Thank you a lot, Christopher!
Me blind idiot - didn't mark
HttpsURLConnection.setDefaultSSLSocketFactory is static! :)
Very simple indeed - I implemented ServletContextListener and added it
*-block-deployment.xweb in my block.
One more thing was needed:
HostnameVerifier verifyEverything = new HostnameVerifier() {
public boolean verify(String hostname, SSLSession session) {
return true; }
};
HttpsURLConnection.setDefaultHostnameVerifier( verifyEverything );
This works for me now.
And yes, make this check switchable per resource would be very useful.
Thanks,
Andrei
10.09.2010 21:17, Christopher Schultz пишет:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Andrei,
On 9/10/2010 4:05 AM, Andrei Lunjov wrote:
Hi Jos,
I just try to do:
<map:generate src="https://asite.with.invalid.cert/some/resource"/>
And sun.net.www.protocol.https.HttpsURLConnectionImpl if I remember
right throws an exception.
Cert is invalid, so adding it trust store is questionable.
I'd like to ignore the cert check at all, something like this:
http://www.exampledepot.com/egs/javax.net.ssl/TrustAll.html
And it's a big question for me what would be a best way add this
modification, preferably so I can switch cert check on and off for
different resources.
The code below will disable SSL checking for /all/ resources, and can
easily be put into a ServletContextListener in order to modify the SSL
cert checking behavior for a webapp at startup (that is, it's relatively
easy to just slap this into an existing Cocoon installation).
public static void disableSSLCertificateChecking()
throws NoSuchAlgorithmException, KeyManagementException
{
TrustManager[] trustAllCerts = new TrustManager[] {
new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(X509Certificate[] certs,
String authType) {
}
public void checkServerTrusted(X509Certificate[] certs,
String authType) {
}
}
};
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
}
As I mentioned, this won't help with the resource-specific connections.
The code above could be adapted to work inside a generator in order to
exempt that single resource from SSL certificate checking. Maybe I'll
take a look at the Cocoon code and propose a patch if it's useful.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkyKdiYACgkQ9CaO5/Lv0PAiWQCcCKh0Y03+D8DOhetTpe2Dh/I+
s10Anj8vsvxh9/lzCQTmGimQOU925yhS
=kADE
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
