
I have created a web crawler that will return the page for a URL. For some URLs I get: javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version

The purpose of this is just to parse the webpage returned. So I am looking at ways to bypass the SSL verification.

    (s, sslSession) -> true

So I create a SSLConnectionSocketFactory

private SSLConnectionSocketFactory sslFactory() {
    SSLContext sslcontext = null;
    try {
        // Default trust store plus any self-signed certificate
        sslcontext = SSLContexts.custom().loadTrustMaterial(null, new TrustSelfSignedStrategy()).build();
    } catch (KeyManagementException | NoSuchAlgorithmException | KeyStoreException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }
    // Hostname verifier that accepts every hostname
    SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslcontext, (s, sslSession) -> true);

    return sslConnectionSocketFactory;
}

And then add it to the HTMLClient

var clientBuilder = HttpClientBuilder.create()
        .setDefaultRequestConfig(RequestConfig.custom().setCookieSpec(CookieSpecs.STANDARD).build())
        .setRedirectStrategy(new LaxRedirectStrategy())
        .setDefaultCookieStore(cookieStore)
        .setSSLSocketFactory(sslFactory());

According to what I have researched this should bypass SSL verification, but it still throws the exception. I am using httpclient-4.5.13.

I understand the security implications, but this is parsing a webpage, it will not be sending any data. Thanks for any help.

Olaf Kock
Anton Cavanaugh
  • httpclient-4.5.13 is Oct 06, 2020, so I assume the alert is "new client, old server". If your protocols don't match, the two won't understand each other before the question of cert verification even comes up. If you want to enable old protocols: https://stackoverflow.com/questions/31608243/how-to-enable-sslv3-with-apache-httpclient – Nov 02 '21 at 11:55
  • Thank you for your reply. My mind was wandering in the same direction. I am going to try the code in the link you supplied. – Anton Cavanaugh Nov 02 '21 at 12:47
  • Thanks for your help, sadly it did not work: SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory( SSLContext.getDefault(), // new String[] { "SSLv2Hello","SSLv3","TLSv1","TLSv1.1","TLSv1.2"}, new String[] { "SSLv3","TLSv1.2"}, null, (s, sslSession) -> true); still returns javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version – Anton Cavanaugh Nov 02 '21 at 15:12

1 Answer


OK, this works with httpclient-4.5.13 on Java 11; it won't work with Java 16. So set trusted certificates.

private SSLContext SSLConnection() throws NoSuchAlgorithmException, KeyManagementException {
    // Trust manager that accepts every certificate chain without validation
    TrustManager[] trustAllCerts = new TrustManager[] {
        new X509TrustManager() {
            public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                // The X509TrustManager contract requires a non-null array
                return new java.security.cert.X509Certificate[0];
            }
            public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) { }
            public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) { }
        }
    };
    SSLContext sc = SSLContext.getInstance("SSL");
    sc.init(null, trustAllCerts, new java.security.SecureRandom());
    return sc;
}

And add it to clientBuilder

var clientBuilder = HttpClientBuilder.create()
        .setDefaultRequestConfig(RequestConfig.custom().setCookieSpec(CookieSpecs.STANDARD).build())
        .setRedirectStrategy(new LaxRedirectStrategy())
        .setDefaultCookieStore(cookieStore)
        .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
        .setSSLContext(SSLConnection());
Anton Cavanaugh
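
The first comment on the question attributes protocol_version to protocol negotiation, which happens before any certificate check. The following is an added example, not code from the question or the answer: it reports which TLS versions the running JVM offers and builds an httpclient 4.5 client restricted to chosen versions while keeping certificate and hostname verification. The class name TlsProtocolCheck and its method names are hypothetical.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

// Hypothetical helper class, added for illustration.
public class TlsProtocolCheck {

    // Protocols the JVM implements but does not offer in a default handshake.
    static List<String> supportedButNotEnabled(SSLContext ctx) {
        List<String> result = new ArrayList<>(
                Arrays.asList(ctx.getSupportedSSLParameters().getProtocols()));
        result.removeAll(Arrays.asList(ctx.getDefaultSSLParameters().getProtocols()));
        return result;
    }

    // Client that offers only the requested protocols this JVM supports.
    // The default trust store and hostname verifier stay in place.
    static CloseableHttpClient clientFor(SSLContext ctx, String... wanted) {
        List<String> usable = new ArrayList<>(Arrays.asList(wanted));
        // Unsupported names would make the socket reject the protocol list.
        usable.retainAll(Arrays.asList(ctx.getSupportedSSLParameters().getProtocols()));
        if (usable.isEmpty()) {
            throw new IllegalArgumentException("none of the requested protocols is supported");
        }
        SSLConnectionSocketFactory factory = new SSLConnectionSocketFactory(
                ctx,
                usable.toArray(new String[0]),
                null, // keep the JVM's default cipher suites
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        return HttpClients.custom().setSSLSocketFactory(factory).build();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("Enabled by default:     "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        System.out.println("Supported, not enabled: " + supportedButNotEnabled(ctx));
        // Protocols listed here stay unusable even when explicitly enabled.
        System.out.println("jdk.tls.disabledAlgorithms: "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        try (CloseableHttpClient client = clientFor(ctx, "TLSv1.2", "TLSv1.3")) {
            System.out.println("Client built with certificate and hostname checks intact");
        }
    }
}
```

Running it on each Java version in use shows whether the protocol list differs between them, which is a separate question from certificate trust.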