
I am using the code below to trust all certificates. The code is running in a containerized environment and I am getting the exception Access denied ("javax.net.ssl.SSLPermission" "setDefaultSSLContext"); the same code running on a normal Tomcat server works fine.

import java.net.URL;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

    URL destinationURL = null;
    SSLContext context = null;
    // Trust manager that accepts every certificate chain (intentionally disables trust checks)
    TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            // empty array rather than null: some JSSE code paths dereference this
            return new X509Certificate[0];
        }
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // accept everything
        }
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // accept everything
        }
    } };
    try {
        context = SSLContext.getInstance("SSL");
        context.init(null, trustAllCerts, null);
        // this call needs SSLPermission("setDefaultSSLContext") when a SecurityManager is active
        SSLContext.setDefault(context);

        //proxy details here
        destinationURL = new URL("url"); // placeholder URL string
        HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                return true; // accept any hostname
            }
        });
    } catch (Exception e) {
        e.printStackTrace();
    }

ajay kumar

2 Answers


From SSLContext:

setDefault

Throws: SecurityException - if a security manager exists and its checkPermission method does not allow SSLPermission("setDefaultSSLContext")

This permission is not granted by default, as it is considered unsafe. From SSLPermission:

Malicious code can set a context that monitors the opening of connections or the plaintext data that is transmitted.

The recommended way to change the default SSLContext is via JVM start-up options. However, you're attempting to effectively disable all trust, which is also unsafe and not supported via system properties.

If you're really, really sure you want to do this, you'll need to grant your application the necessary permissions. This would be done e.g. via a policy file:

grant codeBase "file:/home/ajay/myunsafecode" {
    permission javax.net.ssl.SSLPermission "setDefaultSSLContext";
};

Or, just don't change the default SSLContext and use your unsafe one directly.

(all links for JDK 11)

OrangeDog

You can use the specified SSLContext to build a socket factory which can be used for URL connections; changing the default one is not recommended.

piii
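Both answers above recommend using the SSLContext directly instead of replacing the JVM default. The following is an added example (not code from either answerer or from the asker) showing what that looks like, and going one step further than the question: instead of a trust-all manager it trusts only the CA certificate(s) read from a PEM file, and it attaches the resulting socket factory to one HttpsURLConnection instance. Neither SSLContext.setDefault nor HttpsURLConnection.setDefaultSSLSocketFactory is called, so no SSLPermission is needed even with a SecurityManager, and hostname verification stays enabled. The class name, the CA file path and the URL are placeholders assumed for the example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the original page): an SSLContext that trusts only
 * the certificate(s) in one PEM/DER file, applied per connection rather than
 * as the JVM default. Class name, path and URL are placeholders.
 */
public final class PinnedCaClient {

    /** Build a context whose PKIX trust manager knows only the CA(s) in caCertPath. */
    static SSLContext contextTrustingOnly(String caCertPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                       // empty, in-memory store
        try (InputStream in = new FileInputStream(caCertPath)) {
            int i = 0;
            for (Certificate c : cf.generateCertificates(in)) {
                trustStore.setCertificateEntry("ca-" + i++, c);
            }
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);                              // PKIX over our store only
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);     // default key managers, default RNG
        return ctx;
    }

    /** Open a single connection with the given context; no JVM-wide state is touched. */
    static int fetchStatus(SSLContext ctx, String url) throws IOException {
        HttpURLConnection raw = (HttpURLConnection) new URL(url).openConnection();
        if (!(raw instanceof HttpsURLConnection)) {
            throw new IOException("refusing non-HTTPS URL: " + url);
        }
        HttpsURLConnection conn = (HttpsURLConnection) raw;
        conn.setSSLSocketFactory(ctx.getSocketFactory());  // instance setter, no SSLPermission needed
        // Deliberately NOT calling conn.setHostnameVerifier((h, s) -> true):
        // the default verifier checks the certificate against the URL host.
        conn.setRequestMethod("GET");
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        String caPath = args.length > 0 ? args[0] : "/path/to/internal-ca.pem";     // placeholder
        String url = args.length > 1 ? args[1] : "https://internal.example/health"; // placeholder
        SSLContext ctx = contextTrustingOnly(caPath);
        System.out.println("HTTP " + fetchStatus(ctx, url));
    }
}
```

If the connection has to go through a proxy (the question's "proxy details here"), pass a java.net.Proxy to openConnection(proxy) in fetchStatus; the per-connection socket factory still applies. If the only goal is to reach one internal host with a self-signed certificate, exporting that certificate into the PEM file used here achieves it without disabling certificate or hostname checks for the rest of the JVM.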