Thank you. I was aware of importing the certificate using keytool and the Java code to trust all certificates. I was just wondering if there was a way to do the latter at the Tomcat level. Looks like that's not possible. Thank you all for your replies.
Christopher Schultz-2 wrote:
> Kareem,
>
> On 7/10/2009 2:46 PM, kareem_s_m wrote:
>> Is there a way in tomcat to ignore or trust any SSL certificate when
>> connecting to a site through https? I know there is some JAVA code for
>> it.
>> But can we do it through tomcat or JVM settings too?
>
> As others have said, this is not an issue with Tomcat; it is an issue
> with the way you are connecting to the remote server.
>
> To /actually/ answer your question, allow me to post a README (written
> by me) that we keep lying around our development servers for just this
> purpose. You'll find the text following my signature. I hope it helps:
> we use these techniques all the time in order to avoid SSL handshake
> errors.
>
> I realize that some of the items mentioned might not be useful to you,
> but others may learn something. Enjoy.
>
> -chris
>
> ================================================================
> Getting Java to Play Nice with SSL Connections
> ================================================================
>
> This README serves to instruct the user in the fine art of
> dealing with Java and SSL certificates.
>
> These instructions will help most when you are trying to
> make an SSL connection to a remote host when that host has
> an SSL certificate that is either self-signed, used for
> demo or testing purposes, or is signed by a certificate
> authority (CA) that you do not trust.
>
> If you do not trust the CA, you might want to think again
> about doing business with the server. In any case, read on
> for how to install such a certificate.
>
> First of all, if the server to which you are connecting has
> a valid certificate that has been signed by a well-known
> CA, then you probably don't have to do anything. Try your
> connection to see if it works.
> If you get an exception like
> this, then keep reading:
>
>     sun.security.validator.ValidatorException: No trusted certificate found
>         at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:304)
>         at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:107)
>         at sun.security.validator.Validator.validate(Validator.java:202)
>
> This exception is thrown because you do not trust the certificate
> that has been handed to you by the server. Assuming that you want
> the connection to work properly, you have several options.
>
> ================================================================
> Import the certificate into your own keystore, making it trusted.
> ================================================================
>
> Here is one way to do it:
>
> 1. Visit your site in SSL mode with a browser that allows you to save
>    a copy of the certificate to a file (Microsoft Internet Explorer
>    will allow you to do this).
>
> 2. Save the certificate to a file. With MSIE, you can go to
>    "File | Properties" and then click the "Certificates" button.
>    From there, choose the "details" tab and then click the
>    "Copy to File" button. This will launch a short wizard to export
>    the cert. Choose "DER encoded binary X.509" and save the file
>    somewhere.
>
> 3. Import that cert into your keystore.
>
>    $ keytool -import -file [the cert file] -keystore [the key store]
>
>    Although you should be able to use the keystore of the user
>    that is running the Java process (~/.keystore), I've found that
>    it doesn't always work that way. You might have to modify the
>    keystore for the JRE itself, which is usually located in
>    $JAVA_HOME/jre/lib/security/cacerts.
>
>    You might want to save a backup copy of the cacerts file before
>    you start messing with it.
>
> Steps 1 and 2 can be replaced with a single openssl invocation if you
> have access to the server's private key:
>
>    $ openssl x509 -pubkey -in [server cert] -out [public cert] -outform DER
>
> Use the resulting file ([public cert]) in step #3. Openssl will also
> dump a public key to standard output, which can be ignored.
>
> ================================================================
> Disable Certification Validation, Avoiding the Problem
> ================================================================
>
> Note that this will disable certificate checking for all SSL
> connections, and not just those for which validation should be skipped.
> Actually, you can modify this technique for use on a per-connection
> basis if you have access to the HttpURLConnection object used for the
> connection itself.
>
> This code was written and tested on JDK 1.4.2_09.
>
> You need to execute this code before you attempt to make an SSL
> connection.
>
>    import java.security.KeyManagementException;
>    import java.security.NoSuchAlgorithmException;
>    import java.security.cert.X509Certificate;
>    import javax.net.ssl.SSLContext;
>    import javax.net.ssl.TrustManager;
>    import javax.net.ssl.X509TrustManager;
>    import javax.net.ssl.HttpsURLConnection;
>
>    public static void disableSSLCertificateChecking()
>    {
>        // A trust manager that accepts every certificate chain without
>        // inspecting it: no issuer check, no chain or validity-date check.
>        TrustManager[] trustAllCerts = new TrustManager[] {
>            new X509TrustManager() {
>                public X509Certificate[] getAcceptedIssuers() {
>                    return null;
>                }
>                public void checkClientTrusted(X509Certificate[] certs,
>                                               String authType) {
>                }
>                public void checkServerTrusted(X509Certificate[] certs,
>                                               String authType) {
>                }
>            }
>        };
>
>        try
>        {
>            SSLContext sc = SSLContext.getInstance("SSL");
>            sc.init(null, trustAllCerts, new java.security.SecureRandom());
>            // Installs the permissive context as the JVM-wide default for
>            // every HttpsURLConnection created afterwards.
>            HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
>        }
>        catch (KeyManagementException kme)
>        {
>            kme.printStackTrace();
>        }
>        catch (NoSuchAlgorithmException nsae)
>        {
>            nsae.printStackTrace();
>        }
>    }
>
> If you have access to the individual HttpURLConnection objects that will
> be used to make SSL connections, you can disable them on a per-instance
> basis by using HttpURLConnection.setSocketFactory(sc.getSocketFactory())
> instead of using HttpURLConnection.setDefaultSSLSocketFactory and
> changing the socket factory globally.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

--
View this message in context: http://www.nabble.com/Ignore--or-Trust-any-certificate-tp24432691p24444084.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
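Added example, not code from the thread or the README: the middle ground between the two README options, which is to load the keystore populated with "keytool -import" as the only trust source and apply it to a single HttpsURLConnection, so validation stays on for every other connection in the JVM. The keystore path, password and host are placeholders, and the code assumes Java 7 or later for try-with-resources.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public final class PinnedTrustStore {

    /**
     * Builds an SSLSocketFactory whose trust anchors are only the entries of
     * the given keystore (e.g. the one you imported the self-signed cert into).
     * Chain building and validity-date checks still run; only the set of
     * trusted issuers changes, unlike the trust-all X509TrustManager above.
     */
    public static SSLSocketFactory socketFactoryFor(String keystorePath, char[] password)
            throws IOException, GeneralSecurityException {
        // Default type reads what keytool wrote (JKS or PKCS12 on current JDKs).
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(keystorePath)) {
            trustStore.load(in, password);
        }
        // PKIX is the standard X.509 path-validation algorithm.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    /** Applies the factory to one connection instead of the JVM-wide default. */
    public static HttpsURLConnection open(URL url, SSLSocketFactory factory) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(factory); // per-instance, not setDefaultSSLSocketFactory
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical keystore, password and host: substitute your own values.
        SSLSocketFactory factory =
                socketFactoryFor("/path/to/my-truststore.jks", "changeit".toCharArray());
        HttpsURLConnection conn = open(new URL("https://intranet.example.com/"), factory);
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

If the handshake still fails with the ValidatorException from the README, the imported certificate is not in the keystore you are loading; `keytool -list -keystore [the key store]` shows what is actually there.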