Java - standard SSL certificate all-trusting code fails


I think by now, every Java coder who's had experience with SSL certificate trusting errors has used or at least encountered this code:

    import java.security.cert.X509Certificate;
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSession;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;

    // Create a trust manager that does not validate certificate chains
    TrustManager[] trustAllCerts;
    trustAllCerts = new TrustManager[] {
        new X509TrustManager() {
            @Override
            public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                return null;
            }
            @Override
            public void checkClientTrusted(X509Certificate[] certs, String authType) {
            }
            @Override
            public void checkServerTrusted(X509Certificate[] certs, String authType) {
            }
        }
    };

    // Install the all-trusting trust manager
    SSLContext sc = SSLContext.getInstance("SSL");
    sc.init(null, trustAllCerts, new java.security.SecureRandom());
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

    // Create an all-trusting host name verifier
    HostnameVerifier allHostsValid = new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    };

    // Install the all-trusting host verifier
    HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);

So far, I have used this code with success to ignore certificate mismatches when accessing an HTTPS site via IP address (don't ask me why I do it, it's a different story). However, I tried the same thing with another HTTPS site, and found that the code fails with the following exception:

    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints

So, the question is, what is wrong, and how can I fix it?

I've fixed the problem. It looks like the server is using MD2 in its certificate. So far, the only fix I know for this problem is locating the jre/lib/security/java.security file in the JDK path and changing jdk.certpath.disabledAlgorithms=MD2 to jdk.certpath.disabledAlgorithms= so that the MD2 algorithm isn't disabled. It looks nasty, but, sadly, I couldn't find a way to enable MD2 programmatically.

Looking back, I remember I could access it before I updated Java, which killed my java.security file edit.
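
A diagnostic for the failure described in the answer, added here as an example and not part of the original post: it reads jdk.certpath.disabledAlgorithms and reports which signature algorithm names that setting blocks unconditionally. The class name, helper methods and sample algorithm names are constructed for illustration, and the name matching is a simplification of the JDK's own check.

```java
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

// Added diagnostic example; names below are hypothetical, not from the post.
public class DisabledAlgCheck {

    // Names disabled unconditionally by a jdk.certpath.disabledAlgorithms value.
    // Entries with a constraint (e.g. "RSA keySize < 1024") are skipped here.
    static List<String> disabledNames(String property) {
        List<String> names = new ArrayList<>();
        if (property == null) return names;
        for (String entry : property.split(",")) {
            String[] tokens = entry.trim().split("\\s+");
            if (tokens.length == 1 && !tokens[0].isEmpty()) {
                names.add(tokens[0].toUpperCase(Locale.ROOT));
            }
        }
        return names;
    }

    // Returns the disabled name contained in e.g. "MD2withRSA", or null.
    // Simplified decomposition: split on "with", "and" and "/"; no alias handling.
    static String match(String sigAlg, List<String> disabled) {
        for (String part : sigAlg.toUpperCase(Locale.ROOT).split("WITH|AND|/")) {
            if (disabled.contains(part)) return part;
        }
        return null;
    }

    // Prints the verdict for every certificate of a chain supplied by the caller.
    static void report(X509Certificate[] chain, List<String> disabled) {
        for (X509Certificate c : chain) {
            System.out.println(c.getSubjectX500Principal() + " : " + c.getSigAlgName()
                    + " -> " + match(c.getSigAlgName(), disabled));
        }
    }

    public static void main(String[] args) {
        List<String> disabled =
                disabledNames(Security.getProperty("jdk.certpath.disabledAlgorithms"));
        System.out.println("Unconditionally disabled in this JRE: " + disabled);
        // Constructed sample signature algorithm names, not taken from a real server.
        for (String alg : new String[] {"MD2withRSA", "SHA256withRSA", "SHA1withECDSA"}) {
            String hit = match(alg, disabled);
            System.out.println(alg + (hit == null ? " : not blocked by name" : " : blocked by " + hit));
        }
    }
}
```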

