Reputation: 13547
SSLSocketFactory in java
What role does SSLSocketFactory class in java play when using HttpsURLConnection? The java docs is not of much help.
Are there any ways to bind the keystore and the truststore to with the sslsocketfactory object, to make it point to the keystore and the truststore?
Otherwise how will the connection know the location of the keystore and the truststore(I don't want to use java System Properties)?
Upvotes: 14
Views: 54062
Answers (1)
Reputation: 2050
It is done through SSLContext. You init one and then use it's socket factory to create HttpsConnection instances.
Here is rough example of how I manage this in my application:
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(myKeyManagerFactory.getKeyManagers(), myTrustManagerArray, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
after that your openConnection() calls for https sites will use the sslsocketfactory you initialized here.
Here code for TrustManager to use in your ssl context wich will trust all certificates:
TrustManager[] myTrustManagerArray = new TrustManager[]{new TrustEveryoneManager()};
class TrustEveryoneManager implements X509TrustManager {
public void checkClientTrusted(X509Certificate[] arg0, String arg1){}
public void checkServerTrusted(X509Certificate[] arg0, String arg1){}
public X509Certificate[] getAcceptedIssuers() {
return null;
}
}
Upd from Bruno: beware, trusting any certificate, however convenient it is, makes the connection vulnerable to MITM attacks
Upvotes: 14
Related Questions
- Alternative to sslSocketFactory in Java10
- SSLSocket via another SSLSocket
- SSLServerSocket and certificate setup
- Why does SSLSocketFactory lack setEnabledCipherSuites?
- Where SSLSocketFactory and HttpsURLConnection work diffrerently?
- SSLSocket of HttpsURLConnection
- SSLSocket used ciphersuite
- SSLSocketFactory difference between flavors of createSocket
- How to create custom SSLSocketFactory?
- How is SSLSocket created?