning

User · Answer

Trusting all certificates was no real alternative for me  so I did the following to get HttpsURLConnection to trust a new certificate  see also http   nelenkov blogspot jp 2011 12 using-custom-certificate-trust-store-on html     Get the certificate  I got this done by exporting the certificate in Firefox  click on the little lock icon  get certificate details  click export   then used portecle to export a truststore  BKS   Load the Truststore from  res raw geotrust cert bks with the following code       final KeyStore trustStore   KeyStore getInstance  BKS        final InputStream in   context getResources   openRawResource              R raw geotrust cert       trustStore load in  null        final TrustManagerFactory tmf   TrustManagerFactory              getInstance TrustManagerFactory getDefaultAlgorithm         tmf init trustStore        final SSLContext sslCtx   SSLContext getInstance  TLS        sslCtx init null  tmf getTrustManagers                new java security SecureRandom          HttpsURLConnection setDefaultSSLSocketFactory sslCtx              getSocketFactory

User · Answer

Simply use this -   public DefaultHttpClient wrapClient HttpClient base        try           SSLContext ctx   SSLContext getInstance  TLS            X509TrustManager tm   new X509TrustManager             public void checkClientTrusted X509Certificate   xcs  String string  throws CertificateException              public void checkServerTrusted X509Certificate   xcs  String string  throws CertificateException              public X509Certificate   getAcceptedIssuers                 return null                       ctx init null  new TrustManager   tm   null       SSLSocketFactory ssf   new SSLSocketFactory ctx       ssf setHostnameVerifier SSLSocketFactory ALLOW ALL HOSTNAME VERIFIER       ClientConnectionManager ccm   base getConnectionManager        SchemeRegistry sr   ccm getSchemeRegistry        sr register new Scheme  https   ssf  443        return new DefaultHttpClient ccm  base getParams       catch  Exception ex        return null

User · Answer

work with all https  httpClient   new DefaultHttpClient     SSLContext ctx   SSLContext getInstance  TLS    X509TrustManager tm   new X509TrustManager         public void checkClientTrusted X509Certificate   xcs  String string  throws CertificateException          public void checkServerTrusted X509Certificate   xcs  String string  throws CertificateException          public X509Certificate   getAcceptedIssuers             return null            ctx init null  new TrustManager   tm   null   SSLSocketFactory ssf   new SSLSocketFactory ctx  SSLSocketFactory ALLOW ALL HOSTNAME VERIFIER    httpClient getConnectionManager   getSchemeRegistry   register new Scheme  https   443  ssf

User · Answer

I used this and It works for me on all OS          Disables the SSL certificate checking for new instances of   link HttpsURLConnection  This has been created to    aid testing on a local box  not for use on production        private static void disableSSLCertificateChecking         TrustManager   trustAllCerts   new TrustManager     new X509TrustManager             public X509Certificate   getAcceptedIssuers                 return null                      Override         public void checkClientTrusted X509Certificate   arg0  String arg1  throws CertificateException                  Not implemented                     Override         public void checkServerTrusted X509Certificate   arg0  String arg1  throws CertificateException                  Not implemented                         try           SSLContext sc   SSLContext getInstance  TLS             sc init null  trustAllCerts  new java security SecureRandom              HttpsURLConnection setDefaultSSLSocketFactory sc getSocketFactory           catch  KeyManagementException e            e printStackTrace          catch  NoSuchAlgorithmException e            e printStackTrace

User · Answer

I m adding a response for those that use the httpclient-4 5  and probably works for 4 4 as well   import java security cert CertificateException  import java security cert X509Certificate   import org apache http HttpResponse  import org apache http client HttpClient  import org apache http client HttpResponseException  import org apache http client fluent ContentResponseHandler  import org apache http client methods HttpPost  import org apache http conn ssl NoopHostnameVerifier  import org apache http conn ssl SSLConnectionSocketFactory  import org apache http conn ssl TrustStrategy  import org apache http impl client CloseableHttpClient  import org apache http impl client HttpClients  import org apache http ssl SSLContextBuilder     public class HttpClientUtils   public static HttpClient getHttpClientWithoutSslValidation UsingHttpClient 4 5 2         try           SSLContextBuilder builder   new SSLContextBuilder            builder loadTrustMaterial null  new TrustStrategy                  Override             public boolean isTrusted X509Certificate   chain  String authType  throws CertificateException                   return true                                    SSLConnectionSocketFactory sslsf   new SSLConnectionSocketFactory builder build    new NoopHostnameVerifier             CloseableHttpClient httpclient   HttpClients custom   setSSLSocketFactory sslsf  build             return httpclient        catch  Exception e            throw new RuntimeException e

User · Answer

I m looked response from  emmby   answered Jun 16  11 at 21 29   item  4   Create a custom SSLSocketFactory that uses the built-in certificate KeyStore  but falls back on an alternate KeyStore for anything that fails to verify with the default    This is a simplified implementation  Load the system keystore  amp  merge with application keystore   public HttpClient getNewHttpClient         try           InputStream in   null             Load default system keystore         KeyStore trusted   KeyStore getInstance KeyStore getDefaultType              try               in   new BufferedInputStream new FileInputStream System getProperty  javax net ssl trustStore         Normally    system etc security cacerts bks              trusted load in  null      no password is  changeit            finally               if  in    null                    in close                    in   null                                      Load application keystore  amp  merge with system         try               KeyStore appTrusted   KeyStore getInstance  BKS                 in   context getResources   openRawResource R raw mykeystore               appTrusted load in  null      no password is  changeit              for  Enumeration lt String gt  e   appTrusted aliases    e hasMoreElements                       final String alias   e nextElement                    final KeyStore Entry entry   appTrusted getEntry alias  null                   trusted setEntry System currentTimeMillis           alias  entry  null                           finally               if  in    null                    in close                    in   null                                   HttpParams params   new BasicHttpParams            HttpProtocolParams setVersion params  HttpVersion HTTP 1 1           HttpProtocolParams setContentCharset params  HTTP UTF 8            SSLSocketFactory sf   new SSLSocketFactory trusted           sf setHostnameVerifier SSLSocketFactory BROWSER COMPATIBLE HOSTNAME VERIFIER            SchemeRegistry registry   new SchemeRegistry            registry register new Scheme  http   PlainSocketFactory getSocketFactory    80            registry register new Scheme  https   sf  443             ClientConnectionManager ccm   new ThreadSafeClientConnManager params  registry            return new DefaultHttpClient ccm  params         catch  Exception e            return new DefaultHttpClient              A simple mode to convert from JKS to BKS   keytool -importkeystore -destkeystore cacerts bks -deststoretype BKS -providerclass org bouncycastle jce provider BouncyCastleProvider -providerpath bcprov-jdk16-141 jar -deststorepass changeit -srcstorepass changeit -srckeystore  JAVA HOME jre lib security cacerts -srcstoretype JKS -noprompt    Note  In Android 4 0  ICS  the Trust Store has changed  more info  http   nelenkov blogspot com es 2011 12 ics-trust-store-implementation html

User · Answer

Any body still struggling with StartCom SSL Certificates on Android 2 1 visit https   www startssl com certs  and download the ca pem  now in the answer provided by  emmby replace    export CLASSPATH bcprov-jdk16-145 jar  CERTSTORE res raw mystore bks       if   -a  CERTSTORE    then           rm  CERTSTORE    exit 1       fi  keytool     -import     -v     -trustcacerts     -alias 0     -file  lt  openssl x509 -in mycert pem      -keystore  CERTSTORE     -storetype BKS     -provider org bouncycastle jce provider BouncyCastleProvider     -providerpath  usr share java bcprov jar     -storepass some-password    with     export CLASSPATH bcprov-jdk16-145 jar  CERTSTORE res raw mystore bks       if   -a  CERTSTORE    then           rm  CERTSTORE    exit 1       fi  keytool     -import     -v     -trustcacerts     -alias 0     -file  lt  openssl x509 -in ca pem      -keystore  CERTSTORE     -storetype BKS     -provider org bouncycastle jce provider BouncyCastleProvider     -providerpath  usr share java bcprov jar     -storepass some-password    Should work out of the box  I was struggling it for over a day even after a perfect answer by  emmby   Hope this helps someone

User · Answer

There a many answers above but I wasn t able to get any of them working correctly  with my limited time   so for anyone else in the same situation you can try the code below which worked perfectly for my java testing purposes       public static HttpClient wrapClient HttpClient base        try           SSLContext ctx   SSLContext getInstance  TLS            X509TrustManager tm   new X509TrustManager                 public void checkClientTrusted X509Certificate   xcs  String string  throws CertificateException                  public void checkServerTrusted X509Certificate   xcs  String string  throws CertificateException                  public X509Certificate   getAcceptedIssuers                     return null                                   ctx init null  new TrustManager   tm   null           SSLSocketFactory ssf   new SSLSocketFactory ctx           ssf setHostnameVerifier SSLSocketFactory ALLOW ALL HOSTNAME VERIFIER           ClientConnectionManager ccm   base getConnectionManager            SchemeRegistry sr   ccm getSchemeRegistry            sr register new Scheme  https   ssf  443            return new DefaultHttpClient ccm  base getParams           catch  Exception ex            return null            and call like   DefaultHttpClient baseClient   new DefaultHttpClient    HttpClient httpClient   wrapClient baseClient      Reference  http   tech chitgoks com 2011 04 24 how-to-avoid-javax-net-ssl-sslpeerunverifiedexception-peer-not-authenticated-problem-using-apache-httpclient

User · Answer

use this class  public class WCFs           https   192 168 30 8 myservice svc wsdl private static final String NAMESPACE    http   tempuri org    private static final String URL    192 168 30 8   private static final String SERVICE     myservice svc wsdl   private static String SOAP ACTION    http   tempuri org iWCFserviceMe      public static Thread myMethod Runnable rp        String METHOD NAME    myMethod        SoapObject request   new SoapObject NAMESPACE  METHOD NAME        request addProperty  Message    Https WCF Running           return  call rp METHOD NAME  request      protected static HandlerThread  call final RunProcess rp final String METHOD NAME  SoapObject soapReq        final SoapSerializationEnvelope envelope   new SoapSerializationEnvelope SoapEnvelope VER11       int TimeOut   5 1000       envelope dotNet   true      envelope bodyOut   soapReq      envelope setOutputSoapObject soapReq        final HttpsTransportSE httpTransport net   new HttpsTransportSE URL  443  SERVICE  TimeOut        try               HttpsURLConnection setDefaultHostnameVerifier new HostnameVerifier      use this section if crt file is handmake                        Override             public boolean verify String hostname  SSLSession session                                return true                                     KeyStore k   getFromRaw R raw key   PKCS12    password              HttpsServiceConnectionSE  httpTransport net getServiceConnection    setSSLSocketFactory getSSLSocketFactory k   SSL                 catch Exception e         HandlerThread thread   new HandlerThread  wcfTd   Generator getRandomNumber                   Override         public void run                         Handler h   new Handler Looper getMainLooper                 Object response   null               for int i 0  i lt 4  i                                  response   send envelope  httpTransport net   METHOD NAME  null                    try                  if Thread currentThread   isInterrupted    return  catch Exception e                     if response    null                      break                   ThreadHelper threadSleep 250                              if response    null                                if rp    null                                        rp setArguments response toString                         h post rp                                               else                               if Thread currentThread   isInterrupted                        return                   if rp    null                                        rp setExceptionState true                       h post rp                                                ThreadHelper stopThread this                         thread start         return thread      private static Object send SoapSerializationEnvelope envelope  HttpTransportSE androidHttpTransport  String METHOD NAME  List lt HeaderProperty gt  headerList        try               if headerList    null              androidHttpTransport call SOAP ACTION   METHOD NAME  envelope  headerList           else             androidHttpTransport call SOAP ACTION   METHOD NAME  envelope            Object res   envelope getResponse             if res instanceof SoapPrimitive              return  SoapPrimitive  envelope getResponse            else if res instanceof SoapObject              return   SoapObject  envelope getResponse               catch Exception e              return null     public static KeyStore getFromRaw  RawRes int id  String algorithm  String filePassword        try               InputStream inputStream   ResourceMaster openRaw id           KeyStore keystore   KeyStore getInstance algorithm           keystore load inputStream  filePassword toCharArray             inputStream close             return keystore            catch Exception e              return null     public static SSLSocketFactory getSSLSocketFactory KeyStore trustKey  String SSLAlgorithm        try               TrustManagerFactory tmf   TrustManagerFactory getInstance TrustManagerFactory getDefaultAlgorithm             tmf init trustKey            SSLContext context   SSLContext getInstance SSLAlgorithm     SSL   TLS          context init null  tmf getTrustManagers    null            return context getSocketFactory              catch Exception e         return null

User · Answer

The API of HttpComponents has got changed  It works with the code below   public static HttpClient getTestHttpClient         try           SSLSocketFactory sf   new SSLSocketFactory new TrustStrategy                 Override             public boolean isTrusted X509Certificate   chain                      String authType  throws CertificateException                   return true                           new AllowAllHostnameVerifier              SchemeRegistry registry   new SchemeRegistry            registry register new Scheme  https  8444  sf            ClientConnectionManager ccm   new ThreadSafeClientConnManager registry           return new DefaultHttpClient ccm         catch  Exception e            e printStackTrace            return new DefaultHttpClient

[java] Trusting all certificates using HttpClient over HTTPS

Examples related to java

Examples related to ssl

Examples related to https

Examples related to certificate

Examples related to apache-httpclient-4.x