4

I see on this page how to do https

http://sonatype.github.com/async-http-client/ssl.html

but what if I just want to ignore and accept any certificate as in this environment I don't care about man in the middle right now since it is in an isolated environment and I am just doing some stuff for automated testing on QA data.

Maybe my question instead is how to fake out the SSL in java's SSL stack so it accepts any cert on the other end(this is not bi-directional since it is https).

The common code for the client in the above link is

    char[] keyStorePassword = "changeit".toCharArray();
    KeyStore ks = KeyStore.getInstance("JKS");
    //ks.load(keyStoreStream, keyStorePassword);

    char[] certificatePassword = "changeit".toCharArray();
    KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
    kmf.init(ks, certificatePassword);

    KeyManager[] keyManagers = kmf.getKeyManagers();
    javax.net.ssl.TrustManager tm = new MyTrustMgr();
    javax.net.ssl.TrustManager[] trustManagers = new javax.net.ssl.TrustManager[]{tm };
    SecureRandom secureRandom = new SecureRandom();

    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(keyManagers, trustManagers, secureRandom);
    return ctx;

okay, working off that, I found out this which is still not working for some reason

    X509TrustManager tm = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] xcs,
                String string) throws CertificateException {
        }
        public void checkServerTrusted(X509Certificate[] xcs,
                String string) throws CertificateException {
        }
        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }
    };

    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, new TrustManager[] { tm }, null);
    return ctx;

thanks, Dean

Charles
  • 50,943
  • 13
  • 104
  • 142
Dean Hiller
  • 19,235
  • 25
  • 129
  • 212

1 Answers1

7

5 years late to the party, but I was facing the same problem today and your question came up pretty high in Google searches. So maybe my answer will help someone else.

Taking your code of creating the SSLContext, this code will create an AsyncHttpClient that will ignore (or blindly accept) all SSL certificates:

    AsyncHttpClientConfig config = new AsyncHttpClientConfig.Builder()
            .setSSLContext(createSslContext())
            .build();

    httpClient = new AsyncHttpClient(config);

The createSslContext method is, as mentioned above, an exact copy & paste of the code you had in your answer:

    private SSLContext createSslContext() throws Exception {
        X509TrustManager tm = new X509TrustManager() {

            public void checkClientTrusted(X509Certificate[] xcs,
                                       String string) throws CertificateException {
            }

            public void checkServerTrusted(X509Certificate[] xcs,
                                       String string) throws CertificateException {
            }

            public X509Certificate[] getAcceptedIssuers() {
                return null;
            }
        };

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        return ctx;
    }

The above examples work with Async HTTP Client 1.9.40 & Java 1.8

bogdan
  • 365
  • 3
  • 9