Reputation: 1967
I have a server which is running an HTTPS web server. When I enter it with my browser I get errors that the domain does not match (because I use the IP of the server) and that the certificate is not trusted. Now I need to send GET requests to that server using Apache HttpClient 4.2.1. I found a piece of code online that helps me:
// Apache HttpClient 4.2.x: accept ANY server certificate and ANY hostname.
// This disables TLS server authentication entirely.
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.TrustStrategy;
import org.apache.http.impl.client.DefaultHttpClient;

// a = ClientConnectionManager, b = HttpParams (left as in the original snippet)
DefaultHttpClient httpClient = new DefaultHttpClient(a, b);
SSLSocketFactory sslSocketFactory = new SSLSocketFactory(
        new TrustStrategy() {
            @Override
            public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                return true; // every certificate chain is "trusted", so the CA check is skipped
            }
        },
        SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER); // hostname in the certificate is never checked
httpClient.getConnectionManager().getSchemeRegistry().register(new Scheme("https", 443, sslSocketFactory));
Because I don't fully understand this code I would like to ask some questions.
1) Do I understand correctly that the first parameter of SSLSocketFactory is to bypass the "not trusted" part of my certificate problem? It basically just returns that every certificate is trusted?
2) The second parameter is probably needed because my certificate hostname does not match the URL?
3) What exactly is this SchemeRegistry and Scheme? I am making a new Scheme with parameters "https", 443 and my previously created SSLSocketFactory. I understand that this Scheme is for HTTPS connections and that it uses the rules I defined in sslSocketFactory, but what's the port for? Does this work for HTTPS connections that are only on port 443 or also on other ports? If my port is different, should I type in a different port there?
4) The most important question: if I were to use a trusted certificate, then how could I skip only the hostname verification and not change the trust strategy?
Upvotes: 1
Views: 3847
Reputation: 123300
1) Do I understand correctly that the first parameter of SSLSocketFactory is to bypass the "not trusted" part of my certificate problem? It basically just returns that every certificate is trusted?
Yes. Which is a very bad idea.
2) The second parameter is probably needed because my certificate hostname does not match the URL?
Yes. Which is a very bad idea too.
... but what's the port for?
This is the default port for the protocol, i.e. if you give a https://host/ URL and not https://host:port/, then it knows that the port will be 443.
4) The most important question: if I were to use a trusted certificate, then how could I skip only the hostname verification and not change the trust strategy?
It would be a very bad idea to disable this important part of the validation. In effect you would allow any certificate signed by a trusted CA to be used instead of your own certificate. Since it is easy to own some domain and get a trusted certificate for it, you would thus open yourself to easy man-in-the-middle attacks.
If it is really impossible to use the correct certificate (why do you use IP instead of name anyway?) then you should use certificate or public key pinning to trust only this certificate. See OWASP for more information including sample code.
Upvotes: 4
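The pinning approach the answer recommends, as an added example for HttpClient 4.2.x that is not part of the question or the answer: instead of a TrustStrategy that returns true for everything, this one accepts a server only if the SHA-256 digest of the leaf certificate's public key (its DER SubjectPublicKeyInfo) equals a pin obtained out of band. Because the pin identifies the server exactly, the hostname/IP mismatch in the certificate no longer matters and the hostname verifier is disabled deliberately. The example address 192.0.2.10:8443, the port 8443 in the Scheme and the command-line arguments are assumptions for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.TrustStrategy;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.util.EntityUtils;

/** Example (not from the original post): trust exactly one server public key. */
public class PinnedHttpsClient {

    /** Accepts the chain only if the leaf's SubjectPublicKeyInfo hashes to the pin. */
    static final class SpkiPinTrustStrategy implements TrustStrategy {
        private final byte[] pin;

        SpkiPinTrustStrategy(String sha256Hex) {
            this.pin = hexToBytes(sha256Hex);
        }

        @Override
        public boolean isTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            if (chain == null || chain.length == 0) {
                throw new CertificateException("empty certificate chain");
            }
            X509Certificate leaf = chain[0];
            leaf.checkValidity(); // still reject expired or not-yet-valid certificates
            byte[] actual;
            try {
                // getEncoded() on the public key returns the DER SubjectPublicKeyInfo
                actual = MessageDigest.getInstance("SHA-256").digest(leaf.getPublicKey().getEncoded());
            } catch (NoSuchAlgorithmException e) {
                throw new CertificateException(e);
            }
            if (!MessageDigest.isEqual(pin, actual)) {
                // Throw instead of returning false: returning false would make HttpClient
                // fall back to the default CA-based trust manager.
                throw new CertificateException("server public key does not match the pin");
            }
            return true; // trusted by the pin; the default trust manager is not consulted
        }
    }

    /** Parses a 64-character hex SHA-256 digest (colons allowed, as in openssl output). */
    static byte[] hexToBytes(String hex) {
        String clean = hex.replace(":", "").trim();
        if (clean.length() != 64) {
            throw new IllegalArgumentException("expected a 32-byte SHA-256 digest in hex");
        }
        byte[] out = new byte[32];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(clean.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    /** Builds a client whose https scheme uses the pinned socket factory. */
    static DefaultHttpClient newPinnedClient(String sha256Hex, int defaultHttpsPort)
            throws GeneralSecurityException {
        // The pin already identifies the server exactly, so the hostname check
        // (which the IP-addressed certificate would fail anyway) is switched off here.
        SSLSocketFactory ssf = new SSLSocketFactory(
                new SpkiPinTrustStrategy(sha256Hex),
                SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
        DefaultHttpClient client = new DefaultHttpClient();
        client.getConnectionManager().getSchemeRegistry()
                .register(new Scheme("https", defaultHttpsPort, ssf));
        return client;
    }

    public static void main(String[] args) throws Exception {
        // Assumed usage: args[0] = URL such as https://192.0.2.10:8443/status,
        // args[1] = pin computed once, out of band, e.g.
        //   openssl s_client -connect 192.0.2.10:8443 </dev/null 2>/dev/null \
        //     | openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER \
        //     | openssl dgst -sha256
        DefaultHttpClient client = newPinnedClient(args[1], 8443);
        try {
            HttpResponse resp = client.execute(new HttpGet(args[0]));
            System.out.println(resp.getStatusLine());
            System.out.println(EntityUtils.toString(resp.getEntity()));
        } finally {
            client.getConnectionManager().shutdown();
        }
    }
}
```

The port passed to the Scheme is only the default applied to https URLs that carry no explicit port; the socket factory registered under "https" is used for every HTTPS connection the client makes, whatever port the URL names. If the server's certificate is later reissued with a new key pair, the pin has to be updated, which is the cost of trusting one key rather than a CA.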