Before all : if you don't know the exact answer so just give me advice how to check. Thanks
I have alreary tried a lot of different way how to implement ssl to my volley request but without success.
I can not understand way I get this error
ResponseJsonString = <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Header</h2>
<hr><p>HTTP Error 400. The request has an invalid header name.</p>
</BODY></HTML>
So step by step my code implementation
This is how I get the volley queue
mRequestQueue = Volley.newRequestQueue(this, new SslHurlStuck(SslUtils.KEYSTORE, SslUtils.PASSWORD_SSL, this));
there is my SslHurlStuck
package utils.ssl;
import android.content.Context;
import android.util.Log;
import com.android.volley.toolbox.HurlStack;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;
import utils.global.AppUtils;
public class SslHurlStuck extends HurlStack
{
private final static String TAG = SslHurlStuck.class.getSimpleName();
private String mTrustStoreAssetName;
private String mTrustStorePassword;
private Context mContext;
public SslHurlStuck(final String iTrustStoreAssetName, final String iTrustStorePassword, Context iContext)
{
super();
mTrustStoreAssetName = iTrustStoreAssetName;
mTrustStorePassword = iTrustStorePassword;
mContext = iContext;
}
#Override
protected HttpURLConnection createConnection(URL url) throws IOException
{
HttpsURLConnection urlConnection = null;
try
{
urlConnection = new PinnedCertificateHttpsURLConnectionFactory(mContext).createHttpsURLConnection(url.toString(), mTrustStoreAssetName, mTrustStorePassword);
}
catch (Throwable iThrowable)
{
AppUtils.printLog(Log.ERROR, TAG, iThrowable.getMessage());
}
return urlConnection;
}
}
And eventually there is my PinnedCertificateHttpsURLConnectionFactory
package utils.ssl;
import android.content.Context;
import android.util.Log;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import utils.global.AppUtils;
import webServices.global.RequestStringBuilder;
public class PinnedCertificateHttpsURLConnectionFactory
{
private final static String TAG = PinnedCertificateHttpsURLConnectionFactory.class.getSimpleName();
private final Context mContext;
public PinnedCertificateHttpsURLConnectionFactory(Context iContext)
{
mContext = iContext;
}
HttpsURLConnection createHttpsURLConnection(String urlString, final String iTrustStoreAssetName, final String iTrustStorePassword) throws Throwable
{
// Initialize the trust manager factory instance with our trust store
// as source of certificate authorities and trust material.
KeyStore trustStore = new TrustStoreFactory(iTrustStoreAssetName, iTrustStorePassword, mContext).createTrustStore();
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(tmfAlgorithm);
trustManagerFactory.init(trustStore);
// Initialize the SSL context.
TrustManager[] wrappedTrustManagers = getWrappedTrustManagers(trustManagerFactory.getTrustManagers());
SSLContext sslContext = SSLContext.getInstance(SslUtils.PROTOCOL_TLS);
sslContext.init(null, wrappedTrustManagers, null);
// Create the https URL connection.
URL url = new URL(urlString);
HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
urlConnection.setSSLSocketFactory(sslContext.getSocketFactory());
urlConnection.setHostnameVerifier(getHostnameVerifier());
return urlConnection;
}
// Let's assume your server app is hosting inside a server machine
// which has a server certificate in which "Issued to" is "localhost",for example.
// Then, inside verify method you can verify "localhost".
// If not, you can temporarily return true
private HostnameVerifier getHostnameVerifier()
{
return new HostnameVerifier()
{
#Override
public boolean verify(String hostname, SSLSession session)
{
HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier();
String localHost = SslUtils.SSL_LOCAL_HOST_DEV;
if (RequestStringBuilder.isEnvironmentProd())
{
localHost = SslUtils.SSL_LOCAL_HOST_PROD;
}
return hv.verify(localHost, session);
// return hv.verify("localhost", session);
// return true;
}
};
}
private TrustManager[] getWrappedTrustManagers(TrustManager[] trustManagers)
{
final X509TrustManager originalTrustManager = (X509TrustManager) trustManagers[0];
final X509TrustManager x509TrustManager = new X509TrustManager()
{
public X509Certificate[] getAcceptedIssuers()
{
return originalTrustManager.getAcceptedIssuers();
}
public void checkClientTrusted(X509Certificate[] certs, String authType)
{
try
{
if (certs != null && certs.length > 0)
{
for (X509Certificate cer : certs)
{
cer.checkValidity();
}
}
else
{
originalTrustManager.checkClientTrusted(certs, authType);
}
}
catch (CertificateException e)
{
AppUtils.printLog(Log.ERROR, TAG, "checkClientTrusted" + e.toString());
}
}
public void checkServerTrusted(X509Certificate[] certs, String authType)
{
try
{
if (certs != null && certs.length > 0)
{
for (X509Certificate cer : certs)
{
cer.checkValidity();
}
}
else
{
originalTrustManager.checkServerTrusted(certs, authType);
}
}
catch (CertificateException e)
{
AppUtils.printLog(Log.ERROR, TAG, "checkServerTrusted" + e.toString());
}
}
};
return new TrustManager[] {x509TrustManager};
}
}
And last one TrustStoreFactory
public class TrustStoreFactory
{
private String mTrustStoreAssetName;
private String mTrustStorePassword;
private Context mContext;
public TrustStoreFactory(final String iTrustStoreAssetName, final String iTrustStorePassword, final Context iContext)
{
mTrustStoreAssetName = iTrustStoreAssetName;
mTrustStorePassword = iTrustStorePassword;
mContext = iContext;
}
KeyStore createTrustStore() throws Throwable
{
// Retrieve the trust store file from the assets.
InputStream inputStream = mContext.getAssets().open(mTrustStoreAssetName);
try
{
// Create a key store with the retrieved input stream.
KeyStore trustStore = KeyStore.getInstance(SslUtils.KEYSTORE_EXTENSION_BKS);
trustStore.load(inputStream, mTrustStorePassword.toCharArray());
return trustStore;
}
finally
{
inputStream.close();
}
}
}
So, question is , what am I doing wrong?
My keystore consist 2 cer files, I tried different combinations to add the cer to the keystore... but nothing was changed.
Actually I don't think that there is a problems with a code, I think some issue with certificates , but I can not understand what exactly, and how to fix it
And also what is intresting that in iOS the same ssl checking work in another way, we just need to get certificate from response and then getPublicKey() on it, and compare if public key from response certificate equal to certificate public key that consist within app... But in android it is much more difficult...
Feel free to ask
So eventyally in my case, I don't know why , but I just deleted Content-type header with the value from the response, and all is ok.
My answer was found here
Android Volley gives me 400 error
The Content-Type header is not treated the same way as other headers by Volley. In particular, overriding getHeaders() to change the content type does not always work. Check this ans for more information
Try this
headers.put("Content-Type", "application/json");
Related
It seems that Java 6 supports TLS up to v1.0, is there any way to use TLS 1.2 in Java 6?
Maybe a patch or a particular update of Java 6 will have support for it?
After a few hours of playing with the Oracle JDK 1.6, I was able to make it work without any code change. The magic is done by Bouncy Castle to handle SSL and allow JDK 1.6 to run with TLSv1.2 by default. In theory, it could also be applied to older Java versions with eventual adjustments.
Download the latest Java 1.6 version from the Java Archive Oracle website
Uncompress it on your preferred path and set your JAVA_HOME environment variable
Update the JDK with the latest Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6
Download the Bounce Castle jar files bcprov-jdk15to18-1.71.jar and bctls-jdk15to18-1.71.jar and copy them into your ${JAVA_HOME}/jre/lib/ext folder
Modify the file ${JAVA_HOME}/jre/lib/security/java.security commenting out the providers section and adding some extra lines
# Original security providers (just comment it)
# security.provider.1=sun.security.provider.Sun
# security.provider.2=sun.security.rsa.SunRsaSign
# security.provider.3=com.sun.net.ssl.internal.ssl.Provider
# security.provider.4=com.sun.crypto.provider.SunJCE
# security.provider.5=sun.security.jgss.SunProvider
# security.provider.6=com.sun.security.sasl.Provider
# security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
# security.provider.8=sun.security.smartcardio.SunPCSC
# Add the Bouncy Castle security providers with higher priority
security.provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
# Original security providers with different priorities
security.provider.3=sun.security.provider.Sun
security.provider.4=sun.security.rsa.SunRsaSign
security.provider.5=com.sun.net.ssl.internal.ssl.Provider
security.provider.6=com.sun.crypto.provider.SunJCE
security.provider.7=sun.security.jgss.SunProvider
security.provider.8=com.sun.security.sasl.Provider
security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.10=sun.security.smartcardio.SunPCSC
# Here we are changing the default SSLSocketFactory implementation
ssl.SocketFactory.provider=org.bouncycastle.jsse.provider.SSLSocketFactoryImpl
Just to make sure it's working let's make a simple Java program to download files from one URL using https.
import java.io.*;
import java.net.*;
public class DownloadWithHttps {
public static void main(String[] args) {
try {
URL url = new URL(args[0]);
System.out.println("File to Download: " + url);
String filename = url.getFile();
File f = new File(filename);
System.out.println("Output File: " + f.getName());
BufferedInputStream in = new BufferedInputStream(url.openStream());
FileOutputStream fileOutputStream = new FileOutputStream(f.getName());
int bytesRead;
byte dataBuffer[] = new byte[1024];
while ((bytesRead = in.read(dataBuffer, 0, 1024)) != -1) {
fileOutputStream.write(dataBuffer, 0, bytesRead);
}
fileOutputStream.close();
} catch (Exception ex) {
ex.printStackTrace();
}
}
}
Now, just compile the DownloadWithHttps.java program and execute it with your Java 1.6
${JAVA_HOME}/bin/javac DownloadWithHttps.java
${JAVA_HOME}/bin/java DownloadWithHttps https://repo1.maven.org/maven2/org/apache/commons/commons-lang3/3.10/commons-lang3-3.10.jar
Important note for Windows users: This solution was tested in a Linux OS, if you are using Windows, please replace the ${JAVA_HOME} by %JAVA_HOME%.
Public Oracle Java 6 releases do not support TLSv1.2. Paid-for releases of Java 6 (post-EOL) might. (UPDATE - TLSv1.1 is available for Java 1.6 from update 111 onwards; source)
Contact Oracle sales.
Other alternatives are:
Use an alternative JCE implementation such as Bouncy Castle. See this answer for details on how to do it. It changes the default SSLSocketFactory implementation, so that your application will use BC transparently. (Other answers show how to use the BC SSLSocketFactory implementation explicitly, but that approach will entail modifying application or library code that that is opening sockets.)
Use an IBM Java 6 ... if available for your platform. According to "IBM SDK, Java Technology Edition fixes to mitigate against the POODLE security vulnerability (CVE-2014-3566)":
"TLSv1.1 and TLSv1.2 are available only for Java 6 service refresh 10, Java 6.0.1 service refresh 1 (J9 VM2.6), and later releases."
However, I'd advise upgrading to a Java 11 (now). Java 6 was EOL'd in Feb 2013, and continuing to use it is potentially risky. Free Oracle Java 8 is EOL for many use-cases. (Tell or remind the boss / the client. They need to know.)
Java 6, now support TLS 1.2, check out below
http://www.oracle.com/technetwork/java/javase/overview-156328.html#R160_121
Here a TLSConnection Factory:
package test.connection;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.Principal;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Hashtable;
import java.util.LinkedList;
import java.util.List;
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.security.cert.X509Certificate;
import org.bouncycastle.crypto.tls.Certificate;
import org.bouncycastle.crypto.tls.CertificateRequest;
import org.bouncycastle.crypto.tls.DefaultTlsClient;
import org.bouncycastle.crypto.tls.ExtensionType;
import org.bouncycastle.crypto.tls.TlsAuthentication;
import org.bouncycastle.crypto.tls.TlsClientProtocol;
import org.bouncycastle.crypto.tls.TlsCredentials;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
/**
* This Class enables TLS V1.2 connection based on BouncyCastle Providers.
* Just to use:
* URL myurl = new URL( "http:// ...URL tha only Works in TLS 1.2);
HttpsURLConnection con = (HttpsURLConnection )myurl.openConnection();
con.setSSLSocketFactory(new TSLSocketConnectionFactory());
* #author AZIMUTS
*
*/
public class TSLSocketConnectionFactory extends SSLSocketFactory {
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
//Adding Custom BouncyCastleProvider
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
static {
if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null)
Security.addProvider(new BouncyCastleProvider());
}
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
//HANDSHAKE LISTENER
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
public class TLSHandshakeListener implements HandshakeCompletedListener {
#Override
public void handshakeCompleted(HandshakeCompletedEvent event) {
}
}
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
//SECURE RANDOM
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
private SecureRandom _secureRandom = new SecureRandom();
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
//Adding Custom BouncyCastleProvider
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
#Override
public Socket createSocket(Socket socket, final String host, int port, boolean arg3)
throws IOException {
if (socket == null) {
socket = new Socket();
}
if (!socket.isConnected()) {
socket.connect(new InetSocketAddress(host, port));
}
final TlsClientProtocol tlsClientProtocol = new TlsClientProtocol(socket.getInputStream(), socket.getOutputStream(), _secureRandom);
return _createSSLSocket(host, tlsClientProtocol);
}
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// SOCKET FACTORY METHODS
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
#Override
public String[] getDefaultCipherSuites() {
return null;
}
#Override
public String[] getSupportedCipherSuites(){
return null;
}
#Override
public Socket createSocket(String host, int port) throws IOException,UnknownHostException{
return null;
}
#Override
public Socket createSocket(InetAddress host, int port) throws IOException {
return null;
}
#Override
public Socket createSocket(String host, int port, InetAddress localHost,
int localPort) throws IOException, UnknownHostException {
return null;
}
#Override
public Socket createSocket(InetAddress address, int port,
InetAddress localAddress, int localPort) throws IOException{
return null;
}
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//SOCKET CREATION
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
private SSLSocket _createSSLSocket(final String host , final TlsClientProtocol tlsClientProtocol) {
return new SSLSocket() {
private java.security.cert.Certificate[] peertCerts;
#Override
public InputStream getInputStream() throws IOException {
return tlsClientProtocol.getInputStream();
}
#Override
public OutputStream getOutputStream() throws IOException {
return tlsClientProtocol.getOutputStream();
}
#Override
public synchronized void close() throws IOException {
tlsClientProtocol.close();
}
#Override
public void addHandshakeCompletedListener(HandshakeCompletedListener arg0) {
}
#Override
public boolean getEnableSessionCreation() {
return false;
}
#Override
public String[] getEnabledCipherSuites() {
return null;
}
#Override
public String[] getEnabledProtocols() {
// TODO Auto-generated method stub
return null;
}
#Override
public boolean getNeedClientAuth(){
return false;
}
#Override
public SSLSession getSession() {
return new SSLSession() {
#Override
public int getApplicationBufferSize() {
return 0;
}
#Override
public String getCipherSuite() {
throw new UnsupportedOperationException();
}
#Override
public long getCreationTime() {
throw new UnsupportedOperationException();
}
#Override
public byte[] getId() {
throw new UnsupportedOperationException();
}
#Override
public long getLastAccessedTime() {
throw new UnsupportedOperationException();
}
#Override
public java.security.cert.Certificate[] getLocalCertificates() {
throw new UnsupportedOperationException();
}
#Override
public Principal getLocalPrincipal() {
throw new UnsupportedOperationException();
}
#Override
public int getPacketBufferSize() {
throw new UnsupportedOperationException();
}
#Override
public X509Certificate[] getPeerCertificateChain()
throws SSLPeerUnverifiedException {
// TODO Auto-generated method stub
return null;
}
#Override
public java.security.cert.Certificate[] getPeerCertificates()throws SSLPeerUnverifiedException {
return peertCerts;
}
#Override
public String getPeerHost() {
throw new UnsupportedOperationException();
}
#Override
public int getPeerPort() {
return 0;
}
#Override
public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
return null;
//throw new UnsupportedOperationException();
}
#Override
public String getProtocol() {
throw new UnsupportedOperationException();
}
#Override
public SSLSessionContext getSessionContext() {
throw new UnsupportedOperationException();
}
#Override
public Object getValue(String arg0) {
throw new UnsupportedOperationException();
}
#Override
public String[] getValueNames() {
throw new UnsupportedOperationException();
}
#Override
public void invalidate() {
throw new UnsupportedOperationException();
}
#Override
public boolean isValid() {
throw new UnsupportedOperationException();
}
#Override
public void putValue(String arg0, Object arg1) {
throw new UnsupportedOperationException();
}
#Override
public void removeValue(String arg0) {
throw new UnsupportedOperationException();
}
};
}
#Override
public String[] getSupportedProtocols() {
return null;
}
#Override
public boolean getUseClientMode() {
return false;
}
#Override
public boolean getWantClientAuth() {
return false;
}
#Override
public void removeHandshakeCompletedListener(HandshakeCompletedListener arg0) {
}
#Override
public void setEnableSessionCreation(boolean arg0) {
}
#Override
public void setEnabledCipherSuites(String[] arg0) {
}
#Override
public void setEnabledProtocols(String[] arg0) {
}
#Override
public void setNeedClientAuth(boolean arg0) {
}
#Override
public void setUseClientMode(boolean arg0) {
}
#Override
public void setWantClientAuth(boolean arg0) {
}
#Override
public String[] getSupportedCipherSuites() {
return null;
}
#Override
public void startHandshake() throws IOException {
tlsClientProtocol.connect(new DefaultTlsClient() {
#Override
public Hashtable<Integer, byte[]> getClientExtensions() throws IOException {
Hashtable<Integer, byte[]> clientExtensions = super.getClientExtensions();
if (clientExtensions == null) {
clientExtensions = new Hashtable<Integer, byte[]>();
}
//Add host_name
byte[] host_name = host.getBytes();
final ByteArrayOutputStream baos = new ByteArrayOutputStream();
final DataOutputStream dos = new DataOutputStream(baos);
dos.writeShort(host_name.length + 3); // entry size
dos.writeByte(0); // name type = hostname
dos.writeShort(host_name.length);
dos.write(host_name);
dos.close();
clientExtensions.put(ExtensionType.server_name, baos.toByteArray());
return clientExtensions;
}
#Override
public TlsAuthentication getAuthentication()
throws IOException {
return new TlsAuthentication() {
#Override
public void notifyServerCertificate(Certificate serverCertificate) throws IOException {
try {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
List<java.security.cert.Certificate> certs = new LinkedList<java.security.cert.Certificate>();
for ( org.bouncycastle.asn1.x509.Certificate c : serverCertificate.getCertificateList()) {
certs.add(cf.generateCertificate(new ByteArrayInputStream(c.getEncoded())));
}
peertCerts = certs.toArray(new java.security.cert.Certificate[0]);
} catch (CertificateException e) {
System.out.println( "Failed to cache server certs"+ e);
throw new IOException(e);
}
}
#Override
public TlsCredentials getClientCredentials(CertificateRequest arg0)
throws IOException {
return null;
}
};
}
});
}
};//Socket
}
}
Remember that to prove this is, the best is to test against a website that exposes ONLY TLS 1.2. If the web exposes TLS 1.0, TLS 1.1 depending on the Java implementation will connect using tls 1.0, tls 1.1. Test it against a site that only exposes TLS 1.2. An example can be the NIST secure site https://www.nist.gov
You must create your own SSLSocketFactory based on Bouncy Castle. After to use it, pass to the common HttpsConnextion for using this customized SocketFactory.
1. First : Create a TLSConnectionFactory
Here one tips:
1.1 Extend SSLConnectionFactory
1.2 Override this method :
#Override
public Socket createSocket(Socket socket, final String host, int port, boolean arg3)
This method will call the next internal method,
1.3 Implement an internal method _createSSLSocket(host, tlsClientProtocol);
Here you must create a Socket using TlsClientProtocol . The trick is override ...startHandshake() method calling TlsClientProtocol
private SSLSocket _createSSLSocket(final String host , final TlsClientProtocol tlsClientProtocol) {
return new SSLSocket() {
.... Override and implement SSLSocket methods, particulary:
startHandshake() {
}
}
Important : The full sample how to use TLS Client Protocol is well explained here: Using BouncyCastle for a simple HTTPS query
2. Second : Use this Customized SSLConnextionFactory on common HTTPSConnection.
This is important ! In other samples you can see into the web , u see hard-coded HTTP Commands....so with a customized SSLConnectionFactory u don't need nothing more...
URL myurl = new URL( "http:// ...URL tha only Works in TLS 1.2);
HttpsURLConnection con = (HttpsURLConnection )myurl.openConnection();
con.setSSLSocketFactory(new TSLSocketConnectionFactory());
In case you need to access a specific set of remote services you could use an intermediate reverse-proxy, to perform tls1.2 for you. This would save you from trying to patch or upgrade java1.6.
e.g.
app -> proxy:http(5500)[tls-1.2] -> remote:https(443)
Configuration in its simplest form (one port per service) for apache httpd is:
Listen 127.0.0.1:5000
<VirtualHost *:5500>
SSLProxyEngine On
ProxyPass / https://remote-domain/
ProxyPassReverse / https://remote-domain/
</VirtualHost>
Then instead of accessing https://remote-domain/ you access http://localhost:5500/
Note: In case you cannot change the service-client code/config so that it targets the localhost domain, you can always play with hosts file and translate the the remote domain to the proxy's ip. But this has a catch. The reverse-proxy specifically will need to resolve the same domain to the original service ip. You can achieve this by moving the proxy to a different machine (with no hosts file entry) or by dockerizing it and utilizing the --add-host feature (or extra_hosts in docker-compose ).
I think that the solution of #Azimuts (https://stackoverflow.com/a/33375677/6503697) is for HTTP only connection.
For FTPS connection you can use Bouncy Castle with org.apache.commons.net.ftp.FTPSClient without the need for rewrite FTPS protocol.
I have a program running on JRE 1.6.0_04 and I can not update the JRE.
The program has to connect to an FTPS server that work only with TLS 1.2 (IIS server).
I struggled for days and finally I have understood that there are few versions of bouncy castle library right in my use case: bctls-jdk15on-1.60.jar and bcprov-jdk15on-1.60.jar are ok, but 1.64 versions are not.
The version of apache commons-net is 3.1 .
Following is a small snippet of code that should work:
import java.io.ByteArrayOutputStream;
import java.security.SecureRandom;
import java.security.Security;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.commons.net.ftp.FTP;
import org.apache.commons.net.ftp.FTPReply;
import org.apache.commons.net.ftp.FTPSClient;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
import org.junit.Test;
public class FtpsTest {
// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {
}
} };
#Test public void test() throws Exception {
Security.insertProviderAt(new BouncyCastleProvider(), 1);
Security.addProvider(new BouncyCastleJsseProvider());
SSLContext sslContext = SSLContext.getInstance("TLS", new BouncyCastleJsseProvider());
sslContext.init(null, trustAllCerts, new SecureRandom());
org.apache.commons.net.ftp.FTPSClient ftpClient = new FTPSClient(sslContext);
ByteArrayOutputStream out = null;
try {
ftpClient.connect("hostaname", 21);
if (!FTPReply.isPositiveCompletion(ftpClient.getReplyCode())) {
String msg = "Il server ftp ha rifiutato la connessione.";
throw new Exception(msg);
}
if (!ftpClient.login("username", "pwd")) {
String msg = "Il server ftp ha rifiutato il login con username: username e pwd: password .";
ftpClient.disconnect();
throw new Exception(msg);
}
ftpClient.enterLocalPassiveMode();
ftpClient.setFileType(FTP.BINARY_FILE_TYPE);
ftpClient.setDataTimeout(60000);
ftpClient.execPBSZ(0); // Set protection buffer size
ftpClient.execPROT("P"); // Set data channel protection to private
int bufSize = 1024 * 1024; // 1MB
ftpClient.setBufferSize(bufSize);
out = new ByteArrayOutputStream(bufSize);
ftpClient.retrieveFile("remoteFileName", out);
out.toByteArray();
}
finally {
if (out != null) {
out.close();
}
ftpClient.disconnect();
}
}
}
I also got a similar error when forced to use TLS1.2 for java 6.
And I handled it thanks to this library:
Clone Source Code:
https://github.com/tobszarny/ssl-provider-jvm16
Add Main Class:
public static void main(String[] args) throws Exception {
try {
String apiUrl = "https://domain/api/query?test=123";
URL myurl = new URL(apiUrl);
HttpsURLConnection con = (HttpsURLConnection) myurl.openConnection();
con.setSSLSocketFactory(new TSLSocketConnectionFactory());
int responseCode = con.getResponseCode();
System.out.println("GET Response Code :: " + responseCode);
} catch (Exception ex) {
ex.printStackTrace();
}
}
another BouncyCastle example. Just using bcprov-jdk15to18, bctls-jdk15to18, bcutil-jdk15to18, did the work for our old 1.6 client application. UPDATE: BC version 1.71
public static void main(String[] args) throws Exception {
//put BC providers in runtime context
if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
Security.insertProviderAt(new BouncyCastleProvider(), 1);
Security.insertProviderAt(new BouncyCastleJsseProvider(), 2);
}
//create an empty trust manager
TrustManager[] trustManager = new TrustManager[] { new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {}
public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {}
} };
//initialize SSLContext
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(null, trustManager, new SecureRandom());
//connect and print data
URL url = new URL("https://stackoverflow.com");
HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
connection.setSSLSocketFactory(sslContext.getSocketFactory());
connection.setRequestMethod("GET");
InputStream returnStream = connection.getInputStream();
for (int ch; (ch = returnStream.read()) != -1; ) {
System.out.print((char) ch);
}
returnStream.close();
connection.disconnect();
}
I know how to sign data using a certificate present on system(machine) but the requirement is to sign the data using certi present on browser. Below is the code. If anyone find my code wrong then please let me know because i am not sure regarding its correctness.
PS - This code works.
import java.io.FileInputStream;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
public class class123 {
public static void main(String[] args) {
String input = "shubham";
byte[] signature = createSignature(input.getBytes());
System.out.println(createSignature(input.getBytes()));
verifySignature(input.getBytes(), signature);
}
private static byte[] createSignature(byte[] file) {
byte[] signature = null;
String Password="abc";
try {
java.security.KeyStore keyStoreFile = java.security.KeyStore.getInstance("PKCS12");
keyStoreFile.load(new FileInputStream("D:\\1.p12"), Password.toCharArray()); //address of certificate (pfx file) and corresponding password.
Enumeration<String> aliases = keyStoreFile.aliases();
String alias = aliases.nextElement();
PrivateKey privateKey = (PrivateKey) keyStoreFile.getKey(alias, Password.toCharArray());
Signature dsa = Signature.getInstance("SHA1withRSA");
dsa.initSign(privateKey);
dsa.update(file, 0, file.length);
signature = dsa.sign();
} catch (Exception e) {
e.printStackTrace();
}
return signature;
}
private static void verifySignature(byte[] file, byte[] sign) {
String Password="abc";
try {
java.security.KeyStore keyStoreFile = java.security.KeyStore.getInstance("PKCS12");
keyStoreFile.load(new FileInputStream("D:\\1.p12"), Password.toCharArray());
Enumeration<String> aliases = keyStoreFile.aliases();
String alias = aliases.nextElement();
Signature dsa = Signature.getInstance("SHA1withRSA");
dsa.initVerify(((X509Certificate) keyStoreFile.getCertificate(alias)).getPublicKey());
dsa.update(file);
boolean ret = dsa.verify(sign);
System.out.println(ret);
} catch (Exception e) {
e.printStackTrace();
}
}
}
it's fine, Kindly check this blog post as I wrote it before while accessing the Microsoft Certificate store to sign and verify, it May help you.
import java.io.FileOutputStream;
import java.net.URL;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
public class CertificateFromBrowser {
public static void main(String[] args) throws Exception {
testConnectionTo(""); // pass the url (eg: https://www.example.com)
}
public static void testConnectionTo(String aURL) throws Exception {
URL destinationURL = new URL(aURL);
HttpsURLConnection conn = (HttpsURLConnection) destinationURL.openConnection();
conn.connect();
Certificate[] certs = conn.getServerCertificates();
System.out.println("nb = " + certs.length);
for (Certificate cert : certs) {
System.out.println("");
System.out.println("");
System.out.println("");
System.out.println("################################################################");
System.out.println("");
System.out.println("");
System.out.println("");
System.out.println("Certificate is: " + cert);
if (cert instanceof X509Certificate) {
try {
((X509Certificate) cert).checkValidity();
System.out.println("Certificate is active for current date");
} catch (CertificateExpiredException cee) {
System.out.println("Certificate is expired");
}
} else {
System.err.println("Unknown certificate type: " + cert);
}
}
}
}
The web service is rest over SSL and it has self signed certificate, hosted in remote system.I have already created a client accessing that web service. This is done by adding the certificate to the key store programatically.
Now I heard that, it is not necessary to add certificate to key store for accesing a self signed web service. Instead we can disable the certificate check by overriding some methods. Is this true? Which are those methods? Please help.
This should be sufficient. I use this when testing code against testing and staging servers where we don't have properly signed certificates. However, you should really really strongly consider getting a valid SSL certificate on your production server. Nobody wants to be wiretapped and have their privacy violated.
SSLContext sc = SSLContext.getInstance("TLS");
sc.init(null, new TrustManager[] { new TrustAllX509TrustManager() }, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
HttpsURLConnection.setDefaultHostnameVerifier( new HostnameVerifier(){
public boolean verify(String string,SSLSession ssls) {
return true;
}
});
And this.
import javax.net.ssl.X509TrustManager;
import java.security.cert.X509Certificate;
/**
* DO NOT USE IN PRODUCTION!!!!
*
* This class will simply trust everything that comes along.
*
* #author frank
*
*/
public class TrustAllX509TrustManager implements X509TrustManager {
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[0];
}
public void checkClientTrusted(java.security.cert.X509Certificate[] certs,
String authType) {
}
public void checkServerTrusted(java.security.cert.X509Certificate[] certs,
String authType) {
}
}
Best of luck!
===UPDATE===
I just wanted to point out that there's a service called Let's Encrypt which automates the process of generating and setting up SSL/TLS certificates recognised by virtually everybody, and it's absolutely free!
Ignoring certs on a per-connection basis is much safer since any other code will still use the secure defaults.
The following code:
Overrides the trust manager and hostname verifier on a per-connection basis.
Reuses the SSLSocketFactory in order to support persistent connections, bypassing the expensive SSL handshake for repeated requests to the same server.
As others have stated, this should only be used for testing, and/or for internal systems communicating with other internal systems.
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
public class TestPersistentConnection
{
private static SSLSocketFactory sslSocketFactory = null;
/**
* Use the VM argument <code>-Djavax.net.debug=ssl</code> for SSL specific debugging;
* the SSL handshake will appear a single time when connections are re-used, and multiple
* times when they are not.
*
* Use the VM <code>-Djavax.net.debug=all</code> for all network related debugging, but
* note that it is verbose.
*
* #throws Exception
*/
public static void main(String[] args) throws Exception
{
//URL url = new URL("https://google.com/");
URL url = new URL("https://localhost:8443/");
// Disable first
request(url, false);
// Enable; verifies our previous disable isn't still in effect.
request(url, true);
}
public static void request(URL url, boolean enableCertCheck) throws Exception {
BufferedReader reader = null;
// Repeat several times to check persistence.
System.out.println("Cert checking=["+(enableCertCheck?"enabled":"disabled")+"]");
for (int i = 0; i < 5; ++i) {
try {
HttpURLConnection httpConnection = (HttpsURLConnection) url.openConnection();
// Normally, instanceof would also be used to check the type.
if( ! enableCertCheck ) {
setAcceptAllVerifier((HttpsURLConnection)httpConnection);
}
reader = new BufferedReader(new InputStreamReader(httpConnection.getInputStream()), 1);
char[] buf = new char[1024];
StringBuilder sb = new StringBuilder();
int count = 0;
while( -1 < (count = reader.read(buf)) ) {
sb.append(buf, 0, count);
}
System.out.println(sb.toString());
reader.close();
} catch (IOException ex) {
System.out.println(ex);
if( null != reader ) {
reader.close();
}
}
}
}
/**
* Overrides the SSL TrustManager and HostnameVerifier to allow
* all certs and hostnames.
* WARNING: This should only be used for testing, or in a "safe" (i.e. firewalled)
* environment.
*
* #throws NoSuchAlgorithmException
* #throws KeyManagementException
*/
protected static void setAcceptAllVerifier(HttpsURLConnection connection) throws NoSuchAlgorithmException, KeyManagementException {
// Create the socket factory.
// Reusing the same socket factory allows sockets to be
// reused, supporting persistent connections.
if( null == sslSocketFactory) {
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, ALL_TRUSTING_TRUST_MANAGER, new java.security.SecureRandom());
sslSocketFactory = sc.getSocketFactory();
}
connection.setSSLSocketFactory(sslSocketFactory);
// Since we may be using a cert with a different name, we need to ignore
// the hostname as well.
connection.setHostnameVerifier(ALL_TRUSTING_HOSTNAME_VERIFIER);
}
private static final TrustManager[] ALL_TRUSTING_TRUST_MANAGER = new TrustManager[] {
new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(X509Certificate[] certs, String authType) {}
public void checkServerTrusted(X509Certificate[] certs, String authType) {}
}
};
private static final HostnameVerifier ALL_TRUSTING_HOSTNAME_VERIFIER = new HostnameVerifier() {
public boolean verify(String hostname, SSLSession session) {
return true;
}
};
}
Many thanks to:
http://runtime32.blogspot.com/2008/11/let-java-ssl-trust-all-certificates.html
TrustManager[] trustAllCerts = new TrustManager[] {new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(X509Certificate[] certs, String authType) {
}
}
};
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
HostnameVerifier allHostsValid = new HostnameVerifier() {
public boolean verify(String hostname, SSLSession session) {
return true;
}
};
HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
GetCustomerPhone http = new GetCustomerPhone();
System.out.println("Processing..");
try{
http.sendPost();
}
catch(Exception e){
e.printStackTrace();
}
}
I think it will working fine.because it fine of me...
How do you disable certificate validation in JAX-WS client using javax.xml.ws.Service?
I tried creating an all-trusting TrustManager in the SSLSocketFactory and tried to bind it with BindingProvider
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
Map<String, Object> ctxt = ((BindingProvider) wsport ).getRequestContext();
ctxt.put(JAXWSProperties.SSL_SOCKET_FACTORY, sc.getSocketFactory());
but I still getting Exception: unable to find valid certification path to requested target
But it works when I just use
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
Or is there a way to make javax.xml.ws.Service use the HttpsURLConnection that I created?
I found a solution here:
http://schrepfler.blogspot.com.br/2009/06/relaxing-ssl-validation-for-jaxws.html
I'm using that solution calling the two static methods on a static block at the main class, like this:
static {
SSLUtilities.trustAllHostnames();
SSLUtilities.trustAllHttpsCertificates();
}
Hope this helps
EDIT: As David J. Liszewski pointed out, this breaks SSL/TLS for all connections from this JVM. So, keep that in mind.
The truth can be found from Erik Wramner's blog here http://erikwramner.wordpress.com/2013/03/27/trust-self-signed-ssl-certificates-and-skip-host-name-verification-with-jax-ws
I include the full solution where Apache CXF is used to make SOAP web service requests to a self-signed SharePoint https service:
NaiveSSLHelper.java
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.transport.http.HTTPConduit;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import javax.xml.ws.BindingProvider;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Map;
public class NaiveSSLHelper {
public static void makeWebServiceClientTrustEveryone(
Object webServicePort) {
if (webServicePort instanceof BindingProvider) {
BindingProvider bp = (BindingProvider) webServicePort;
Map requestContext = bp.getRequestContext();
requestContext.put(JAXWS_SSL_SOCKET_FACTORY, getTrustingSSLSocketFactory());
requestContext.put(JAXWS_HOSTNAME_VERIFIER,
new NaiveHostnameVerifier());
} else {
throw new IllegalArgumentException(
"Web service port "
+ webServicePort.getClass().getName()
+ " does not implement "
+ BindingProvider.class.getName());
}
}
public static SSLSocketFactory getTrustingSSLSocketFactory() {
return SSLSocketFactoryHolder.INSTANCE;
}
private static SSLSocketFactory createSSLSocketFactory() {
TrustManager[] trustManagers = new TrustManager[] {
new NaiveTrustManager()
};
SSLContext sslContext;
try {
sslContext = SSLContext.getInstance("TLS");
sslContext.init(new KeyManager[0], trustManagers,
new SecureRandom());
return sslContext.getSocketFactory();
} catch (GeneralSecurityException e) {
return null;
}
}
public static void makeCxfWebServiceClientTrustEveryone(HTTPConduit http) {
TrustManager[] trustManagers = new TrustManager[]{
new NaiveTrustManager()
};
TLSClientParameters tlsParams = new TLSClientParameters();
tlsParams.setSecureSocketProtocol("TLS");
tlsParams.setKeyManagers(new KeyManager[0]);
tlsParams.setTrustManagers(trustManagers);
tlsParams.setDisableCNCheck(true);
http.setTlsClientParameters(tlsParams);
}
private interface SSLSocketFactoryHolder {
SSLSocketFactory INSTANCE = createSSLSocketFactory();
}
private static class NaiveHostnameVerifier implements
HostnameVerifier {
#Override
public boolean verify(String hostName,
SSLSession session) {
return true;
}
}
private static class NaiveTrustManager implements
X509TrustManager {
#Override
public void checkClientTrusted(X509Certificate[] certs,
String authType) throws CertificateException {
}
#Override
public void checkServerTrusted(X509Certificate[] certs,
String authType) throws CertificateException {
}
#Override
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[0];
}
}
private static final java.lang.String JAXWS_HOSTNAME_VERIFIER =
"com.sun.xml.internal.ws.transport.https.client.hostname.verifier";
private static final java.lang.String JAXWS_SSL_SOCKET_FACTORY =
"com.sun.xml.internal.ws.transport.https.client.SSLSocketFactory";
}
SoapTester.java
import crawler.common.sharepoint.stubs.sitedata.ArrayOfSList;
import crawler.common.sharepoint.stubs.sitedata.GetListCollectionResponse;
import crawler.common.sharepoint.stubs.sitedata.SList;
import crawler.common.sharepoint.stubs.sitedata.SiteData;
import crawler.common.sharepoint.stubs.sitedata.SiteDataSoap;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;
import org.apache.cxf.transport.http.asyncclient.AsyncHTTPConduit;
import org.apache.cxf.transport.http.auth.HttpAuthHeader;
import org.apache.cxf.transport.http.auth.SpnegoAuthSupplier;
import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
import org.ietf.jgss.GSSName;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPMessage;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.Holder;
import javax.xml.ws.Service;
import javax.xml.ws.handler.Handler;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;
import java.io.ByteArrayOutputStream;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
/**
* This example will invoke a web service on SharePoint 2013+ with optional kerberos auth.
*/
public class SoapTester {
private static final Logger LOG = LoggerFactory.getLogger(SoapTester.class);
public static void main(String[] args) {
String endpointAddress = args[0];
String keytabFilePath = args.length > 2 ? args[1] : null;
String principalName = args.length > 2 ? args[2] : null;
String servicePrincipalName = args.length > 3 ? args[3] : null;
if (!endpointAddress.endsWith("/")) {
endpointAddress += "/";
}
endpointAddress += "_vti_bin/SiteData.asmx";
final String endpointAddressFinal = endpointAddress;
Service service = Service.create(SiteData.SERVICE);
SiteDataSoap soap = service.getPort(SiteDataSoap.class);
NaiveSSLHelper.makeWebServiceClientTrustEveryone(soap);
BindingProvider bindingProvider = (BindingProvider) soap;
bindingProvider.getRequestContext().put(AsyncHTTPConduit.USE_ASYNC,
Boolean.TRUE);
bindingProvider.getRequestContext().put(
BindingProvider.ENDPOINT_ADDRESS_PROPERTY, endpointAddress);
List<Handler> chain = bindingProvider.getBinding().getHandlerChain();
chain.add(new SOAPHandler<SOAPMessageContext>() {
#Override
public boolean handleMessage(SOAPMessageContext context) {
String endpointAddress = (String) context.get(BindingProvider.ENDPOINT_ADDRESS_PROPERTY);
SOAPMessage msg = context.getMessage();
Boolean outbound = (Boolean) context.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
try (ByteArrayOutputStream out = new ByteArrayOutputStream()) {
msg.writeTo(out);
String str = new String(out.toByteArray());
LOG.info("Sharepoint xml [" + endpointAddress + "]" + (outbound ? " (Outbound)" : " (Inbound)") + ": " + str);
} catch (Exception e) {
LOG.error("Cannot get soap xml from message ", e);
}
if (outbound.booleanValue()) {
try {
context.getMessage().setProperty(SOAPMessage.CHARACTER_SET_ENCODING, "UTF-8");
} catch (Exception e) {
throw new RuntimeException(e);
}
}
return true;
}
#Override
public boolean handleFault(SOAPMessageContext context) {
return true;
}
#Override
public void close(MessageContext context) {
}
#Override
public Set<QName> getHeaders() {
return null;
}
});
bindingProvider.getBinding().setHandlerChain(chain);
Client client = ClientProxy.getClient(bindingProvider);
client.getEndpoint().put("org.apache.cxf.stax.maxChildElements", System.getProperty("org.apache.cxf.stax.maxChildElements") != null ? System.getProperty("org.apache.cxf.stax.maxChildElements") : "5000000");
HTTPConduit http = (HTTPConduit) client.getConduit();
NaiveSSLHelper.makeCxfWebServiceClientTrustEveryone(http);
AuthorizationPolicy authorization = new AuthorizationPolicy();
authorization.setAuthorizationType(HttpAuthHeader.AUTH_TYPE_NEGOTIATE);
http.setAuthorization(authorization);
SpnegoAuthSupplier authSupplier = new SpnegoAuthSupplier();
if (servicePrincipalName != null) {
authSupplier.setServicePrincipalName(servicePrincipalName);
authSupplier.setServiceNameType(GSSName.NT_HOSTBASED_SERVICE);
}
Map<String, String> loginConfig = new HashMap<>();
loginConfig.put("useKeyTab", "true");
loginConfig.put("storeKey", "true");
loginConfig.put("refreshKrb5Config", "true");
loginConfig.put("keyTab", keytabFilePath);
loginConfig.put("principal", principalName);
loginConfig.put("useTicketCache", "true");
loginConfig.put("debug", String.valueOf(true));
authSupplier.setLoginConfig(new Configuration() {
#Override
public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
return new AppConfigurationEntry[] {
new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
loginConfig)};
}
});
http.setAuthSupplier(authSupplier);
HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
httpClientPolicy.setAllowChunking(false);
httpClientPolicy.setAutoRedirect(true);
http.setClient(httpClientPolicy);
Holder<ArrayOfSList> vLists = new Holder<>();
Holder<Long> getListCollectionResult = new Holder<>();
soap.getListCollectionAsync(getListCollectionResult, vLists, res -> {
try {
GetListCollectionResponse listCollectionResponse = res.get();
ArrayOfSList arrayOfSList = listCollectionResponse.getVLists();
LOG.info("Successfully got {} lists from {}", arrayOfSList.getSList().size(), endpointAddressFinal);
for (SList slist : arrayOfSList.getSList()) {
LOG.info("Successfully got list {}", slist.getTitle());
}
System.exit(0);
} catch (Exception e) {
LOG.error("List collection response", e);
}
});
}
}
Here is another example with respect to JDK7 and glassfish. Please pay attention for Nikolay Smirnov's comment as well. I use jdk 7 and glassfish 3.1.2. In this environment the suggested solution works perfect if the server deal with a self signed cerfificate.
// import com.sun.xml.ws.developer.JAXWSProperties;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Map;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import javax.xml.ws.BindingProvider;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;
/**
*
* Usage examples (BindingProvider port):
* NaiveSSLHelper.makeWebServiceClientTrustEveryone(port); // GlassFish
* NaiveSSLHelper.makeCxfWebServiceClientTrustEveryone(port); // TomEE
*
* Based on Erik Wramner's example frome here:
* http://erikwramner.wordpress.com/2013/03/27/trust-self-signed-ssl-certificates-and-skip-host-name-verification-with-jax-ws/
*
* I have extended the functionality when Apache CXF is used.
*/
public class NaiveSSLHelper {
private static final String JAXWS_HOSTNAME_VERIFIER = "com.sun.xml.ws.transport.https.client.hostname.verifier"; // JAXWSProperties.HOSTNAME_VERIFIER;
private static final String JAXWS_SSL_SOCKET_FACTORY = "com.sun.xml.ws.transport.https.client.SSLSocketFactory"; // JAXWSProperties.SSL_SOCKET_FACTORY;
// In Glassfish (Metro) environment you can use this function (Erik Wramner's solution)
public static void makeWebServiceClientTrustEveryone(Object webServicePort) {
if (webServicePort instanceof BindingProvider) {
BindingProvider bp = (BindingProvider) webServicePort;
Map requestContext = bp.getRequestContext();
requestContext.put(JAXWS_SSL_SOCKET_FACTORY, getTrustingSSLSocketFactory());
requestContext.put(JAXWS_HOSTNAME_VERIFIER, new NaiveHostnameVerifier());
} else {
throw new IllegalArgumentException(
"Web service port "
+ webServicePort.getClass().getName()
+ " does not implement "
+ BindingProvider.class.getName());
}
}
// In TomEE (Apache CXF) environment you can use this function (my solution)
public static void makeCxfWebServiceClientTrustEveryone(Object port) {
TrustManager[] trustManagers = new TrustManager[]{
new NaiveTrustManager()
};
Client c = ClientProxy.getClient(port);
HTTPConduit httpConduit = (HTTPConduit) c.getConduit();
TLSClientParameters tlsParams = new TLSClientParameters();
tlsParams.setSecureSocketProtocol("SSL");
tlsParams.setKeyManagers(new KeyManager[0]);
tlsParams.setTrustManagers(trustManagers);
tlsParams.setDisableCNCheck(true);
httpConduit.setTlsClientParameters(tlsParams);
}
public static SSLSocketFactory getTrustingSSLSocketFactory() {
return SSLSocketFactoryHolder.INSTANCE;
}
private static SSLSocketFactory createSSLSocketFactory() {
TrustManager[] trustManagers = new TrustManager[]{
new NaiveTrustManager()
};
SSLContext sslContext;
try {
sslContext = SSLContext.getInstance("SSL");
sslContext.init(new KeyManager[0], trustManagers, new SecureRandom());
return sslContext.getSocketFactory();
} catch (GeneralSecurityException e) {
return null;
}
}
private static interface SSLSocketFactoryHolder {
public static final SSLSocketFactory INSTANCE = createSSLSocketFactory();
}
private static class NaiveHostnameVerifier implements
HostnameVerifier {
#Override
public boolean verify(String hostName,
SSLSession session) {
return true;
}
}
private static class NaiveTrustManager implements
X509TrustManager {
#Override
public void checkClientTrusted(java.security.cert.X509Certificate[] certs,
String authType) throws java.security.cert.CertificateException {
}
#Override
public void checkServerTrusted(java.security.cert.X509Certificate[] certs,
String authType) throws java.security.cert.CertificateException {
}
#Override
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return new java.security.cert.X509Certificate[0];
}
}
}
Putting aside all security issues that come with it, if anyone still want to disable certificate validation in a JAX-WS Client. This is how i do.
NB: And this way, instead of breaking SSL/TLS for ALL connections, you disable certificate validation for THAT client only.
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.transport.http.HTTPConduit;
/** Custom JAX-WS client factory used to ignore certificate validation */
public class NotSecureClientFactory extends JaxWsProxyFactoryBean {
#Override
protected ClientProxy clientClientProxy(Client c) {
// Create a client factory that does not validate certificate chains
ClientProxy cp = super.clientClientProxy(c);
HTTPConduit httpConduit = (HTTPConduit) cp.getClient().getConduit();
httpConduit.setTlsClientParameters(tlsClientParameters());
return cp;
}
public TLSClientParameters tlsClientParameters() {
TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(X509Certificate[] certs, String authType) {
}
} };
TLSClientParameters tlsClientParameters = new TLSClientParameters();
tlsClientParameters.setTrustManagers(trustAllCerts);
return tlsClientParameters;
}
}
Actually CXF comes w/ an InsecureTrustManager for testing purpose.
For a Spring Boot app, it would be as easy as the following to disable TLS validation in all your CXF clients. Needless to say, u should NEVER do this in a prod env.
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;
import org.apache.cxf.transport.https.InsecureTrustManager;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Configuration;
import javax.inject.Inject;
import javax.xml.ws.BindingProvider;
import java.util.Set;
#ConditionalOnProperty(value = "soap.validate-tls.client", havingValue = "true")
#Configuration
class DisableTlsCxfClientConfig {
#Inject
DisableTlsCxfClientConfig(Set<BindingProvider> soapClients) {
var insecureTlsParam = new TLSClientParameters();
insecureTlsParam.setTrustManagers(InsecureTrustManager.getNoOpX509TrustManagers());
insecureTlsParam.setDisableCNCheck(true);
soapClients.stream()
.map(ClientProxy::getClient)
.map(Client::getConduit)
.map(HTTPConduit.class::cast)
.forEach(c -> c.setTlsClientParameters(insecureTlsParam));
}
}
Shout out to #addiene, #jontro & #Miklos Krivan who provided all the pieces! Thank u very much!
When I run the code below i can access it okay over a browser, but I can't seem to get it to work using curl with this command:
curl -v -s -k "https://localhost:8080"
I am running the following code:
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.PrintStream;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import org.simpleframework.http.Request;
import org.simpleframework.http.Response;
import org.simpleframework.http.core.Container;
import org.simpleframework.transport.connect.Connection;
import org.simpleframework.transport.connect.SocketConnection;
/**
* Simple Server SSL Hello World Example.
*
*/
public class SimpleSSLHelloWorld implements Container {
public static int count = 0;
public static String EMTPY_STRING = "";
public static int serverPort;
public static String KEYSTORE_PROPERTY = "javax.net.ssl.keyStore";
public static String KEYSTORE_PASSWORD_PROPERTY = "javax.net.ssl.keyStorePassword";
public static String KEYSTORE_TYPE_PROPERTY = "javax.net.ssl.keyStoreType";
public static String KEYSTORE_ALIAS_PROPERTY = "javax.net.ssl.keyStoreAlias";
public static void main(final String[] args) throws Exception {
SimpleSSLHelloWorld.serverPort = 8080;
// System.setProperty("javax.net.debug", "all");
System.setProperty(SimpleSSLHelloWorld.KEYSTORE_PROPERTY, "mySrvKeystore");
System.setProperty(SimpleSSLHelloWorld.KEYSTORE_PASSWORD_PROPERTY, "123456");
Container container = new SimpleSSLHelloWorld();
SocketAddress address = new InetSocketAddress(SimpleSSLHelloWorld.serverPort);
SSLContext sslContext = SimpleSSLHelloWorld.createSSLContext();
Connection connectionHttps = new SocketConnection(container);
connectionHttps.connect(address, sslContext);
System.out.println("Simple Server started on port: " + SimpleSSLHelloWorld.serverPort);
}
public void handle(final Request request, final Response response) {
try {
System.out.println("what");
SimpleSSLHelloWorld.logRequest(request);
SimpleSSLHelloWorld.dummyResponse(response);
SimpleSSLHelloWorld.logResponse(response);
} catch (Exception e) {
e.printStackTrace();
}
}
public static SSLContext createSSLContext() throws Exception {
String keyStoreFile = System.getProperty(SimpleSSLHelloWorld.KEYSTORE_PROPERTY);
String keyStorePassword = System.getProperty(SimpleSSLHelloWorld.KEYSTORE_PASSWORD_PROPERTY,
SimpleSSLHelloWorld.EMTPY_STRING);
String keyStoreType = System.getProperty(SimpleSSLHelloWorld.KEYSTORE_TYPE_PROPERTY, KeyStore.getDefaultType());
KeyStore keyStore = SimpleSSLHelloWorld.loadKeyStore(keyStoreFile, keyStorePassword, null);
FileInputStream keyStoreFileInpuStream = null;
try {
if (keyStoreFile != null) {
keyStoreFileInpuStream = new FileInputStream(keyStoreFile);
keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(keyStoreFileInpuStream, keyStorePassword.toCharArray());
}
} finally {
if (keyStoreFileInpuStream != null) {
keyStoreFileInpuStream.close();
}
}
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, keyStorePassword.toCharArray());
SSLContext sslContext = SSLContext.getInstance("SSLv3");
// sslContext.init(keyManagerFactory.getKeyManagers(), new TrustManager[]{new NaiveX509TrustManager()}, null);
sslContext.init(keyManagerFactory.getKeyManagers(), null, null);
return sslContext;
}
public static KeyStore loadKeyStore(final String keyStoreFilePath, final String keyStorePassword,
final String keyStoreType) throws Exception {
KeyStore keyStore = null;
File keyStoreFile = new File(keyStoreFilePath);
if (keyStoreFile.isFile()) {
keyStore = KeyStore.getInstance(keyStoreType != null ? keyStoreType : KeyStore.getDefaultType());
keyStore.load(new FileInputStream(keyStoreFile), keyStorePassword != null ? keyStorePassword
.toCharArray() : SimpleSSLHelloWorld.EMTPY_STRING.toCharArray());
}
return keyStore;
}
public static void logRequest(final Request request) throws IOException {
StringBuilder builder = new StringBuilder();
builder.append(">>> REQUEST\n");
builder.append(request);
builder.append(request.getContent());
System.out.println(builder);
}
public static void logResponse(final Response response) throws IOException {
StringBuilder builder = new StringBuilder();
builder.append("<<< RESPONSE\n");
builder.append(response);
if (response.getContentLength() > 0) {
builder.append("... ").append(response.getContentLength()).append(" bytes ...\n");
}
System.out.println(builder);
}
public static void dummyResponse(final Response response) throws IOException {
PrintStream body = response.getPrintStream();
long time = System.currentTimeMillis();
response.set("Content-Type", "text/plain");
response.set("Server", "SSL HelloWorld/1.0 (Simple 4.0)");
response.setDate("Date", time);
response.setDate("Last-Modified", time);
body.println("Hello World: " + ++SimpleSSLHelloWorld.count);
body.close();
}
}
I'm stumped and not really sure why it doesn't work over curl.