XML & Web services: Disabling SSL hostname verification

  1. Disabling SSL hostname verification (2 messages)

    Hi,

    I'm using J2EE 1.4 and J2SE 1.4.2, and have a requirement to connect to a Web Service using SSL, but with hostname verification turned off. Can anyone please provide some pointers on how to achieve this, with any modern Application Server or perhaps embedding Apache Axis?

    I'm guessing I need to override the HostnameVerifier used by the HTTPS URL connector, but that seems to be lacking a system property to override this without altering any code?

    I've found a setting that enables this in WebLogic, is there any other way of doing this?

    Thanks,

    Chris Nappin
  2. Something like this work for you?

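    import java.net.URL;
    import java.net.URLConnection;
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSession;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;

    public class TrustAllExample {
        public static void main(String[] args) {
            try {
                // get ssl context
                SSLContext sc = SSLContext.getInstance("SSL");

                // Create empty HostnameVerifier: accepts any hostname
                HostnameVerifier hv = new HostnameVerifier() {
                    public boolean verify(String urlHostName, SSLSession session) {
                        return true;
                    }
                };

                // Create a trust manager that does not validate certificate chains
                TrustManager[] trustAllCerts = new TrustManager[]{
                    new X509TrustManager() {
                        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                            // empty array rather than null, which some callers dereference
                            return new java.security.cert.X509Certificate[0];
                        }
                        public void checkClientTrusted(
                                java.security.cert.X509Certificate[] certs, String authType) {
                        }
                        public void checkServerTrusted(
                                java.security.cert.X509Certificate[] certs, String authType) {
                        }
                    }
                };

                sc.init(null, trustAllCerts, new java.security.SecureRandom());
                SSLSocketFactory sslSocketFactory = sc.getSocketFactory();

                // Install both as the JVM-wide defaults for every HttpsURLConnection
                HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);
                HttpsURLConnection.setDefaultHostnameVerifier(hv);

                // Must be an https URL, otherwise the cast below throws ClassCastException
                URL u = new URL("https://somehost/service");
                URLConnection uc = u.openConnection();
                HttpsURLConnection connection = (HttpsURLConnection) uc;

            } catch (Exception e) {
                System.out.println("Exception: " + e);
            }
        }
    }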
  3. I should have noted that I don't know of a way to override the default hostname verifier without altering any code. I've run into this problem many times myself.
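
A narrower alternative to the JVM-wide override in the reply above, as an added example that is not part of the original thread: it leaves the default trust manager in place, so the certificate chain is still validated, and accepts one known name mismatch on one connection only. The host `somehost` is taken from the snippet above; the certificate name `service.example.com` and the class name are assumptions for illustration.

```java
import java.net.URL;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

public class ScopedHostnameOverride {
    // Assumed values: the host we dial and the DNS name in the server's certificate.
    static final String DIALED_HOST = "somehost";
    static final String CERT_DNS_NAME = "service.example.com";

    // HttpsURLConnection calls this only after its built-in hostname check has failed.
    static final HostnameVerifier ONE_KNOWN_MISMATCH = new HostnameVerifier() {
        public boolean verify(String urlHostName, SSLSession session) {
            if (!DIALED_HOST.equalsIgnoreCase(urlHostName)) {
                return false; // every other host keeps failing
            }
            try {
                Certificate[] chain = session.getPeerCertificates();
                return hasDnsName((X509Certificate) chain[0], CERT_DNS_NAME);
            } catch (Exception e) {
                return false; // no peer certificate, or one we cannot parse: reject
            }
        }
    };

    // True if the certificate carries the expected dNSName (subjectAltName type 2).
    static boolean hasDnsName(X509Certificate cert, String expected) throws Exception {
        Collection sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false;
        for (Iterator it = sans.iterator(); it.hasNext();) {
            List san = (List) it.next();
            if (((Integer) san.get(0)).intValue() == 2
                    && expected.equalsIgnoreCase((String) san.get(1))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        URL u = new URL("https://" + DIALED_HOST + "/service");
        HttpsURLConnection c = (HttpsURLConnection) u.openConnection();
        c.setHostnameVerifier(ONE_KNOWN_MISMATCH); // this connection only; JVM defaults untouched
        System.out.println("HTTP " + c.getResponseCode());
    }
}
```

The raw collection types keep the code compilable on J2SE 1.4.2 as used in the question; newer compilers accept it with unchecked warnings.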