Accept server's self-signed SSL certificate in Java client

java

ssl

truststore

trustmanager

byAlex Kataev·Nov 20, 2024

To trust all certificates when dealing with self-signed SSL certificates in Java, use a custom TrustManager. Bypass certificate validation by implementing X509TrustManager. Set it to the SSLContext, and apply this custom SSLSocketFactory to your connection.

// Ignoring all certificate validity checks like a rebel!
TrustManager[] trustAllCerts = new TrustManager[]{
  new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain, String authType) {}
    public void checkServerTrusted(X509Certificate[] chain, String authType) {}
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
  }
};

SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

Heads up!: Disable SSL validation for testing; it's the Wild Wild West for production.

Securing interactions with self-signed certificates

When it comes to SSL/TLS, Java's client is picky. It wants to trust a server's certificate. Self-signed certificates lack the endorsement of established Certificate Authorities (CAs), which makes them less popular at Java's certificate party. Yet, you might need to accept a self-signed certificate.

Adding certificates into the holiest of holies - Java's KeyStore

Manually adding your server's self-signed certificate into Java's KeyStore as a TrustStore, before you even attempt to bypass all SSL checks, is a good first step.

The Java Key Management Utility, keytool is your buddy here:

keytool -import -alias "myserver" -file myserver.crt -keystore mycacerts.jks -storepass changeit

Customising your TrustManager to be a picky eater

You want to become a custom TrustManager that critiques certificate chains, like a wine maker evaluating grapes for the best vintage. Trust the self-signed certificate if it matches the one within your TrustStore.

TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
FileInputStream fis = new FileInputStream("mycacerts.jks"); // Feeding my TrustStore
ks.load(fis, "storepass".toCharArray()); 

tmf.init(ks); // Initialize TrustManager with KeyStore
SSLContext sc = SSLContext.getInstance("TLS"); 
sc.init(null, tmf.getTrustManagers(), new SecureRandom()); // Voila, custom SSL Context!

Navigating with Apache HttpClient

If you're a proud user of Apache HttpClient 4.5+, you can use the built-in SSLContext and TrustSelfSignedStrategy magic to navigate the murky realm of self-signed certificates.

SSLContextBuilder sslContextBuilder = new SSLContextBuilder()
    .loadTrustMaterial(new TrustSelfSignedStrategy());

Together we build the safest HttpClient:

CloseableHttpClient httpclient = HttpClients.custom()
        .setSSLSocketFactory(new SSLConnectionSocketFactory(sslContextBuilder.build()))
        .build();

Let's talk about trust issues: Hostname verification

SSL/TLS and hostname verification are best friends. Java dutifully makes sure the certificate's Common Name matches the server's hostname.

When (and why) to break the trust

You might need to disable hostname verification, but only if you're not dealing with real word scenarios. Here's the trick:

HttpsURLConnection.setDefaultHostnameVerifier ((hostname, session) -> true);

A trust fall - A safer approach to hostname verification

Adding a logic in your HostnameVerifier to only accept the expected hostname of your self-signed certificate, instead of disabling it altogether, keeps the trust intact along with security.

Best Practices and Recommendations

Take the high road: Use a CA-signed certificate for production.
Check Environment Compatibility: Solutions may differ according to the server environment (JBoss, Tomcat, etc).
Targeted Trust: Limit trust alterations where they are necessary and avoid impacting the default SSL factory.

explain-codes / Java / Accept server's self-signed SSL certificate in Java client

Linked

Java HTTPS Client Certificate Authentication



Problems using Maven and SSL behind proxy



How to properly import a selfsigned certificate into Java keystore that is available to all Java applications by default?



"pkix path building failed" and "unable to find valid certification path to requested target"



How to import an existing X.509 certificate and private key in Java keystore to use in SSL?



Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?



Trusting all certificates using HttpClient over HTTPS



Securing interactions with self-signed certificates Let's talk about trust issues: Hostname verification Best Practices and Recommendations