
Invalidate trusting certificate control

 
Barry Brashear
Ranch Hand
Posts: 303
I have a small intranet web application and I would like to invalidate the trusting certificate control so I won't get the "untrusted server cert chain" exception. Can anyone tell me how to do this?
Thanks,
Barry
 
Lewin Chan
Ranch Hand
Posts: 214
Hej,
I'm assuming that you're talking about a client making an https connection to your webapp, and it's failing at the client end because it doesn't trust the server (or vice versa).
1) Just import the remote server certificate into your local keystore.
2) Implement X509TrustManager so you have a simple implementation that always returns true...
You can then use a new instance of this trust manager to initialise your ssl context...
for instance.

Hope that helps
L
 
Barry Brashear
Ranch Hand
Posts: 303
Forgive my ignorance, but how do I implement X509TrustManager? I tried importing the following:
import com.sun.net.ssl.TrustManager;
import com.sun.net.ssl.X509KeyManager;
import com.sun.net.ssl.X509TrustManager;
but the lines :
tm[0] = (TrustManager) new AlwaysTrustManager();
and
HttpsURLConnection.setDefaultSocketFactory(ctx.getSocketFactory());
don't compile.
Thanks.
 
Lewin Chan
Ranch Hand
Posts: 214
Hej,
AlwaysTrustManager is a reference to the java source file that you will have created that implements X509TrustManager...
An example for AlwaysTrustManager that should compile under jdk1.3.1

2) The eagle-eyed amongst us will have spotted that HttpsURLConnection.setDefaultSocketFactory(ctx) is, of course, most likely incorrect. If you consult the JSSE 1.0.2 API documentation, you will immediately find that it should have been
HttpsURLConnection.setDefaultSSLSocketFactory(ctx);


Of course I didn't mention in my previous post, that both option 1 and option 2 should be perfectly valid solutions on their own.
Why you want to ignore the server certificate chain is a decision that you need to make carefully. The point about using ssl is that you probably want to...
a) Ensure that the server (or client) is who they say they are, hence the certificate chain verification...
b) Ensure that the traffic between the two parties is encrypted.

If it is simply an (small) intranet application, then why do you care about security?
L
 
Barry Brashear
Ranch Hand
Posts: 303
Personally I don't care, but it seems the program does. When I create a URL using an HTTPS url I get a javax.net.ssl.SSLException:
untrusted server cert chain.
There is only 1 link in this intranet application that uses HTTPS. If it's the user's first time and they need to set up a password, they will go here.
Hence the HTTPS.
If I choose option 1 instead of 2, how do I get the certificate onto each person's computer that will use this app? That's why I thought of the 2nd one. By the way, when I ran your example, it said it couldn't find JKS, as in the line:
KeyManagerFactory kmf = KeyManagerFactory.getInstance("JKS");
 
Lewin Chan
Ranch Hand
Posts: 214
I'm not surprised that JKS doesn't work, it's one of the dangers of you trusting my code.
You might want to list all the KeyManagerFactory types that are made available by the security providers installed in your JDK.
Look at Security.getProviders();
Select one of the ones that are listed in the form
KeyManagerFactory.SOMETHING_OR_OTHER
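The two options Lewin describes, carried through in one compilable class, as an added example that is not code from either poster. It uses the standard javax.net.ssl package (the com.sun.net.ssl names in the thread belong to the JDK 1.3 JSSE extension and have been deprecated since JDK 1.4), so it needs Java 5 or later for Provider.getServices(). The resource name intranet-truststore.jks, its password and the https://intranet.example URL are assumptions for illustration. The class also shows why the "JKS" error occurred: JKS is a KeyStore type, whereas KeyManagerFactory and TrustManagerFactory are asked for an algorithm name such as SunX509 or PKIX, so getInstance("JKS") on either factory throws NoSuchAlgorithmException.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example, not the thread's own code: handling "untrusted server cert chain"
// in a Java HTTPS client, with the trust-everything manager shown only for contrast.
public class IntranetTrust {

    /** Option 2 from the thread: accept any chain. This switches off server
     *  authentication entirely, so anyone on the intranet who can redirect
     *  traffic can impersonate the password-setup page. Kept here only so the
     *  difference from the pinned truststore below is visible. */
    static final class AlwaysTrustManager implements X509TrustManager {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** Option 1 done in code: trust exactly the certificate(s) in a truststore
     *  that ships inside the application, so nothing has to be installed on
     *  each user's machine. */
    static TrustManager[] trustManagersFromStore(InputStream storeBytes, char[] storePassword)
            throws Exception {
        // "JKS" is a KeyStore type, which is where that name belongs.
        KeyStore trustStore = KeyStore.getInstance("JKS");
        trustStore.load(storeBytes, storePassword);
        // The factories take an algorithm name (e.g. "SunX509", "PKIX"), not a
        // store type; asking KeyManagerFactory for "JKS" fails with
        // NoSuchAlgorithmException, which is the error reported in the thread.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf.getTrustManagers();
    }

    /** Server authentication only, so no KeyManager is needed on the client. */
    static SSLContext contextFor(TrustManager[] tms) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tms, null);
        return ctx;
    }

    /** The Security.getProviders() suggestion from the thread, carried through:
     *  print every algorithm registered for a service type such as
     *  "KeyManagerFactory" or "TrustManagerFactory". */
    static void listAlgorithms(String serviceType) {
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if (serviceType.equals(s.getType())) {
                    System.out.println(p.getName() + ": " + serviceType + "." + s.getAlgorithm());
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        listAlgorithms("KeyManagerFactory");
        listAlgorithms("TrustManagerFactory");

        // Assumed resource name and password: a truststore bundled in the app jar
        // that holds only the intranet server's certificate.
        InputStream store = IntranetTrust.class.getResourceAsStream("/intranet-truststore.jks");
        if (store == null) {
            throw new IllegalStateException("intranet-truststore.jks missing from classpath");
        }
        TrustManager[] pinned = trustManagersFromStore(store, "changeit".toCharArray());

        // setDefaultSSLSocketFactory takes an SSLSocketFactory, not the context itself.
        HttpsURLConnection.setDefaultSSLSocketFactory(contextFor(pinned).getSocketFactory());

        URL url = new URL(args.length > 0 ? args[0] : "https://intranet.example/setup"); // assumed
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

To build the bundled truststore, export the server's certificate from its keystore (keytool -exportcert -alias <server alias> -keystore <server keystore> -file server.cer) and import it into a fresh store that is packaged with the client (keytool -importcert -alias intranet -file server.cer -keystore intranet-truststore.jks). Because only that one certificate is trusted, the client still gets the server authentication Lewin lists as point (a), which is what protects the first-time password setup; the AlwaysTrustManager variant gives up that property and keeps only the encryption of point (b).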
 
Barry Brashear
Ranch Hand
Posts: 303
One more thing to add. My application is the browser, not what is being accessed by a browser.
I am writing a "speaking" browser that employees will use to access intranet web pages. One of these pages submits a form to a servlet. When I submit the form nothing seems to happen. Any ideas?
 