Hi Rocky,

Rocky V wrote:
> I am on Restlet 1.1.5 and can upgrade to 1.1.8 (last known stable version
> from restlet.org) if need arises.
> My problem is to trust all certificates for my Restlet client using HTTPS
> (apache common).

Am I right in understanding that you want your client to trust any 
server certificate it encounters, without prompting the user?
If so, do you realise that this makes your connection prone to 
man-in-the-middle attacks, therefore making using SSL a bit pointless?

(Note that the security logic for trusting any server certificate is 
very different to that for trusting any client certificate. Verification 
of the server certificate is essential.)


> I saw this thread suggesting setting SSLContextFactory, but this method is
> only available for Restlet 2.x versions, which I can't upgrade to since it is
> a snapshot and my organization won't permit upgrading to unstable
> (supposedly) versions.
> 
> Can you please suggest, probably through a snippet of code,
> how I can trust all certificates like this in a Restlet client:
> http://exampledepot.com/egs/javax.net.ssl/TrustAll.html
> 

You might want to have a look at this, as a workaround using the Apache 
HTTP client connector, for Restlet 1.
http://restlet.tigris.org/issues/show_bug.cgi?id=586#desc4


> I have been able to import the certificate in the JVM using keytool and go past
> SSL exceptions, but that is not a feasible option. This introduces a manual
> step, and I have written Restlet client code to automate REST webservice
> testing. Also, we have multiple unsigned certificates due to multiple hosts
> in the test environment.

I guess what you're trying to do is OK in a test environment... if you 
make sure that code doesn't end up in production.



Best wishes,

Bruno.

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2446390
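
Added example, not part of the original message or of Restlet's code: one way to avoid both the manual keytool step and a trust-all manager is to load the test hosts' self-signed certificates from a PEM bundle into an in-memory trust store when the test run starts. The class name and the `test-hosts.pem` file name are assumptions, and installing the context as the JVM default assumes the HTTP connector obtains its sockets from the default SSL socket factory.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TestTrustStore {

    /** Builds an SSLContext that trusts only the certificates in the PEM bundle. */
    static SSLContext contextFor(String pemBundlePath) throws Exception {
        // Empty in-memory store: the JVM-wide cacerts file is never modified.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int count = 0;
        try (InputStream in = new FileInputStream(pemBundlePath)) {
            // One bundle may hold the certificates of every test host.
            for (Certificate cert : cf.generateCertificates(in)) {
                trustStore.setCertificateEntry("test-host-" + count++, cert);
            }
        }
        if (count == 0) {
            // Fail early instead of at the first handshake.
            throw new IllegalStateException("no certificates in " + pemBundlePath);
        }

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default RNG
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical default file name; pass the real bundle path as args[0].
        String bundle = args.length > 0 ? args[0] : "test-hosts.pem";
        SSLContext ctx = contextFor(bundle);
        // Assumption: the client uses the JVM default socket factory (Java 6+).
        SSLContext.setDefault(ctx);
        System.out.println("Test trust store installed from " + bundle);
    }
}
```

Certificate validation stays enabled with this approach, so a host whose certificate is not in the bundle still fails the handshake.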
