How to handle invalid SSL certificates with Apache HttpClient

Question

I know  there are many different questions and so many answers about this problem    But I can t understand     I have  ubuntu-9 10-desktop-amd64   NetBeans6 7 1 installed  as is  from off  rep  I need connecting to some site over the HTTPS  For this I use Apache s HttpClient   From tutorial I read    Once you have JSSE correctly installed  secure HTTP communication over SSL should be as  simple as plain HTTP communication   And some example   HttpClient httpclient   new HttpClient    GetMethod httpget   new GetMethod  https   www verisign com      try      httpclient executeMethod httpget     System out println httpget getStatusLine       finally     httpget releaseConnection        By now  I write this   HttpClient client   new HttpClient     HttpMethod get   new GetMethod  https   mms nw ru      get setDoAuthentication true    try       int status   client executeMethod get       System out println status        BufferedInputStream is   new BufferedInputStream get getResponseBodyAsStream         int r 0 byte   buf   new byte 10       while  r   is read buf    gt  0            System out write buf 0 r            catch Exception ex        ex printStackTrace        As a result I have a set of errors   javax net ssl SSLHandshakeException  sun security validator ValidatorException  PKIX path building failed  sun security provider certpath SunCertPathBuilderException  unable to find valid certification path to requested target         at sun security ssl Alerts getSSLException Alerts java 192          at sun security ssl SSLSocketImpl fatal SSLSocketImpl java 1627          at sun security ssl Handshaker fatalSE Handshaker java 204          at sun security ssl Handshaker fatalSE Handshaker java 198          at sun security ssl ClientHandshaker serverCertificate ClientHandshaker java 994          at sun security ssl ClientHandshaker processMessage ClientHandshaker java 142          at sun security ssl Handshaker processLoop Handshaker java 533          at sun security ssl Handshaker process record Handshaker java 471          at sun security ssl SSLSocketImpl readRecord SSLSocketImpl java 904          at sun security ssl SSLSocketImpl performInitialHandshake SSLSocketImpl java 1132          at sun security ssl SSLSocketImpl writeRecord SSLSocketImpl java 643          at sun security ssl AppOutputStream write AppOutputStream java 78          at java io BufferedOutputStream flushBuffer BufferedOutputStream java 82          at java io BufferedOutputStream flush BufferedOutputStream java 140          at org apache commons httpclient HttpConnection flushRequestOutputStream HttpConnection java 828          at org apache commons httpclient HttpMethodBase writeRequest HttpMethodBase java 2116          at org apache commons httpclient HttpMethodBase execute HttpMethodBase java 1096          at org apache commons httpclient HttpMethodDirector executeWithRetry HttpMethodDirector java 398          at org apache commons httpclient HttpMethodDirector executeMethod HttpMethodDirector java 171          at org apache commons httpclient HttpClient executeMethod HttpClient java 397          at org apache commons httpclient HttpClient executeMethod HttpClient java 323          at simpleapachehttp Main main Main java 41  Caused by  sun security validator ValidatorException  PKIX path building failed  sun security provider certpath SunCertPathBuilderException  unable to find valid certification path to requested target         at sun security validator PKIXValidator doBuild PKIXValidator java 302          at sun security validator PKIXValidator engineValidate PKIXValidator java 205          at sun security validator Validator validate Validator java 235          at sun security ssl X509TrustManagerImpl validate X509TrustManagerImpl java 147          at sun security ssl X509TrustManagerImpl checkServerTrusted X509TrustManagerImpl java 230          at sun security ssl X509TrustManagerImpl checkServerTrusted X509TrustManagerImpl java 270          at sun security ssl ClientHandshaker serverCertificate ClientHandshaker java 973              17 more Caused by  sun security provider certpath SunCertPathBuilderException  unable to find valid certification path to requested target         at sun security provider certpath SunCertPathBuilder engineBuild SunCertPathBuilder java 191          at java security cert CertPathBuilder build CertPathBuilder java 255          at sun security validator PKIXValidator doBuild PKIXValidator java 297              23 more   What have I to do to create simplest SSL connection   Probably without KeyManager and Trust manager etc  while

User · Answer

EasySSLProtocolSocketFactory was giving me problems so I ended up implementing my own ProtocolSocketFactory.

First you need to register it:

Protocol.registerProtocol("https", new Protocol("https", new TrustAllSSLSocketFactory(), 443));

HttpClient client = new HttpClient();
...

Then implement ProtocolSocketFactory:

class TrustAllSSLSocketFactory implements ProtocolSocketFactory {

    public static final TrustManager[] TRUST_ALL_CERTS = new TrustManager[]{
        new X509TrustManager() {
            public void checkClientTrusted(final X509Certificate[] certs, final String authType) {

            }

            public void checkServerTrusted(final X509Certificate[] certs, final String authType) {

            }

            public X509Certificate[] getAcceptedIssuers() {
                return null;
            }
        }
    };

    private TrustManager[] getTrustManager() {
        return TRUST_ALL_CERTS;
    }

    public Socket createSocket(final String host, final int port, final InetAddress clientHost,
                               final int clientPort) throws IOException {
        return getSocketFactory().createSocket(host, port, clientHost, clientPort);
    }

    @Override
    public Socket createSocket(final String host, final int port, final InetAddress localAddress,
                               final int localPort, final HttpConnectionParams params) throws IOException {
        return createSocket(host, port);
    }

    public Socket createSocket(final String host, final int port) throws IOException {
        return getSocketFactory().createSocket(host, port);
    }

    private SocketFactory getSocketFactory() throws UnknownHostException {
        TrustManager[] trustAllCerts = getTrustManager();

        try {
            SSLContext context = SSLContext.getInstance("SSL");
            context.init(null, trustAllCerts, new SecureRandom());

            final SSLSocketFactory socketFactory = context.getSocketFactory();
            HttpsURLConnection.setDefaultSSLSocketFactory(socketFactory);
            return socketFactory;
        } catch (NoSuchAlgorithmException | KeyManagementException exception) {
            throw new UnknownHostException(exception.getMessage());
        }
    }
}

Note: This is with HttpClient 3.1 and Java 8

User · Answer

https   mms nw ru uses a self-signed certificate that s not in the default trust manager set  To resolve the issue  do one of the following   Configure SSLContext with a TrustManager that accepts any certificate  see below   Configure SSLContext with an appropriate trust store that includes your certificate  Add the certificate for that site to the default Java trust store   Here s a program that creates a  mostly worthless  SSL Context that accepts any certificate  import java net URL  import java security SecureRandom  import java security cert CertificateException  import java security cert X509Certificate  import javax net ssl HostnameVerifier  import javax net ssl HttpsURLConnection  import javax net ssl KeyManager  import javax net ssl SSLContext  import javax net ssl SSLSession  import javax net ssl TrustManager  import javax net ssl X509TrustManager   public class SSLTest            public static void main String    args  throws Exception              configure the SSLContext with a TrustManager         SSLContext ctx   SSLContext getInstance  quot TLS quot            ctx init new KeyManager 0   new TrustManager    new DefaultTrustManager     new SecureRandom             SSLContext setDefault ctx            URL url   new URL  quot https   mms nw ru quot            HttpsURLConnection conn    HttpsURLConnection  url openConnection            conn setHostnameVerifier new HostnameVerifier                  Override             public boolean verify String arg0  SSLSession arg1                    return true                                    System out println conn getResponseCode             conn disconnect                   private static class DefaultTrustManager implements X509TrustManager             Override         public void checkClientTrusted X509Certificate   arg0  String arg1  throws CertificateException              Override         public void checkServerTrusted X509Certificate   arg0  String arg1  throws CertificateException              Override         public X509Certificate   getAcceptedIssuers                 return null

User · Answer

For HttpClient  we can do this    SSLContext ctx   SSLContext getInstance  TLS            ctx init new KeyManager 0   new TrustManager    new DefaultTrustManager     new SecureRandom             SSLContext setDefault ctx            String uri   new StringBuilder  url   toString             HostnameVerifier hostnameVerifier   new HostnameVerifier                  Override             public boolean verify String arg0  SSLSession arg1                    return true                                    HttpClient client   HttpClientBuilder create   setSSLContext ctx                   setSSLHostnameVerifier hostnameVerifier  build

User · Answer

I happened to face the same issue  all of a sudden all my imports were missing  I tried deleting all the contents in my  m2 folder  And trying to re-import everything   but still nothing worked  Finally what I did was opened the website for which the IDE was complaining that it couldn t download in my browser  And saw the certificate it was using  and saw in my     keytool -v -list  PATH TO JAVA KEYSTORE   Path to my keystore was  Library Java JavaVirtualMachines jdk1 8 0 171 jdk Contents Home jre lib security cacerts  that particular certificate was not there   So all you have to do is put the certificate into the JAVA JVM keystore again  It can be done using the below command     keytool -import -alias ANY NAME YOU WANT TO GIVE -file PATH TO YOUR CERTIFICATE -keystore PATH OF JAVA KEYSTORE   If it asks for password  try the default password  changeit  If you get permission error when running the above command  In windows open it in administration mode  In mac and unix use sudo   After you have successfully added the key  You can view it using      keytool -v -list   Library Java JavaVirtualMachines jdk1 8 0 171 jdk Contents Home jre lib security cacerts    You can view just the SHA-1 using teh command    keytool -list   Library Java JavaVirtualMachines jdk1 8 0 171 jdk Contents Home jre lib security cacerts

User · Answer

follow the instruction given below for Java 1 7  to create an SSL certificate using InstallCert java program file   https   github com escline InstallCert  you must restart the tomcat

User · Answer

Using the InstallCert to generate the jssecacerts file and do  -Djavax net ssl trustStore  path to jssecacerts worked great

User · Answer

Once you have a Java Cert Store  by using the great InstallCert class created above   you can get java to use it by passing the  javax net ssl trustStore  param at java startup     Ex   java -Djavax net ssl trustStore  path to jssecacerts MyClassName

User · Answer

I m useing httpclient 3 1 X  and this works for me           try           SSLContext sslContext   SSLContext getInstance  TLS            TrustManager trustManager   new X509TrustManager                  Override             public void checkClientTrusted X509Certificate   x509Certificates  String s  throws CertificateException                               Override             public void checkServerTrusted X509Certificate   x509Certificates  String s  throws CertificateException                                Override             public X509Certificate   getAcceptedIssuers                     return null                                   sslContext init null  new TrustManager   trustManager   null           SslContextSecureProtocolSocketFactory socketFactory   new SslContextSecureProtocolSocketFactory sslContext false           Protocol registerProtocol  https   new Protocol  https    ProtocolSocketFactory  socketFactory  443           HttpUtils       catch  Throwable e            e printStackTrace                 public class SslContextSecureProtocolSocketFactory implements      SecureProtocolSocketFactory    private SSLContext sslContext  private boolean verifyHostname   public SslContextSecureProtocolSocketFactory SSLContext sslContext  boolean verifyHostname        this verifyHostname   true      this sslContext   sslContext      this verifyHostname   verifyHostname     public SslContextSecureProtocolSocketFactory SSLContext sslContext        this sslContext  true      public SslContextSecureProtocolSocketFactory boolean verifyHostname        this  SSLContext null  verifyHostname      public SslContextSecureProtocolSocketFactory         this  SSLContext null  true      public synchronized void setHostnameVerification boolean verifyHostname        this verifyHostname   verifyHostname     public synchronized boolean getHostnameVerification         return this verifyHostname     public Socket createSocket String host  int port  InetAddress clientHost  int clientPort  throws IOException  UnknownHostException       SSLSocketFactory sf   this getSslSocketFactory        SSLSocket sslSocket    SSLSocket sf createSocket host  port  clientHost  clientPort       this verifyHostname sslSocket       return sslSocket     public Socket createSocket String host  int port  InetAddress localAddress  int localPort  HttpConnectionParams params  throws IOException  UnknownHostException  ConnectTimeoutException       if params    null            throw new IllegalArgumentException  Parameters may not be null          else           int timeout   params getConnectionTimeout            Socket socket   null          SSLSocketFactory socketfactory   this getSslSocketFactory            if timeout    0                socket   socketfactory createSocket host  port  localAddress  localPort             else               socket   socketfactory createSocket                InetSocketAddress localaddr   new InetSocketAddress localAddress  localPort               InetSocketAddress remoteaddr   new InetSocketAddress host  port               socket bind localaddr               socket connect remoteaddr  timeout                      this verifyHostname  SSLSocket socket           return socket           public Socket createSocket String host  int port  throws IOException  UnknownHostException       SSLSocketFactory sf   this getSslSocketFactory        SSLSocket sslSocket    SSLSocket sf createSocket host  port       this verifyHostname sslSocket       return sslSocket     public Socket createSocket Socket socket  String host  int port  boolean autoClose  throws IOException  UnknownHostException       SSLSocketFactory sf   this getSslSocketFactory        SSLSocket sslSocket    SSLSocket sf createSocket socket  host  port  autoClose       this verifyHostname sslSocket       return sslSocket     private void verifyHostname SSLSocket socket  throws SSLPeerUnverifiedException  UnknownHostException       synchronized this            if  this verifyHostname                return                       SSLSession session   socket getSession        String hostname   session getPeerHost         try           InetAddress getByName hostname         catch  UnknownHostException var10            throw new UnknownHostException  Could not resolve SSL sessions server hostname      hostname              X509Certificate   certs    X509Certificate     X509Certificate   session getPeerCertificates         if certs    null  amp  amp  certs length    0            X500Principal subjectDN   certs 0  getSubjectX500Principal            List cns   this getCNs subjectDN           boolean foundHostName   false          Iterator i    cns iterator            AntPathMatcher matcher    new AntPathMatcher            while i  hasNext                  String cn    String i  next                if matcher match cn toLowerCase   hostname toLowerCase                       foundHostName   true                  break                                   if  foundHostName                throw new SSLPeerUnverifiedException  HTTPS hostname invalid  expected       hostname        received       cns                          else           throw new SSLPeerUnverifiedException  No server certificates found              private List lt String gt  getCNs X500Principal subjectDN        ArrayList cns   new ArrayList        StringTokenizer st   new StringTokenizer subjectDN getName               while st hasMoreTokens              String cnField   st nextToken            if cnField startsWith  CN                   cns add cnField substring 3                         return cns     protected SSLSocketFactory getSslSocketFactory         SSLSocketFactory sslSocketFactory   null      synchronized this            if this sslContext    null                sslSocketFactory   this sslContext getSocketFactory                         if sslSocketFactory    null            sslSocketFactory    SSLSocketFactory SSLSocketFactory getDefault               return sslSocketFactory     public synchronized void setSSLContext SSLContext sslContext        this sslContext   sslContext

User · Answer

https   mms nw ru likely uses a certificate not issued by a certification authority  Consequently  you need to add the certificate to your trusted Java key store as explained in unable to find valid certification path to requested target      When working on a client that works   with an SSL enabled server running in   https protocol  you could get error    unable to find valid certification   path to requested target  if the   server certificate is not issued by   certification authority  but a self   signed or issued by a private CMS       Don t panic  All you need to do is to   add the server certificate to your   trusted Java key store if your client   is written in Java  You might be   wondering how as if you can not access   the machine where the server is   installed  There is a simple program   can help you  Please download the Java   program and run    java InstallCert  web site hostname        This program opened a connection to   the specified host and started an SSL   handshake  It printed the exception   stack trace of the error that occured   and shows you the certificates used by   the server  Now it prompts you add the   certificate to your trusted KeyStore       If you ve changed your mind  enter    q   If you really want to add the   certificate  enter  1   or other   numbers to add other certificates    even a CA certificate  but you usually   don t want to do that  Once you have   made your choice  the program will   display the complete certificate and   then added it to a Java KeyStore named    jssecacerts  in the current   directory       To use it in your program  either   configure JSSE to use it as its trust   store or copy it into your    JAVA HOME jre lib security directory    If you want all Java applications to   recognize the certificate as trusted   and not just JSSE  you could also   overwrite the cacerts file in that   directory       After all that  JSSE will be able to   complete a handshake with the host    which you can verify by running the   program again       To get more details  you can check out   Leeland s blog No more  unable to find   valid certification path to requested   target

User · Answer

Another issue you may run into with self signed test certs is this   java io IOException  HTTPS hostname wrong  should be      This error occurs when you are trying to access a HTTPS url  You might have already installed the server certificate to your JRE s keystore  But this error means that the name of the server certificate does not match with the actual domain name of the server that is mentioned in the URL  This normally happens when you are using a non CA issued certificate   This example shows how to write a HttpsURLConnection DefaultHostnameVerifier that ignore the certificates server name   http   www java-samples com showtutorial php tutorialid 211

User · Answer

For a way to easily add hosts you trust at runtime without throwing out all checks  try the code here  http   code google com p self-signed-cert-trust-manager

User · Answer

This link explains the requirement you have step by step  If You are not really concerned which certificate you can proceed with the process in below link    Note You might want to double check what you are doing since  this is a unsafe operation

User · Answer

want to paste the answer here   in Apache HttpClient 4 5 5  How to handle invalid SSL certificate with Apache client 4 5 5   HttpClient httpClient   HttpClients              custom                setSSLContext new SSLContextBuilder   loadTrustMaterial null  TrustAllStrategy INSTANCE  build                 setSSLHostnameVerifier NoopHostnameVerifier INSTANCE               build

User · Answer

From http   hc apache org httpclient-3 x sslguide html   Protocol registerProtocol  https    new Protocol  https   new MySSLSocketFactory    443    HttpClient httpclient   new HttpClient    GetMethod httpget   new GetMethod  https   www whatever com     try     httpclient executeMethod httpget         System out println httpget getStatusLine       finally         httpget releaseConnection        Where MySSLSocketFactory example can be found here  It references a TrustManager  which you can modify to trust everything  although you must consider this

User · Answer

For Apache HttpClient 4 5   amp  Java8   SSLContext sslContext   SSLContexts custom            loadTrustMaterial  chain  authType  - gt  true  build     SSLConnectionSocketFactory sslConnectionSocketFactory           new SSLConnectionSocketFactory sslContext  new String             SSLv2Hello    SSLv3    TLSv1   TLSv1 1    TLSv1 2     null          NoopHostnameVerifier INSTANCE   CloseableHttpClient client   HttpClients custom            setSSLSocketFactory sslConnectionSocketFactory           build      But if your HttpClient use a ConnectionManager for seeking connection  e g  like this    PoolingHttpClientConnectionManager connectionManager   new           PoolingHttpClientConnectionManager      CloseableHttpClient client   HttpClients custom                setConnectionManager connectionManager               build      The HttpClients custom   setSSLSocketFactory sslConnectionSocketFactory  has no effect  the problem is not resolved   Because that the HttpClient use the specified connectionManager for seeking connection and the specified connectionManager haven t register our customized SSLConnectionSocketFactory  To resolve this  should register the The customized SSLConnectionSocketFactory in the connectionManager  The correct code should like this   PoolingHttpClientConnectionManager connectionManager   new      PoolingHttpClientConnectionManager RegistryBuilder                   lt ConnectionSocketFactory gt create          register  http  PlainConnectionSocketFactory getSocketFactory           register  https   sslConnectionSocketFactory  build      CloseableHttpClient client   HttpClients custom                setConnectionManager connectionManager               build

User · Answer

The Apache HttpClient 4 5 way   org apache http ssl SSLContextBuilder sslContextBuilder   SSLContextBuilder create    sslContextBuilder loadTrustMaterial new org apache http conn ssl TrustSelfSignedStrategy     SSLContext sslContext   sslContextBuilder build    org apache http conn ssl SSLConnectionSocketFactory sslSocketFactory           new SSLConnectionSocketFactory sslContext  new org apache http conn ssl DefaultHostnameVerifier      HttpClientBuilder httpClientBuilder   HttpClients custom   setSSLSocketFactory sslSocketFactory   httpClient   httpClientBuilder build      NOTE  org apache http conn ssl SSLContextBuilder is deprecated and org apache http ssl SSLContextBuilder is the new one  notice conn missing from the latter s package name

User · Answer

Used the following along with DefaultTrustManager and it worked in httpclient like charm  Thanks a ton    Kevin and every other contributor      SSLContext ctx   null      SSLConnectionSocketFactory sslsf   null      try            ctx   SSLContext getInstance  TLS            ctx init new KeyManager 0   new TrustManager    new DefaultTrustManager     new SecureRandom             SSLContext setDefault ctx            sslsf   new SSLConnectionSocketFactory                  ctx                  new String      TLSv1                     null                  SSLConnectionSocketFactory getDefaultHostnameVerifier            catch  Exception e            e printStackTrace                CloseableHttpClient client   HttpClients custom                setSSLSocketFactory sslsf               build

User · Answer

In addition to Pascal Thivent s correct answer  another way is to save the certificate from Firefox  View Certificate -  Details -  export  or openssl s client and import it into the trust store   You should only do this if you have a way to verify that certificate  Failing that  do it the first time you connect  it will at least give you an error if the certificate changes unexpectedly on subsequent connections   To import it in a trust store  use   keytool -importcert -keystore truststore jks -file servercert pem   By default  the default trust store should be  JAVA HOME jre lib security cacerts and its password should be changeit  see JSSE Reference guide for details   If you don t want to allow that certificate globally  but only for these connections  it s possible to create an SSLContext for it   TrustManagerFactory tmf   TrustManagerFactory      getInstance TrustManagerFactory getDefaultAlgorithm     KeyStore ks   KeyStore getInstance  JKS    FileInputStream fis   new FileInputStream       truststore jks    ks load fis  null      or ks load fis   thepassword  toCharArray     fis close     tmf init ks    SSLContext sslContext   SSLContext getInstance  TLS    sslContext init null  tmf getTrustManagers    null     Then  you need to set it up for Apache HTTP Client 3 x by implementing one if its SecureProtocolSocketFactory to use this SSLContext   There are examples here    Apache HTTP Client 4 x  apart from the earliest version  has direct support for passing an SSLContext

[java] How to handle invalid SSL certificates with Apache HttpClient?

Examples related to java

Examples related to ssl

Examples related to https

Examples related to apache-commons-httpclient