Bruno Harbulot wrote:
>
> Hi Rocky,
>
> Rocky V wrote:
>> I am on Restlet 1.1.5 and can upgrade to 1.1.8 (the last known stable version
>> from restlet.org) if the need arises.
>> My problem is to trust all certificates for my Restlet client using HTTPS
>> (Apache Commons).
>
> Am I right in understanding that you want your client to trust any
> server certificate it encounters, without prompting the user?
> If so, do you realise that this makes your connection prone to
> man-in-the-middle attacks, therefore making using SSL a bit pointless?
>
> Thanks a lot for your response, Bruno.
>
> Yes, my requirement is to trust all server certificates and save my
> Restlet client (using Apache Commons as the implementation of the
> Client interface exposed by Restlet) the hassle of
> trying to figure out the authenticity of the certificate, as in the link I pasted
> above.
> I realize this is not the correct way to do it, but for test purposes it's
> really useful.
> I have seen some other post between you and someone else mentioning that
> it is too much overhead
> to put the right SSL certificate in a test environment and that it should be
> avoided.
> And moreover, since we are testing
> in a sort of VPN environment not exposed to the external world, for my
> purpose, I presume we are safe.
>
> This is what I want to do:
> <snip>
>
> Client client = new Client(new Context(), Protocol.valueOf(protocol));
> if (protocol.equalsIgnoreCase("https")) {
>     // Set SSLContextFactory or something and ignore SSL certificates
> }
> Response response = client.handle(request);
>
> </snip>
>
> If I don't import certificates using keytool, then I encounter the
> following exceptions:
>
> com.noelios.restlet.ext.httpclient.HttpMethodCall sendRequest
> WARNING: An error occurred during the communication with the remote HTTP
> server.
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> at
> com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
> ....
> .......
>
>
> The reason for not importing certificates is:
> We have multiple test beds (hosts), as we call them, and we may run our tests
> against any of these test beds, so it basically means importing certificates
> for all these test beds, and again if we introduce a new test bed this code
> can break.
> Once we are close to finalizing one single environment, we can import one
> certificate for that
> host and then this is not an issue, but for now importing these certificates
> is a pain and I want to avoid the manual step. Since I am in the automation team,
> our goal is to have maximum automation.
>
>
> (Note that the security logic for trusting any server certificate is
> very different to that for trusting any client certificate. Verification
> of the server certificate is essential.)
>
>
>> I saw this thread suggesting setting SSLContextFactory, but this method is
>> only available for Restlet 2.x versions, which I can't upgrade to since it
>> is
>> a snapshot and my organization won't permit upgrading to unstable
>> (supposedly) versions.
>>
>> Can you please suggest probably through snippet of code
>> how can I trust all certificates like this in Restlet client:
>> http://exampledepot.com/egs/javax.net.ssl/TrustAll.html
>>
>
> You might want to have a look at this, as a workaround using the Apache
> HTTP client connector, for Restlet 1.
> http://restlet.tigris.org/issues/show_bug.cgi?id=586#desc4
>
>
> Do you mean to say I can use something like this:
>
> secureProtocolSocketFactory = new SslContextedSecureProtocolSocketFactory(...);
> org.apache.commons.httpclient.protocol.Protocol.registerProtocol(
>         "https",
>         new org.apache.commons.httpclient.protocol.Protocol(
>                 "https", (ProtocolSocketFactory) secureProtocolSocketFactory, 443));
>
>
> where:
>
> secureProtocolSocketFactory = getCustomSocketFactoryForTrustAll();
> (To trust all server certificates for my requirement)
>
> private SSLSocketFactory getCustomSocketFactoryForTrustAll() {
>     // Create a trust manager that does not validate certificate chains.
>     // Every server certificate is accepted: this is the "trust all" behaviour
>     // wanted for the test beds, and it must never reach production.
>     TrustManager[] trustAllCerts = new TrustManager[] {
>         new X509TrustManager() {
>             public java.security.cert.X509Certificate[] getAcceptedIssuers() {
>                 // An empty array rather than null: some callers dereference the result.
>                 return new java.security.cert.X509Certificate[0];
>             }
>             public void checkClientTrusted(
>                     java.security.cert.X509Certificate[] certs, String authType) {
>                 // intentionally empty: no validation
>             }
>             public void checkServerTrusted(
>                     java.security.cert.X509Certificate[] certs, String authType) {
>                 // intentionally empty: no validation
>             }
>         }
>     };
>
>     // Install the all-trusting trust manager
>     try {
>         SSLContext sc = SSLContext.getInstance("SSL");
>         sc.init(null, trustAllCerts, new java.security.SecureRandom());
>         // HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
>         return sc.getSocketFactory();
>     } catch (java.security.GeneralSecurityException e) {
>         // Do not swallow the exception: a null context would fail later with an NPE.
>         throw new IllegalStateException("could not initialise SSLContext", e);
>     }
> }
>
> Do you think this is correct?
>
>> I have been able to import the certificate into the JVM using keytool and get
>> past
>> the SSL exceptions, but that is not a feasible option. This introduces a
>> manual
>> step, and I have written Restlet client code to automate REST web service
>> testing. Also, we have multiple unsigned certificates due to multiple
>> hosts
>> in the test environment.
>
> I guess what you're trying to do is OK in a test environment... if you
> make sure that code doesn't end up in production.
>
>
>
> For now, it has taken me almost 4 days to find this workaround.
> Unfortunately, I could not find
> any post for this. I am sure this can be very useful for a lot of folks who
> would in the first
> place like to test HTTPS and then get into the nitty-gritty of doing the right
> thing eventually.
>
> Best Regards,
> Rocky
>
>
>
> Best wishes,
>
> Bruno.
>
> ------------------------------------------------------
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2446390
>
>
--
View this message in context:
http://n2.nabble.com/Restlet-client-connecting-to-server-with-self-signed-certificate-tp3715127p4550083.html
Sent from the Restlet Discuss mailing list archive at Nabble.com.
------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2446498
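The thread's actual obstacle is the manual keytool import per test bed, not certificate verification itself. As an added example (not code from the thread, from Bruno, or from the Restlet project), the following Java builds the trust store in memory at startup from a directory holding one exported certificate per test bed, so a new test bed is handled by dropping its .pem/.crt file into that directory, while the client still rejects any server whose certificate is not in the set. The class name TestBedTrust, the directory layout and the command-line arguments are assumptions; only standard javax.net.ssl and java.security APIs are used.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

/*
 * Added example, not from the mailing-list thread. Replaces a trust-all
 * X509TrustManager with a trust store populated at runtime from a directory
 * of exported test-bed certificates (hypothetical layout: one file per host).
 */
public final class TestBedTrust {

    private TestBedTrust() {}

    /** Load every X.509 certificate found in certDir into an empty in-memory KeyStore. */
    public static KeyStore loadTrustStore(File certDir)
            throws GeneralSecurityException, IOException {
        File[] files = certDir.listFiles();
        if (files == null) {
            throw new IOException("not a directory: " + certDir);
        }
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        store.load(null, null); // fresh, empty store: no file and no password
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int count = 0;
        for (File f : files) {
            String name = f.getName().toLowerCase();
            if (!name.endsWith(".pem") && !name.endsWith(".crt")) {
                continue;
            }
            InputStream in = new FileInputStream(f);
            try {
                // A file may hold a chain; every certificate in it becomes a trust anchor.
                for (Certificate c : cf.generateCertificates(in)) {
                    store.setCertificateEntry("testbed-" + count++, c);
                }
            } finally {
                in.close();
            }
        }
        if (count == 0) {
            // Fail closed, and say why, instead of letting every handshake fail later.
            throw new GeneralSecurityException("no certificates found in " + certDir);
        }
        return store;
    }

    /** SSLContext whose trust managers accept exactly the certificates in the store. */
    public static SSLContext contextFor(KeyStore trustStore) throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // default key managers and RNG
        return ctx;
    }

    /* Usage: java TestBedTrust <cert-dir> <https-url>  (both values supplied by the caller) */
    public static void main(String[] args) throws Exception {
        File certDir = new File(args[0]);
        URL url = new URL(args[1]);
        SSLContext ctx = contextFor(loadTrustStore(certDir));

        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier stays active, so each test bed's
        // certificate must name the host the client connects to.
        try {
            System.out.println("HTTP " + conn.getResponseCode() + " from " + url.getHost());
        } catch (SSLHandshakeException e) {
            // A host whose certificate is not in certDir is rejected, as intended.
            System.out.println("rejected " + url.getHost() + ": " + e.getMessage());
        } finally {
            conn.disconnect();
        }
    }
}
```

To use this with the Apache HttpClient 3 connector as in Rocky's snippet, the factory returned by ctx.getSocketFactory() is what a SecureProtocolSocketFactory implementation (for instance the one from issue 586, whose exact constructor is not shown in this thread) would wrap before being registered for "https" on port 443. Each test bed's certificate still has to be exported once, but that is a file copy into the directory rather than a keytool run against the JVM's cacerts, and the trust-all code never needs to exist.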