JavaRanch » Java Forums » Engineering » Security
Invalidate trusting certificate control

Barry Brashear
Ranch Hand

Joined: Jun 05, 2001
Posts: 303
I have a small intranet web application and I would like to invalidate the trusting certificate control so I won't get the "untrusted server cert chain" exception. Can anyone tell me how to do this?
Thanks,
Barry
Lewin Chan
Ranch Hand

Joined: Oct 10, 2001
Posts: 214
Hej,
I'm assuming that you're talking about a client making an https connection to your webapp, and it's failing at the client end because it doesn't trust the server (or vice versa).
1) Just import the remote server certificate into your local keystore.
2) Implement X509TrustManager so you have a simple implementation that always returns true...
You can then use a new instance of this trust manager to initialise your ssl context...
for instance.

Hope that helps
L


I have no java certifications. This makes me a bad programmer. Ignore my post.
Barry Brashear
Ranch Hand

Joined: Jun 05, 2001
Posts: 303
Forgive my ignorance, but how do I implement X509TrustManager? I tried importing the following:
import com.sun.net.ssl.TrustManager;
import com.sun.net.ssl.X509KeyManager;
import com.sun.net.ssl.X509TrustManager;
but the lines :
tm[0] = (TrustManager) new AlwaysTrustManager();
and
HttpsURLConnection.setDefaultSocketFactory(ctx.getSocketFactory());
don't compile.
Thanks.
Lewin Chan
Ranch Hand

Joined: Oct 10, 2001
Posts: 214
Hej,
AlwaysTrustManager is a reference to the java source file that you will have created that implements X509TrustManager...
An example for AlwaysTrustManager that should compile under jdk1.3.1

2) The eagle-eyed amongst us will have spotted that HttpsURLConnection.setDefaultSocketFactory(ctx) is, of course, most likely incorrect. If you consult the JSSE 1.0.2 API documentation, you will immediately find that it should have been
HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());


Of course I didn't mention in my previous post, that both option 1 and option 2 should be perfectly valid solutions on their own.
Why you want to ignore the server certificate chain is a decision that you need to make carefully. The point about using ssl is that you probably want to...
a) Ensure that the server (or client) is who they say they are, hence the certificate chain verification...
b) Ensure that the traffic between the two parties is encrypted.

If it is simply an (small) intranet application, then why do you care about security?
L
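Option 1 above (trust the intranet server's actual certificate rather than switching off chain validation) can be done entirely in the client's code, which also answers the worry about rolling a certificate out to every user's machine: ship the truststore file with the client. The following is an added example, not code from this thread; it uses the javax.net.ssl package (JDK 1.4 and later) rather than the com.sun.net.ssl package the thread discusses, and the truststore file name, alias and password are placeholders.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Trust exactly the certificate(s) in a dedicated truststore instead of
 * installing a TrustManager that accepts everything.
 *
 * Assumed one-off setup, run by whoever builds the client (placeholder values):
 *   keytool -import -alias intranet -file intranet-server.crt \
 *           -keystore intranet-truststore.jks -storepass changeit
 * The resulting intranet-truststore.jks is shipped alongside the client.
 */
public final class IntranetTrust {

    /**
     * Build an SSLContext whose only trust anchors are the entries in the
     * given truststore. A server presenting any other chain is rejected
     * with the same SSLException the original poster saw, which is the
     * behaviour we want for every host except the intranet server.
     */
    public static SSLContext contextFromTruststore(String path, char[] password)
            throws IOException, GeneralSecurityException {
        // "JKS" is a KeyStore type; it is not a KeyManagerFactory algorithm,
        // which is why KeyManagerFactory.getInstance("JKS") fails in the thread.
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }

        // The client only has to verify the server, so a TrustManagerFactory
        // is all that is needed; no KeyManagerFactory, no client certificate.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextFromTruststore("intranet-truststore.jks",
                                               "changeit".toCharArray());

        // Applies to every HttpsURLConnection opened afterwards in this JVM,
        // which suits a browser-style client that opens many connections.
        // Hostname verification stays on: HttpsURLConnection checks that the
        // certificate's name matches the URL host unless it is explicitly disabled.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());

        // Placeholder URL for the one HTTPS page (first-time password setup).
        URL url = new URL("https://intranet.example/password-setup");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        System.out.println("HTTP " + conn.getResponseCode()
                + " via " + conn.getCipherSuite());
        conn.disconnect();
    }
}
```

The practical difference from an always-true X509TrustManager is that this client still fails closed: if someone on the intranet stands up another server on the same name, its certificate is not in the truststore and the connection is refused rather than silently accepted. When the server certificate is renewed, the new certificate (or, better, the issuing CA certificate) has to be imported into the shipped truststore.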
Barry Brashear
Ranch Hand

Joined: Jun 05, 2001
Posts: 303
Personally I don't care, but it seems the program does. When I create a URL using an HTTPS url I get a javax.net.ssl.SSLException
untrusted server cert chain.
There is only 1 link in this intranet application that uses HTTPS. If it's the user's first time and they need to set up a password, they will go here.
Hence the HTTPS.
If I choose option 1 instead of 2, how do I get the certificate onto each person's computer that will use this app? That's why I thought of the 2nd one. By the way, when I ran your example, it said it couldn't find JKS as in the line :
KeyManagerFactory kmf = KeyManagerFactory.getInstance("JKS");
Lewin Chan
Ranch Hand

Joined: Oct 10, 2001
Posts: 214
I'm not surprised that JKS doesn't work, it's one of the dangers of you trusting my code.
You might want to list all the KeyManagerFactory types that are made available by the security providers installed in your JDK.
Look at Security.getProviders();
Select one of the ones that are listed in the form
KeyManagerFactory.SOMETHING_OR_OTHER
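Walking Security.getProviders() by hand is tedious, because each provider registers its algorithms under a service type ("KeyManagerFactory", "TrustManagerFactory", "KeyStore", and so on). The following is an added example, not from the thread, that does the listing for you and also prints the defaults the JDK would pick; it uses Provider.getServices(), which exists from JDK 5 onwards, so it would not compile on the JDK 1.3.1 mentioned in the thread.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * List, per JSSE/JCA service type, the algorithm names that the installed
 * providers actually offer, so getInstance() is called with a real name.
 */
public final class ListJsseAlgorithms {

    /**
     * Collect "algorithm (provider)" strings for every service of the given
     * type across all installed providers. serviceType is one of the JCA
     * service-type names, e.g. "KeyManagerFactory", "TrustManagerFactory",
     * "KeyStore" or "SSLContext".
     */
    public static Set<String> algorithmsFor(String serviceType) {
        Set<String> names = new TreeSet<>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if (serviceType.equals(s.getType())) {
                    names.add(s.getAlgorithm() + " (" + p.getName() + ")");
                }
            }
        }
        return names;
    }

    public static void main(String[] args) {
        // "JKS" will show up under KeyStore, not under KeyManagerFactory,
        // which explains the getInstance("JKS") failure reported above.
        System.out.println("KeyStore:            " + algorithmsFor("KeyStore"));
        System.out.println("KeyManagerFactory:   " + algorithmsFor("KeyManagerFactory"));
        System.out.println("TrustManagerFactory: " + algorithmsFor("TrustManagerFactory"));
        System.out.println("SSLContext:          " + algorithmsFor("SSLContext"));

        // The JDK already knows a sensible default for each factory; using it
        // avoids hard-coding a provider-specific name such as "SunX509".
        System.out.println("Default KeyManagerFactory algorithm:   "
                + KeyManagerFactory.getDefaultAlgorithm());
        System.out.println("Default TrustManagerFactory algorithm: "
                + TrustManagerFactory.getDefaultAlgorithm());
    }
}
```

In practice the getDefaultAlgorithm() values are what you want to pass to KeyManagerFactory.getInstance() and TrustManagerFactory.getInstance(); the full listing is mainly useful when a connection fails on a machine with a different provider set than the one the code was written on.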
Barry Brashear
Ranch Hand

Joined: Jun 05, 2001
Posts: 303
One more thing to add. My application is the browser, not what is being accessed by a browser.
I am writing a "speaking" browser that employees will use to access intranet web pages. One of these pages submits a form to a servlet. When I submit the form nothing seems to happen. Any ideas?