Hello,
just stumbled across a problem with the
org.apache.http.conn.ssl.TrustSelfSignedStrategy.isTrusted(
final X509Certificate[] chain, final String authType)
4.4.1 implementation
public boolean isTrusted(
final X509Certificate[] chain, final String authType) throws
CertificateException {
return chain.length == 1;
}
Problem was that my client code was communicating with a server which had a
CA signed certificate. The chain length was not equal 1 so isTrusted
returned false;
Even though the javadoc specifically says :
A trust strategy that accepts self-signed certificates as trusted.
Verification of all other
* certificates is done by the trust manager configured in the SSL context.
Most of the examples found on the Internet use TrustSelfSignedStrategy . I
think people use that one to trust any certificate, signed or not, even if
that would pose a security issue.
Do you think it might be appropriate to change the method isTrusted so that
it returns true in any case?
Perhaps it would be better, for convenience purpose, to add a new
implementation named, TrustAnyStrategy in the same way NoopHostnameVerifier
can be used to disable hostname verification.
Just a suggestion,
thanks for you all,
David
