It's possible to configure PureTLS (which Tomcat supports) to support un-trusted certs.
"Jerry Birchler" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > I tried both the IBM and Sun packages. Unfortunately, neither handled > expired or untrusted certificates. In my case, I did not care one way or the > other whether or not the certificate was "trusted" or not. By virtue of > parsing or spidering a site, I was making a choice. Perhaps you have the > same situation? If so, then this will work for you. > > I found the attached source on the internet somewhere, and I was able to > successfully implement it in a core class to my html parsers and spiders. > Here is the snippet of code that is found in that core class. The class file > you will need follows the snippet. > > import com.sun.net.ssl.HttpsURLConnection; > // > // it's important to use the javax flavors of these packages, the com.sun > equivalents will not work > // > import javax.net.ssl.*; > import javax.net.ssl.SSLSocketFactory; > > // > // put this in you constructor... > // > > System.setProperty("java.protocol.handler.pkgs","com.sun.net.ssl.internal.ww > w.protocol"); > > // > // ..... whatever code you want > // > if ( blnSSL ) > { > try > { > java.security.Security.addProvider(new > com.sun.net.ssl.internal.ssl.Provider()); > X509TrustManager oTrustMngr = new EnlistaTrustManager(); > TrustManager oEnlistaTrustManagers[] = {oTrustMngr}; > SSLContext ctx = SSLContext.getInstance("SSL"); > ctx.init(null, oEnlistaTrustManagers, null); > SSLSocketFactory sslSocketFactory = ctx.getSocketFactory(); > HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory); > } > catch(Exception e) > { > e.printStackTrace(); > } > objUC = (HttpsURLConnection)objURL.openConnection(); > } > else > { > objUC = (HttpURLConnection)objURL.openConnection(); > } > > > // use your own packge. this is the class called by the snippet above. > > package com.efn.cmn.uihelper.urlscraper; > > import javax.net.ssl.X509TrustManager; > import java.security.cert.*; > > //EnlistaTrustManager implements X509TrustManager and you can have the > following code to accept ANY certificate. > > public class EnlistaTrustManager implements X509TrustManager > { > > EnlistaTrustManager() > { // constructor > // create/load keystore > // No need to load the keystore because it will be validated on demand. > } > > public void checkClientTrusted(X509Certificate chain[], String authType) > throws CertificateException > { > return; > } > > /** > * This function is called when receiving information from the server. > * Before accepting the info it checks that the certificates sent by the > server > * are valid according to this function. > * > * @throws CertificateException if the certificate does not meet this peer's > validation. > */ > public void checkServerTrusted(X509Certificate oaChain[], String > sAuthType) throws CertificateException > { > // special handling such as poping dialog boxes > > // Certificate is valid. > return; > } > > /** > * Returns the valid or accepted issuers. Currently this function returns > one empty > * certificate. The validation is done in checkServerTrusted function. > */ > > public X509Certificate[] getAcceptedIssuers() { > return new X509Certificate[0]; > } > > public boolean isServerTrusted(X509Certificate oaChain[], String > sAuthType) throws CertificateException > { > return true; > } > } > > -----Original Message----- > From: McClure, Timothy J(IndSys, GE Interlogix) > [mailto:[EMAIL PROTECTED] > Sent: Monday, September 08, 2003 10:01 AM > To: Tomcat Users List; McClure, Timothy J(IndSys, GE Interlogix) > Subject: Tomcat IBM JVM 1.4 and SSL truststores > > > I am trying to use client SSL sockets connections running underneath Tomcat > on AIX with IBM JVM 1.4. I set the 'algorithm' key word in the server.xml > file and this seems to work well for key store (server socket) connections. > However I cannot get the trust store side to work appropriately, I always > get an I/O exception on SunX509 algorithm. I notice in the code it appears > that the "SunX509" is hard coded to the TrustStoreManager. How do I get it > to use IbmX509? I set the trsutManagerType to IbmX509 through -D options > but this also did not work. > > Tim > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]