Hi,
I'm using J2EE 1.4 and J2SE 1.4.2, and have a requirement to connect to a Web Service using SSL, but with hostname verification turned off. Can anyone please provide some pointers on how to achieve this, with any modern Application Server or perhaps embedding Apache Axis?
I'm guessing I need to override the HostnameVerifier used by the HTTPS URL connector, but that seems to be lacking a system property to override this without altering any code?
I've found a setting that enables this in WebLogic; is there any other way of doing this?
Thanks,
Chris Nappin
Disabling SSL hostname verification (2 messages)
- Posted by: Chris Nappin
- Posted on: June 14 2005 04:01 EDT
Disabling SSL hostname verification
- Posted by: Nigel O'Reilly
- Posted on: June 14 2005 16:06 EDT
- in response to Chris Nappin
Something like this work for you?
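import java.net.URL;
import java.net.URLConnection;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class DisableHostnameVerification {
    public static void main(String[] args) {
        try {
            // get ssl context
            SSLContext sc = SSLContext.getInstance("SSL");
            // Create a HostnameVerifier that accepts every host name
            HostnameVerifier hv = new HostnameVerifier() {
                public boolean verify(String urlHostName, SSLSession session) {
                    return true;
                }
            };
            // Create a trust manager that does not validate certificate chains
            TrustManager[] trustAllCerts = new TrustManager[]{
                new X509TrustManager() {
                    public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                        return null;
                    }
                    public void checkClientTrusted(
                            java.security.cert.X509Certificate[] certs, String authType) {
                    }
                    public void checkServerTrusted(
                            java.security.cert.X509Certificate[] certs, String authType) {
                    }
                }
            };
            sc.init(null, trustAllCerts, new java.security.SecureRandom());
            SSLSocketFactory sslSocketFactory = sc.getSocketFactory();
            // Both setDefault* calls apply to every HttpsURLConnection in the JVM
            HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);
            HttpsURLConnection.setDefaultHostnameVerifier(hv);
            // The URL must use https, otherwise the cast below throws ClassCastException
            URL u = new URL("https://somehost/service");
            URLConnection uc = u.openConnection();
            HttpsURLConnection connection = (HttpsURLConnection) uc;
        } catch (Exception e) {
            System.out.println("Exception: " + e);
        }
    }
}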
Disabling SSL hostname verification
- Posted by: Nigel O'Reilly
- Posted on: June 14 2005 16:17 EDT
- in response to Nigel O'Reilly
I should have noted that I don't know of a way to override the default hostname verifier without altering any code. I've run into this problem many times myself.
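
A narrower alternative to the code posted in this thread, as an added example that is not part of either poster's message: it leaves the default trust manager (certificate chain validation) in place, sets the verifier on one connection instead of JVM-wide, and tolerates a name mismatch only for one expected host presenting one known certificate. The class name PinnedHostnameVerifier, the open helper, the host service.example.test and the all-zero fingerprint are assumptions made for illustration.

```java
import java.io.IOException;
import java.net.URL;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

// Added example (hypothetical class, not from the thread).
public class PinnedHostnameVerifier implements HostnameVerifier {
    private final String expectedHost;  // the only URL host this exception applies to
    private final byte[] pinnedSha256;  // SHA-256 of the server's DER-encoded leaf certificate

    public PinnedHostnameVerifier(String expectedHost, byte[] pinnedSha256) {
        this.expectedHost = expectedHost;
        this.pinnedSha256 = pinnedSha256.clone();
    }

    // HttpsURLConnection consults this callback when the URL host and the
    // certificate's name do not match. Accept only the known host + known cert.
    @Override
    public boolean verify(String urlHostName, SSLSession session) {
        if (!expectedHost.equalsIgnoreCase(urlHostName)) {
            return false; // e.g. a redirect to some other host
        }
        try {
            Certificate leaf = session.getPeerCertificates()[0];
            byte[] actual = MessageDigest.getInstance("SHA-256").digest(leaf.getEncoded());
            return MessageDigest.isEqual(actual, pinnedSha256);
        } catch (Exception e) {
            return false; // unverified peer or encoding failure: reject
        }
    }

    // Scope the exception to this one connection; JVM defaults stay untouched.
    public static HttpsURLConnection open(URL url, byte[] pinnedSha256) throws IOException {
        HttpsURLConnection c = (HttpsURLConnection) url.openConnection();
        c.setHostnameVerifier(new PinnedHostnameVerifier(url.getHost(), pinnedSha256));
        return c;
    }

    public static void main(String[] args) throws IOException {
        byte[] pin = new byte[32]; // constructed placeholder, not a real fingerprint
        HttpsURLConnection c = open(new URL("https://service.example.test/service"), pin);
        System.out.println(c.getHostnameVerifier().getClass().getName()); // no network I/O yet
    }
}
```

The server certificate still has to chain to a CA in the client's trust store; a self-signed certificate would be imported into a dedicated trust store rather than handled with an accept-all trust manager.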