
I am testing javax.net.ssl.HttpsURLConnection. Because the program is making an HTTPS request, I thought I had to call setSSLSocketFactory in order to make the request work.

BUT the program runs fine without the setSSLSocketFactory setting:

Here is my code:

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;

public class HttpsTest {

    public static void main(String[] args) {

        try {

            URL requestUrl = new URL("https://www.google.com/?gws_rd=ssl");
            // openConnection() returns an HttpsURLConnection for an https:// URL
            HttpsURLConnection conn = (HttpsURLConnection) requestUrl.openConnection();

            // Not called: the connection falls back to the JVM's default SSLSocketFactory
            // conn.setSSLSocketFactory(sslSocketFactory);

            // getInputStream() performs the TLS handshake and sends the request
            BufferedReader br = new BufferedReader(new InputStreamReader(conn.getInputStream(), "UTF-8"));

            String line;
            while ((line = br.readLine()) != null) {
                System.out.println(line);
            }

            System.out.println("getResponseCode: " + conn.getResponseCode());

            br.close();
            conn.disconnect();

        } catch (Exception ex) {
            ex.printStackTrace();
        }

        // RESULT:

        // Some HTML return by https://www.google.com/?gws_rd=ssl
        // getResponseCode: 200 OK
    }
}

What do I misunderstand about HTTPS? Why did the program work without the sslSocketFactory setting? (The HttpsURLConnection needs an sslSocketFactory to validate the SSL/TLS public certificate sent by the server.)

Thank you!

LHA

2 Answers


I thought I had to do setSSLSocketFactory() in order to make request work

You don't. It has a default value.

user207421
  • Hi EJP: What if the default factory fails to validate the public certificate sent by the server? Do I have to handle this case for my Https request? Thanks! – LHA Mar 07 '16 at 21:36
  • Then you have two choices: use setSSLSocketFactory() or add the server's cert, or one of the CAs on the server's certificate chain to the JVM's default keystore as "trusted". The procedure for the latter will be platform specific. – Stephen C Mar 07 '16 at 21:53

The default behavior is to use the Certificate Authorities that come with your Java installation. The fact that everything works out of the box means that the remote host is using a certificate signed by a certificate authority (is not self-signed).

You only need to override this default behavior if you want to use alternative CAs or allow a self-signed certificate to be trusted as a valid certificate by Java.

Uku Loskit
  • You don't need to override it even then. You can just use a different truststore via system properties. There are other reasons you might want to override it though. – user207421 Mar 07 '16 at 21:27
  • I'd say that it depends greatly on the programming environment (in some environments it might not be possible to do so via system properties). For example, in Android. – Uku Loskit Mar 07 '16 at 21:28
  • I'm sure you can change the truststore in Android without having to set a socket factory. – user207421 Mar 07 '16 at 21:30
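The "alternative CAs or self-signed certificate" case from this answer, and the first of Stephen C's two choices under the other answer, as an added example that is not code from the question or either answer: build an SSLSocketFactory from a dedicated truststore so the connection trusts only the certificates in that file, while chain validation and hostname verification stay switched on. The truststore path, password and URL are assumed placeholders; the comment also shows the system-property alternative user207421 mentions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class CustomTrustStoreExample {

    // Returns an SSLSocketFactory whose trust decisions come ONLY from the given
    // truststore (an internal CA or a specific self-signed server certificate).
    // Nothing is disabled: the default X509TrustManager still validates the chain,
    // and HttpsURLConnection still verifies the hostname against the certificate.
    static SSLSocketFactory socketFactoryFor(String trustStorePath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key material needed
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs (placeholders): a PKCS12 truststore created with keytool, e.g.
        //   keytool -importcert -file internal-ca.pem -alias internal-ca \
        //           -keystore truststore.p12 -storetype PKCS12
        String url = args.length > 0 ? args[0] : "https://internal.example.test/";
        String trustStorePath = args.length > 1 ? args[1] : "truststore.p12";
        char[] password = "changeit".toCharArray();

        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(socketFactoryFor(trustStorePath, password));

        // Equivalent without touching the code, for environments that honour the
        // JSSE system properties:
        //   java -Djavax.net.ssl.trustStore=truststore.p12 \
        //        -Djavax.net.ssl.trustStorePassword=changeit CustomTrustStoreExample
        // A server whose chain does not end in the truststore fails the handshake
        // with an SSLHandshakeException from getResponseCode()/getInputStream().
        System.out.println("getResponseCode: " + conn.getResponseCode());
        conn.disconnect();
    }
}
```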