Dear all,
I want to use an HTTPS connection to communicate between my own application's
server and client.
I just want the connection channel to be secure.
So I think I won't check anything and will just allow the HTTPS connection.
I created a HostnameVerifier which lets all checks pass, as in the following code.
----
private HostnameVerifier initSSL() {
    // Create a trust manager that does not validate certificate chains
    TrustManager[] trustAllCerts = new TrustManager[]{
        new X509TrustManager() {
            public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                return null;
            }
            public void checkClientTrusted(
                    java.security.cert.X509Certificate[] certs, String authType) {
                isClientTrusted(certs);
                return;
            }
            public void checkServerTrusted(
                    java.security.cert.X509Certificate[] certs, String authType) {
                isServerTrusted(certs);
                return;
            }
            public boolean isServerTrusted(
                    java.security.cert.X509Certificate[] certs) { return true; }
            public boolean isClientTrusted(
                    java.security.cert.X509Certificate[] certs) { return true; }
        }
    };
    // Install the all-trusting trust manager
    try {
        SSLContext sc = SSLContext.getInstance("SSL");
        sc.init(null, trustAllCerts, new java.security.SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    } catch (Exception e) {
    }
    HostnameVerifier hv = new HostnameVerifier() {
        public boolean verify(String urlHostName, SSLSession session) {
            return true;
        }
    };
    System.setProperty("java.protocol.handler.pkgs", "javax.net.ssl");
    return hv;
}
----
That way I don't need to load a ".keystore" file within my application.
I use it (hv) with HttpsURLConnection and it worked well.
When I use HttpClient-4.0-Alpha3, the SSLSocketFactory needs a KeyStore to
be created.
And even if I use AllowAllHostnameVerifier, it still checks and fails on the
HTTPS connection.
Code:
----
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
// I don't want the following code to load a ".keystore" file.
// FileInputStream instream = new FileInputStream(new File(".keystore"));
// try {
// trustStore.load(instream, "changeit".toCharArray());
// } finally {
// instream.close();
// }
SSLSocketFactory socketFactory = new SSLSocketFactory(trustStore);
AllowAllHostnameVerifier hostnameVerifier = new AllowAllHostnameVerifier();
socketFactory.setHostnameVerifier(hostnameVerifier);
----
Can I create an SSLSocketFactory without a KeyStore?
Can I use the "check nothing HostnameVerifier" in HttpClient 4.0-Alpha3?
Any suggestion is appreciated.
Sincerely,
Micky
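
Added example, not part of the original message and not HttpClient's own code: an accept-everything TrustManager and HostnameVerifier encrypt the channel but do not authenticate the server, so any intermediary can terminate the connection. For a client that talks only to its own server, the alternative below builds the trust store in memory from the server's certificate, with no ".keystore" file or password. The class name, the resource name `/server-cert.pem` and the host `app.example.com` are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PinnedServerTrust {

    /** Builds an SSLContext that trusts only the certificate read from certStream. */
    static SSLContext contextTrustingOnly(InputStream certStream) throws Exception {
        Certificate serverCert =
                CertificateFactory.getInstance("X.509").generateCertificate(certStream);

        // load(null, null) initialises an empty in-memory store: no file, no password.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("app-server", serverCert);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical resource name and URL: ship the server's PEM certificate with the client.
        try (InputStream in = PinnedServerTrust.class.getResourceAsStream("/server-cert.pem")) {
            if (in == null) {
                throw new IllegalStateException("server-cert.pem not found on classpath");
            }
            SSLContext ctx = contextTrustingOnly(in);
            HttpsURLConnection conn =
                    (HttpsURLConnection) new URL("https://app.example.com/").openConnection();
            // Set per connection: the JVM-wide default factory stays untouched, and the
            // default HostnameVerifier still checks the name in the certificate.
            conn.setSSLSocketFactory(ctx.getSocketFactory());
            System.out.println("HTTP " + conn.getResponseCode());
        }
    }
}
```

A KeyStore initialised with `load(null, null)` is also what a constructor taking a KeyStore, like the `new SSLSocketFactory(trustStore)` call in the message, needs in order to receive an initialised store without any file on disk.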