SSLSocketFactory in java
What role does the SSLSocketFactory class in Java play when using HttpsURLConnection? The Java docs are not of much help.

Are there any ways to bind the keystore and the truststore to the SSLSocketFactory object, to make it point to the keystore and the truststore?

Otherwise, how will the connection know the location of the keystore and the truststore (I don't want to use Java system properties)?

Berate answered 29/3, 2012 at 8:16 Comment(0)
It is done through SSLContext. You init one and then use its socket factory to create HttpsURLConnection instances.

Here is a rough example of how I manage this in my application:

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;

// myKeyManagerFactory is a KeyManagerFactory already init()'d with your keystore; myTrustManagerArray is a TrustManager[] for your truststore
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(myKeyManagerFactory.getKeyManagers(), myTrustManagerArray, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

After that, your openConnection() calls for HTTPS sites will use the SSLSocketFactory you initialized here.

Here is code for a TrustManager to use in your SSL context which will trust all certificates:

import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

TrustManager[] myTrustManagerArray = new TrustManager[]{new TrustEveryoneManager()};

// Accepts every certificate chain without validation: no server authentication at all
class TrustEveryoneManager implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] arg0, String arg1){}
    public void checkServerTrusted(X509Certificate[] arg0, String arg1){}
    public X509Certificate[] getAcceptedIssuers() {
        // X509TrustManager requires a non-null (possibly empty) array here
        return new X509Certificate[0];
    }
}

Upd from Bruno: beware, trusting any certificate, however convenient it is, makes the connection vulnerable to MITM attacks

Irra answered 29/3, 2012 at 8:35 Comment(8)
your code works if setDefaultSSLSocketFactory() is replaced with setSSLSocketFactory(). setDefaultSSLSocketFactory() throws the following exception. " javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"Berate
It works with DefaultSSLSocketFactory for me, but good to know for future 8)Irra
I think it cannot build a proper certificate chain for the certificate it checks. Most probably you should import the root certificate of the site you are connecting to into your keystore.Irra
Or maybe try to make a trustManager that trusts all certificates. I added the code for this in my answer above.Irra
You should point out that trusting any certificate, however convenient it is, makes the connection vulnerable to MITM attacks.Preempt
Certainly, it is useful just for testing purpose only.Irra
(I was just pointing this out, otherwise people tend to copy/paste without thinking about what it does. I prefer using my own test CA for testing, it's more realistic and less likely to leave insecure code in the production code.)Preempt
I have posted a similar question for non-HTTPS connections. #60571512Tuberculous
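The answer and its comments describe the pieces (SSLContext, key and trust managers, the PKIX failure when the server's root CA is missing from the truststore) but never show the version the asker actually wanted: an SSLSocketFactory bound to an explicit keystore and truststore, with no trust-all manager and no javax.net.ssl system properties. The class below is an added example written for this page, not code from the answer or from any library; the file paths, passwords and URL are placeholders, and it uses the per-connection setSSLSocketFactory() the asker reported working.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLSocketFactory bound to an explicit keystore (our client identity)
 * and truststore (the CAs we accept) without touching javax.net.ssl.* system
 * properties. Paths and passwords below are placeholders, not real values.
 */
public final class BoundTrustStoreExample {

    private BoundTrustStoreExample() {}

    /** Loads a keystore file; type is "PKCS12" or "JKS". */
    static KeyStore loadKeyStore(String path, char[] password, String type)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * keyStore may be null when the server does not require a client certificate.
     * trustStore is mandatory: the PKIX TrustManager built from it replaces the
     * answer's TrustEveryoneManager and rejects any chain that does not end in
     * one of the stored CA certificates (the "PKIX path building failed" case).
     */
    static SSLSocketFactory buildSocketFactory(KeyStore keyStore, char[] keyPassword,
                                               KeyStore trustStore) throws GeneralSecurityException {
        KeyManagerFactory kmf = null;
        if (keyStore != null) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(keyStore, keyPassword);
        }

        // Trust decisions come only from trustStore, not from the JRE's default cacerts.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // "TLS" is the clearer name for the protocol family; the answer's "SSL"
        // also negotiates TLS on SunJSSE but reads as if SSLv3 were intended.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return ctx.getSocketFactory();
    }

    /**
     * Applies the factory to one connection only (the variant the asker found
     * working), leaving other HttpsURLConnections on the JVM default. The
     * default HostnameVerifier stays in place, so the certificate must also
     * match the host name in the URL.
     */
    static HttpsURLConnection open(URL url, SSLSocketFactory factory) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(factory);
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder credentials and paths; supply real ones from your deployment.
        char[] password = "changeit".toCharArray();
        KeyStore trustStore = loadKeyStore("/path/to/truststore.p12", password, "PKCS12");
        KeyStore clientStore = loadKeyStore("/path/to/client-keystore.p12", password, "PKCS12");

        SSLSocketFactory factory = buildSocketFactory(clientStore, password, trustStore);
        HttpsURLConnection conn = open(new URL("https://example.com/"), factory);
        System.out.println("HTTP " + conn.getResponseCode());
        conn.disconnect();
    }
}
```

If you prefer the answer's HttpsURLConnection.setDefaultSSLSocketFactory(factory), call it once at startup instead of open(); the "unable to find valid certification path" error from the comments then simply means the server's root CA is not in truststore.p12, and the fix is to import that CA (as Irra suggests) rather than to fall back to a trust-all manager.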
