JeffAyers

Self-Signed Certificate


In our QA environment, we are using a self-signed certificate for an API Proxy that fronts Atmos. I am using the Atmos-Java component and would like a way to ignore the following error: javax.net.ssl.SSLException: hostname in certificate didn't match: <hostname>... Is there a way programmatically to ignore this error for the EsuRestApiApache class for non-production environments?

For example, I have used the following code successfully to ignore the same problem when using HttpClient:

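import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import org.apache.http.HttpHost;
import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.AllowAllHostnameVerifier;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.TrustStrategy;
import org.apache.http.conn.ssl.X509HostnameVerifier;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.PoolingClientConnectionManager;

// The members below belong inside the client class that uses them.

// Accepts every certificate chain without any validation.
protected static class TrustSelfSignedStrategy implements TrustStrategy {
    @Override
    public boolean isTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
        return true;
    }
}

// Builds a connection manager with chain validation and hostname checks both disabled.
protected static ClientConnectionManager enableSelfSignedCerts() throws Exception {
    TrustStrategy trustStrategy = new TrustSelfSignedStrategy();
    X509HostnameVerifier hostnameVerifier = new AllowAllHostnameVerifier();
    SSLSocketFactory sslSf = new SSLSocketFactory(trustStrategy, hostnameVerifier);
    Scheme https = new Scheme("https", 443, sslSf);
    SchemeRegistry schemeRegistry = new SchemeRegistry();
    schemeRegistry.register(https);
    ClientConnectionManager connection = new PoolingClientConnectionManager(schemeRegistry);
    return connection;
}

public static void main(String[] args) {
    try {
        HttpHost targetHost = new HttpHost("hostname", 8443, "https");
        DefaultHttpClient httpclient = new DefaultHttpClient(enableSelfSignedCerts());
        // ...
    } catch (Exception e) {
        e.printStackTrace();
    }
}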

Sincerely,

Jeff


Accepted Solutions
Re: Self-Signed Certificate

Out of the box there is not an easy way to disable certificate validation when using the Apache client. You have three options:

1) Add your self-signed certificate(s) to the default Java keystore.

http://www.chrissearle.org/node/260

2) Modify EsuRestApiApache with getClient/setClient. You could then configure your own HttpClient instance with your custom socket factory.

3) Use the non-Apache EsuRestApi, then use the code from the last comment on this page: http://code.google.com/p/atmos-java/wiki/SSL
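A narrower variant of options 1 and 2, added here as an example (it is not code from either poster or from the atmos-java project): a custom socket factory that trusts only the QA proxy's own certificate and leaves hostname verification enabled, without touching the JVM-wide keystore. The class name `PinnedQaCertClient`, the alias `qa-proxy` and the certificate path argument are assumptions; port 8443 is taken from the question.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.PoolingClientConnectionManager;

// Hypothetical class name; HttpClient 4.2 API, matching the code in the question.
public class PinnedQaCertClient {

    /** Builds a connection manager that trusts only the certificate stored at certPath. */
    static ClientConnectionManager pinnedConnectionManager(String certPath, int port) throws Exception {
        // Load the single self-signed certificate (PEM or DER) exported from the QA proxy.
        Certificate qaCert;
        try (InputStream in = new FileInputStream(certPath)) {
            qaCert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        // In-memory truststore holding only that certificate; the default cacerts is not modified.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("qa-proxy", qaCert); // alias is an assumption

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        // Hostname verification stays on: any other certificate, or this one presented
        // for a different host name, is rejected.
        SSLSocketFactory sslSf = new SSLSocketFactory(ctx, SSLSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("https", port, sslSf));
        return new PoolingClientConnectionManager(registry);
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to the exported QA certificate file.
        DefaultHttpClient client = new DefaultHttpClient(pinnedConnectionManager(args[0], 8443));
        System.out.println("Connection manager: " + client.getConnectionManager().getClass().getName());
    }
}
```

Because the hostname check is kept, the "hostname in certificate didn't match" exception from the question will still be raised unless the QA certificate is issued with the host name the client actually connects to.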

JeffAyers

Re: Self-Signed Certificate

Number 3 worked for me.  Thanks again.
