Re: [C3] How to/where to disable certificate check accessing HTTPS

2010-09-10 Thread Andrei Lunjov

Hi Jos,

I am just trying to do:

<map:generate src="https://asite.with.invalid.cert/some/resource/"/>

And sun.net.www.protocol.https.HttpsURLConnectionImpl, if I remember 
right, throws an exception.

The cert is invalid, so adding it to the trust store is questionable.
I'd like to ignore the cert check altogether, something like this: 
http://www.exampledepot.com/egs/javax.net.ssl/TrustAll.html
And it's a big question for me what would be the best way to add this 
modification, preferably so I can switch the cert check on and off for 
different resources.



Andrei



10.09.2010 07:25, Jos Snellings wrote:

> Hi Andrej,
>
> Could you please provide a little bit more detail on what you want to
> accomplish?
> Is it that you need in your sitemap to forward some urls to a secure
> site?
>
> Cheers,
> Jos

-
To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org
For additional commands, e-mail: users-h...@cocoon.apache.org







Re: [C3] How to/where to disable certificate check accessing HTTPS

2010-09-10 Thread Christopher Schultz

Andrei,

On 9/10/2010 4:05 AM, Andrei Lunjov wrote:
> Hi Jos,
>
> I am just trying to do:
>
> <map:generate src="https://asite.with.invalid.cert/some/resource/"/>
>
> And sun.net.www.protocol.https.HttpsURLConnectionImpl, if I remember
> right, throws an exception.
> The cert is invalid, so adding it to the trust store is questionable.
> I'd like to ignore the cert check altogether, something like this:
> http://www.exampledepot.com/egs/javax.net.ssl/TrustAll.html
> And it's a big question for me what would be the best way to add this
> modification, preferably so I can switch the cert check on and off for
> different resources.

The code below will disable SSL checking for /all/ resources, and can
easily be put into a ServletContextListener in order to modify the SSL
cert checking behavior for a webapp at startup (that is, it's relatively
easy to just slap this into an existing Cocoon installation).

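    import java.security.KeyManagementException;
    import java.security.NoSuchAlgorithmException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;

    // Installs a trust-all TrustManager as the JVM-wide default for
    // HttpsURLConnection: certificate validation is skipped for every host.
    public static void disableSSLCertificateChecking()
        throws NoSuchAlgorithmException, KeyManagementException
    {
        TrustManager[] trustAllCerts = new TrustManager[] {
            new X509TrustManager() {
                public X509Certificate[] getAcceptedIssuers() {
                    return null;
                }
                public void checkClientTrusted(X509Certificate[] certs,
                                               String authType) {
                    // accepts any client certificate chain
                }
                public void checkServerTrusted(X509Certificate[] certs,
                                               String authType) {
                    // accepts any server certificate chain
                }
            }
        };

        SSLContext sc = SSLContext.getInstance("SSL");

        sc.init(null, trustAllCerts, new java.security.SecureRandom());

        // Static setter: replaces the default factory for all connections
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    }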

As I mentioned, this won't help with the resource-specific connections.

The code above could be adapted to work inside a generator in order to
exempt that single resource from SSL certificate checking. Maybe I'll
take a look at the Cocoon code and propose a patch if it's useful.

-chris



Re: [C3] How to/where to disable certificate check accessing HTTPS

2010-09-10 Thread Andrei Lunjov

Thank you a lot, Christopher!

Me blind idiot - didn't mark 
HttpsURLConnection.setDefaultSSLSocketFactory is static! :)


Very simple indeed - I implemented ServletContextListener and added it 
to *-block-deployment.xweb in my block.

One more thing was needed:

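    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.SSLSession;

    // Accepts any hostname, so the certificate's name is never matched
    // against the host being contacted.
    HostnameVerifier verifyEverything = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    };

    HttpsURLConnection.setDefaultHostnameVerifier(verifyEverything);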

This works for me now.
And yes, making this check switchable per resource would be very useful.


Thanks,
Andrei


