I'm new to Java Web Start and I'm currently facing some strange behavior on an applet I'm working on for a private server.
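I am trying to dynamically check whether to ignore or not a server's SSL certificate before a download happens. To do that, I'm using:

    import java.net.URLConnection;
    import java.security.SecureRandom;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.KeyManager;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSession;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.X509TrustManager;

    public class TrustModifier {
        private static SSLSocketFactory factory;

        // Accepts any hostname, whatever the certificate says.
        private static final HostnameVerifier TRUSTING_HOSTNAME_VERIFIER = new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }
        };

        public TrustModifier() {
        }

        // Disables certificate and hostname validation for this one connection only.
        public static void relaxHostChecking(URLConnection conn) {
            if (conn instanceof HttpsURLConnection) {
                try {
                    HttpsURLConnection httpsConnection = (HttpsURLConnection) conn;
                    httpsConnection.setSSLSocketFactory(getFactory());
                    httpsConnection.setHostnameVerifier(TRUSTING_HOSTNAME_VERIFIER);
                } catch (Exception var2) {
                    // Swallowed: on failure the connection keeps its default validation.
                }
            }
        }

        // Lazily builds a socket factory whose trust manager accepts every certificate chain.
        private static synchronized SSLSocketFactory getFactory() throws Exception {
            if (factory == null) {
                SSLContext ctx = SSLContext.getInstance("TLS");
                ctx.init((KeyManager[]) null, new X509TrustManager[]{new X509TrustManager() {
                    public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
                    }
                    public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
                    }
                    public X509Certificate[] getAcceptedIssuers() {
                        // The interface requires a non-null array.
                        return new X509Certificate[0];
                    }
                }}, (SecureRandom) null);
                factory = ctx.getSocketFactory();
            }
            return factory;
        }
    }
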
The applet works fine when I'm trying to ignore the certificates, but when I don't want to ignore them, the download still happens even though the server has an untrusted (self-signed) certificate.
Doing some research I came across the possibility of Java binding its trusted certificates with macOS's trusted certs, but haven't been able to verify that. My Mac is set to Always trust my server's certificate. Does anyone know how the Java trusted certs are exactly handled in macOS and if that might be a reason for a download to still happen even if the server is working with a self-signed cert?
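
One way to test the question above, as an added diagnostic that is not part of the original post: it prints which trust store a plain JVM is configured to use and, given an HTTPS URL, reports whether default validation (no `TrustModifier`) accepts the server. The class name `TrustCheck` and the URL argument are hypothetical, and it assumes being run as a standalone `java` program, so it reflects the JVM's defaults rather than anything Java Web Start configures.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustCheck {
    // Returns the X509TrustManager the JVM builds from its default trust store.
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null keystore = use the default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Attempts a handshake with default validation only and describes the outcome.
    static String probe(String httpsUrl) {
        try {
            HttpsURLConnection c = (HttpsURLConnection) new URL(httpsUrl).openConnection();
            c.setConnectTimeout(5000);
            c.setReadTimeout(5000);
            c.connect(); // certificate and hostname checks happen here
            X509Certificate leaf = (X509Certificate) c.getServerCertificates()[0];
            c.disconnect();
            return "ACCEPTED by default validation: " + leaf.getSubjectX500Principal();
        } catch (SSLException e) {
            return "REJECTED by default validation: " + e.getMessage();
        } catch (Exception e) {
            return "No TLS verdict (connection or URL problem): " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Both properties are null unless set explicitly on the command line or in code.
        System.out.println("javax.net.ssl.trustStore     = " + System.getProperty("javax.net.ssl.trustStore"));
        System.out.println("javax.net.ssl.trustStoreType = " + System.getProperty("javax.net.ssl.trustStoreType"));
        System.out.println("default trusted issuers      = " + defaultTrustManager().getAcceptedIssuers().length);
        if (args.length == 1) System.out.println(probe(args[0]));
    }
}
```

An ACCEPTED result for the self-signed server means the certificate is reaching the JVM's trust decision from some trust store; a REJECTED result means the permissive behaviour comes from the applet's own code path or from the Web Start environment.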