Re: [OT] Ignore or Trust any certificate

2009-07-11 Thread Christopher Schultz
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kareem,

On 7/10/2009 2:46 PM, kareem_s_m wrote:
> Is there a way in tomcat to ignore or trust any SSL certificate when
> connecting to a site through https? I know there is some JAVA code for it.
> But can we do it through tomcat or JVM settings too?

As others have said, this is not an issue with Tomcat; it is an issue
with the way you are connecting to the remote server.

To /actually/ answer your question, allow me to post a README (written
by me) that we keep lying around our development servers for just this
purpose. You'll find the text following my signature. I hope it helps:
we use these techniques all the time in order to avoid SSL handshake errors.

I realize that some of the items mentioned might not be useful to you,
but others may learn something. Enjoy.

- -chris


   Getting Java to Play Nice with SSL Connections


This README serves to instruct the user in the fine art of
dealing with Java and SSL certificates.

These instructions will help most when you are trying to
make an SSL connection to a remote host when that host has
an SSL certificate that is either self-signed, used for
demo or testing purposes, or is signed by a certificate
authority (CA) that you do not trust.

If you do not trust the CA, you might want to think again
about doing business with the server. In any case, read on
for how to install such a certificate.

First of all, if the server to which you are connecting has
a valid certificate that has been signed by a well-known
CA, then you probably don't have to do anything. Try your
connection to see if it works. If you get an exception like
this, then keep reading:

sun.security.validator.ValidatorException: No trusted certificate found
    at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:304)
    at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:107)
    at sun.security.validator.Validator.validate(Validator.java:202)

This exception is thrown because you do not trust the certificate
that has been handed to you by the server. Assuming that you want
the connection to work properly, you have several options.


Import the certificate into your own keystore, making it trusted.


Here is one way to do it:

1. Visit your site in SSL mode with a browser that allows you to save
   a copy of the certificate to a file (Microsoft Internet Explorer
   will allow you to do this).

2. Save the certificate to a file. With MSIE, you can go to
   File | Properties and then click the Certificates button.
   From there, choose the details tab and then click the
   Copy to File button. This will launch a short wizard to export
   the cert. Choose DER encoded binary X.509 and save the file
   somewhere.

3. Import that cert into your keystore.

   $ keytool -import -file [the cert file] -keystore [the key store]

   Although you should be able to use the keystore of the user
   that is running the Java process (~/.keystore), I've found that
   it doesn't always work that way. You might have to modify the
   keystore for the JRE itself, which is usually located in
   $JAVA_HOME/jre/lib/security/cacerts.

   You might want to save a backup copy of the cacerts file before
   you start messing with it.

Steps 1 and 2 can be replaced with a single openssl invocation if you
have access to the server's private key:

   $ openssl x509 -pubkey -in [server cert] -out [public cert] -outform DER

Use the resulting file ([public cert]) in step #3. Openssl will also
dump a public key to standard output, which can be ignored.


Disable Certification Validation, Avoiding the Problem


Note that this will disable certificate checking for all SSL
connections, and not just those for which validation should be skipped.
Actually, you can modify this technique for use on a per-connection
basis if you have access to the HttpURLConnection object used for the
connection itself.

This code was written and tested on JDK 1.4.2_09.

You need to execute this code before you attempt to make an SSL connection.

import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import javax.net.ssl.HttpsURLConnection;

public static void disableSSLCertificateChecking()
    throws NoSuchAlgorithmException, KeyManagementException
{
    // Trust manager whose check methods never throw, so every chain is
    // accepted, including one presented by a host impersonating the server.
    TrustManager[] trustAllCerts = new TrustManager[] {
        new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() {
                return null;
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType) {
            }
            public void checkServerTrusted(X509Certificate[] chain, String authType) {
            }
        }
    };
    SSLContext sc = SSLContext.getInstance("SSL");
    sc.init(null, trustAllCerts, null);
    // Installed JVM-wide: every later HttpsURLConnection skips validation.
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
}
 

Re: [OT] Ignore or Trust any certificate

2009-07-11 Thread kareem_s_m

Thank You. I was aware of importing the certificate using keytool and the
java code to trust all certificates. I was just wondering if there was a way
to do the latter at tomcat level. Looks like that's not possible. Thank you
all for your replies.


RE: [OT] Ignore or Trust any certificate

2009-07-11 Thread Jason Pyeron
> -----Original Message-----
> From: kareem_s_m
> Sent: Saturday, July 11, 2009 17:38
>
> Thank You. I was aware of importing the certificate using
> keytool and the java code to trust all certificates. I was
> just wondering if there was a way to do the latter at tomcat
> level. Looks like that's not possible. Thank you all for your replies.


So is your question:

If a connection is made, and the certificate is not trusted, can it be added
(maybe temporarily) to the trusted list at runtime? 

The other option of ignoring the missing trust at runtime was described in the
README, very well I may add.

 
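The README's "import the certificate into your keystore" option, its remark that the disable-validation trick can be scoped to a single HttpURLConnection, and Jason's question about adding an untrusted certificate to the trusted list at runtime all meet in the following Java class. It is an added example, not code from the README or from any poster on this thread. It assumes the server certificate has already been exported to a file as in step 2 (the file name and the class name PinnedConnection are mine); it builds an in-memory keystore containing only that certificate and installs the resulting trust manager on one connection, so cacerts is never edited and every other HTTPS connection in the JVM keeps normal validation.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Trusts one specific certificate for one connection, instead of editing
 * cacerts or turning validation off JVM-wide. Hypothetical class, not from
 * the README.
 */
public class PinnedConnection {

    /** Reads a DER or PEM encoded X.509 certificate from certFile (the file exported in step 2). */
    public static X509Certificate loadCertificate(String certFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream(certFile);
        try {
            return (X509Certificate) cf.generateCertificate(in);
        } finally {
            in.close();
        }
    }

    /** Builds an SSLContext whose only trust anchor is cert; nothing from cacerts is consulted. */
    public static SSLContext contextTrustingOnly(X509Certificate cert) throws Exception {
        // Empty in-memory keystore holding just this one trusted entry: the
        // runtime equivalent of "keytool -import" into a dedicated truststore.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("remote-host", cert);

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Offline check: the trust manager built from cert accepts a chain consisting of cert itself. */
    public static boolean acceptsOwnChain(X509Certificate cert) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("remote-host", cert);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            tm.checkServerTrusted(new X509Certificate[] { cert },
                                  cert.getPublicKey().getAlgorithm());
            return true;
        } catch (Exception notTrusted) {
            return false;
        }
    }

    /**
     * Opens one HTTPS connection that trusts only certFile. The socket factory is
     * set on this connection only, so the JVM-wide default is untouched, and the
     * default hostname verifier stays in place: the certificate must still name the host.
     */
    public static HttpsURLConnection open(String url, String certFile) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(contextTrustingOnly(loadCertificate(certFile)).getSocketFactory());
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java PinnedConnection https://host/ server.der  (file name is illustrative)
        X509Certificate cert = loadCertificate(args[1]);
        System.out.println("subject: " + cert.getSubjectDN());
        System.out.println("chain accepted by pinned trust manager: " + acceptsOwnChain(cert));
        HttpsURLConnection conn = open(args[0], args[1]);
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Compared with the README's trust-all manager, this accepts exactly one certificate, so a self-signed or privately signed server can be reached in a test environment while a different certificate presented for the same host is still rejected; when the server's certificate is rotated, the pinned file has to be updated or the ValidatorException from the README returns.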