Java and invalid SSL certificates (java-trustprovideragent)

July 25, 2011 by Michael

It is easy to generate an SSL certificate, for example for use with Tomcat (see here). Such a certificate is invalid because it is self-signed by you, and it often doesn’t match the hostname. That is no problem when you access the project with a browser: after more or less jumping through hoops you accept the development certificate and you’re done.

If you access the site through Java itself you’ll have problems with all tools that basically use a URLConnection. You’ll end up with an exception like this:

Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: 
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: 
unable to find valid certification path to requested target

This will hit you, for example, when using HtmlUnit or my oembed client.

It isn’t enough to import the certificate in question using keytool (at least, it didn’t work for me).

I searched and found this post titled “SSL Trust Provider for Java”. Interesting stuff.

This works by registering a “java.security.Provider” through the Security API that accepts all certificates. Nice tip, thanks!

I didn’t want to change my sources though, so I wrote a very small Java agent to instrument my development setup. I also added a “javax.net.ssl.HostnameVerifier” that accepts all host names, in case the certificate’s CN doesn’t match the development machine’s hostname. If I want my VM to trust anything and everything, I just add “-javaagent:full/path/to/java-trustprovideragent-0.0.1-SNAPSHOT.jar”.
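When you would rather not have the whole VM trust everything, the narrower fix for the same PKIX error is to hand the JVM a truststore that holds only the self-signed development certificate and to relax the hostname check only for the one development host. The following is an added example, not code from the java-trustprovideragent project; it assumes Java 7 or later, a truststore created with keytool (here dev-truststore.jks with password changeit) and a development host name, all passed as arguments.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;

public class DevTrust {

    // Builds an SSLContext that trusts only the certificates in the given truststore
    // (e.g. the self-signed Tomcat certificate imported with keytool), nothing else.
    static SSLContext contextFor(String trustStorePath, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            store.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Relaxes the hostname check for exactly one known development host; every other
    // host keeps the JDK's default behaviour, i.e. a CN/SAN mismatch is rejected.
    static HostnameVerifier verifierFor(final String devHost) {
        final HostnameVerifier fallback = HttpsURLConnection.getDefaultHostnameVerifier();
        return new HostnameVerifier() {
            public boolean verify(String host, SSLSession session) {
                return host.equalsIgnoreCase(devHost) || fallback.verify(host, session);
            }
        };
    }

    // Usage: java DevTrust dev-truststore.jks changeit devbox.local https://devbox.local:8443/
    // (truststore file, password, host name and URL are assumptions made for this example)
    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextFor(args[0], args[1].toCharArray());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(verifierFor(args[2]));
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[3]).openConnection();
        System.out.println("HTTP " + conn.getResponseCode() + " from " + conn.getURL().getHost());
    }
}
```

Because the truststore contains only the development certificate, a connection to any other host still fails the PKIX check, so the relaxation cannot leak into production traffic. The same truststore can also be applied without code changes via the standard -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword system properties, which keeps the hostname check fully intact.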

The code is on GitHub as java-trustprovideragent; please feel free to use it.

Thanks to the original authors on devcentral.f5.com.
