Is there a java setting for disabling certificate validation? [duplicate]

I received this error while trying to start up an application:

Sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: java.net.UnknownHostException:oscp.thawte.com

The application is behind a closed network and won't ever be able to get to oscp.thawte.com. Is there a java setting that can disable this?

0

7 Answers

-Dcom.sun.net.ssl.checkRevocation=false

9

Not exactly a setting but you can override the default TrustManager and HostnameVerifier to accept anything. Not a safe approach but in your situation, it can be acceptable.

Complete example : Fix certificate problem in HTTPS

1

Use cli utility keytool from java software distribution for import (and trust!) needed certificates

Sample:

  1. From cli change dir to jre\bin

  2. Check keystore (file found in jre\bin directory)
    keytool -list -keystore ..\lib\security\cacerts
    Enter keystore password: changeit

  3. Download and save all certificates chain from needed server.

  4. Add certificates (before need to remove "read-only" attribute on file "..\lib\security\cacerts") keytool -alias REPLACE_TO_ANY_UNIQ_NAME -import -keystore ..\lib\security\cacerts -file "r:\root.crt"

accidentally I found such a simple tip. Other solutions require the use of InstallCert.Java and JDK

source:

In addition to the answers above. You can do it programmatically by implementing the TrustManager:

TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() { public java.security.cert.X509Certificate[] getAcceptedIssuers() { return null; } @Override public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {} @Override public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {} } }; SSLContext sc=null; try { sc = SSLContext.getInstance("SSL"); } catch (NoSuchAlgorithmException e) { e.printStackTrace(); } try { sc.init(null, trustAllCerts, new java.security.SecureRandom()); } catch (KeyManagementException e) { e.printStackTrace(); } HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); // Create all-trusting host name verifier HostnameVerifier validHosts = new HostnameVerifier() { @Override public boolean verify(String arg0, SSLSession arg1) { return true; } }; // All hosts will be valid HttpsURLConnection.setDefaultHostnameVerifier(validHosts);

However this is not a good practice for production.

This example on How to disable SSL certificat validation in Java contains a utility class you can copy in your project.

4

On my Mac that I'm sure I'm not going to allow java anyplace other than a specific site, I was able to use Preferences->Java to bring up the Java control panel and turned the checking off. If DLink ever fixes their certificate, I'll turn it back on.

Java control panel - Advanced

1

In Axis webservice and if you have to disable the certificate checking then use below code:

AxisProperties.setProperty("axis.socketSecureFactory","org.apache.axis.components.net.SunFakeTrustSocketFactory");

It is very simple .In my opinion it is the best way for everyone

 Unirest.config().verifySsl(false); HttpResponse<String> response = null; try { Gson gson = new Gson(); response = Unirest.post("your_api_url") .header("Authorization", "Basic " + "authkey") .header("Content-Type", "application/json") .body("request_body") .asString(); System.out.println("------RESPONSE -------"+ gson.toJson(response.getBody())); } catch (Exception e) { System.out.println("------RESPONSE ERROR--"); e.printStackTrace(); } }
1

You Might Also Like