I am writing a Java proxy which communicates to other servers using SSL.
It all works well using ServerSocketFactory along with a keystore and truststore which is populated with the server cert.
I wonder, is there a way in Java 7 to disable the certification and trust all servers? (and yes I know this is risky - but the proxy is for internal use only)
I have seen some examples of implementing TrustManager using X509TrustManager implementation, although apparently Java 7 does not support these contracts and X509TrustManager itself has been deprecated.
Appreciate your advice and any code sample on Java 7 that works.
MITM proxy servers (i.e. servers capable of looking into SSL/TLS traffic) normally use their own CA to generate fake certificates for the requested site.
Install this CA certificate in your client's trust store instead of tweaking the code. This is a much cleaner solution, and in the long run, it's easier to deploy.
(For a more direct answer to your question, the countless examples of trust managers that do nothing still work fine in Java 7.)
What I did was implement a java.security.Provider using the code mentioned in this post:
https://code.google.com/p/misc-utils/wiki/JavaHttpsUrl
Note: it is the second solution offered.
This post does not mention that you should also add a keystore in order to make things work.
So, these VM arguments should be set as well (otherwise you will get an error message of "no cipher suites in common"):
-Djavax.net.ssl.keyStore=KEYSTORE LOCATION
-Djavax.net.ssl.keyStorePassword=YOUR PASS
I hope this will help you, since in all the places I looked at this part was not mentioned.
Related
I need to add a trusted cert to the cacerts that come with the JRE, but I do not have control or ownership over my customer's JRE installation. Is there a way to do this through the security APIs other than to assume a file path location for the cacerts file and read it into a custom TrustManager?
I don't recommend setting a trust store globally for the JVM, unless you are running a standalone Java application. Typically you can configure the SSLContext with the needed trust material supporting the certificates you need.
However, be aware that SSL in Java is one of the more annoying parts, because the smallest configuration error can give you some really strange error messages.
Previously I have had success implementing two-way SSL authentication (public or privately signed certs) using not-yet-commons-ssl, and although the library is a bit old, it is easier to use than raw Java, especially if you have to support multiple JVM versions.
You can use your own trust store and define it in JVM -D parameters for SSL.
That is what I always do in the exact same corporate environment I have.
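Added example, not code from any of the posts above: a Java 7-compatible helper that serves both the first question (trust the internal proxy's CA instead of a trust-all TrustManager, and load the keystore the second answer says is required) and this one (trust an extra cert without editing the customer's cacerts) by building a per-SSLContext trust store in memory from a certificate file. The class name and the file names internal-proxy-ca.pem and server.jks are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper: trusts one extra CA per SSLContext without touching the
// JRE cacerts and without a trust-all TrustManager. Compiles on Java 7.
public final class PinnedSslContext {

    // Parse one PEM/DER certificate into an in-memory trust store (no file on disk).
    static KeyStore trustStoreFrom(InputStream certStream) throws Exception {
        X509Certificate ca = (X509Certificate) CertificateFactory
                .getInstance("X.509").generateCertificate(certStream);
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);                       // start empty
        ts.setCertificateEntry("internal-ca", ca); // only this CA is trusted
        return ts;
    }

    // keyStorePath may be null for a plain client; a server (or two-way TLS) needs it,
    // otherwise the handshake fails with "no cipher suites in common".
    static SSLContext build(InputStream certStream, String keyStorePath,
                            char[] keyStorePass) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory
                .getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStoreFrom(certStream));
        KeyManagerFactory kmf = null;
        if (keyStorePath != null) {
            KeyStore ks = KeyStore.getInstance("JKS");
            try (InputStream in = new FileInputStream(keyStorePath)) {
                ks.load(in, keyStorePass);
            }
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, keyStorePass);
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        try (InputStream pem = new FileInputStream("internal-proxy-ca.pem")) { // assumed file
            SSLContext ctx = build(pem, "server.jks", "changeit".toCharArray()); // assumed keystore
            System.out.println("SSLContext ready, protocol " + ctx.getProtocol());
        }
    }
}
```

Use ctx.getSocketFactory() for outbound connections and ctx.getServerSocketFactory() for the proxy's listener; a server presented with a certificate signed by any other CA is rejected by the default TrustManager, which is the behaviour a trust-all manager throws away.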
So, I have been using the Java Websockets API to create a WebSocket server in Java, which worked just fine, until I realized I should be using an SSL encrypted connection using "wss:myurl.tld". Basically, the API wants an SSLContext object to work with SSL, but I can't for the life of me figure out how to make one of those.
I looked at some examples and found out that if I could make a Java KeyStore file with a certificate I could make it work, so I tried to do that.
I started fiddling around with trying to get a "Let's Encrypt" certificate following these instructions but I ran into some problems.
I run Windows and I could find no software using the Let's Encrypt system that worked the same as in the instructions, and Homebrew on my Mac is broken, and it's running a too old OS to update.
Being rather inexperienced with SSL I had no real idea what to put in as parameters.
So, in short, how do I make my Java Websocket server use a secure SSL connection?
Oh, and pardon my messy English and lack of question-writing skills, I'm a bit new to these sorts of things.
Don't be surprised but my question is not about something not working: why the .Net WebClient is able to use HTTPS out-of-the-box without any configuration?
I wouldn't ask if I did not have some serious reasons to think it should not be the case: indeed I've used the Apache HttpClient to do the exact same operation, a POST through HTTPS, but it complained.
What bothered the HttpClient was the fact the server TLS certificate was not known.
It's a legitimate complaint so I've added the certificate to the JRE certificates store I was using and after that all worked as expected.
First could you remove a horrible doubt: WebClient is correctly using HTTPS and if I try to connect to "https://downloadspywaresandmalwares.com" it should reject me with something like "are you crazy dude, this is not a trusted location!"?
So I guess this has to do with the diverging security policies of .Net and Java: maybe Java is bundled with its own set of certificates and authorities whereas .Net is more integrated with the OS which may have a bigger set of trusted certificates.
So how could I check all these assumptions?
If it can have any importance: I've used the web-site from Chrome but never from IE so WebClient is not using IE configuration.
Thanks for any input. :)
Ok I think I've finally got it:
as I suspected .Net does not have its own certificates store but uses the OS store
I've managed to find and delete the certificate but this is not easy because Windows is fighting to maintain some certificates in its store
once deleted, as expected, the WebClient is broken and complains because it "Could not establish trust relationship for the SSL/TLS secure channel"
so yes the WebClient correctly uses SSL, that's a relief :)
Hopefully this information will be useful for somebody else...
I'm currently investigating for a client a solution where he wants to send and receive files using sftp in Domino.
I have looked on the net for APIs covering this and found one recommended more than others; JSch.
One reason for choosing this API is for its use by others including Eclipse.
What I'd like to know is:
are there any obstacles using this library? If so, can you recommend any other?
are there any other caveats using sftp in Domino Java?
does the Domino JVM support the Java(TM) Cryptography Extension (JCE)?
can we use Domino's self-signed certificates here, with Domino's CA?
/Mike
1) Sending. This should work, but you will probably have to deal with the JVM's Security Manager ("/jvm/lib/security/java.policy") of Domino to get a socket, ...
2) Receiving: You probably don't want to implement an SSH server inside Domino. It's much easier and more secure to use the SSH server of the host and periodically scoop up the inbound files via an Agent.
Domino's self-signed SSL certificates have nothing to do with SSH as implemented by JSch.
3) The Domino JVM will probably support the Java(TM) Cryptography Extension (JCE). Watch out for the supported JRE versions of Domino.
4) Generally: Are you sure you want to implement it that way? Probably way easier are either WebServices or a REST API, both via SSL/TLS and optionally facilitating client certificates.
I am porting an SSL related project from C with OpenSSL to Java. In the C part, we use OpenSSL and set the engine as we designed ourselves. We use ENGINE_set_RSA() to set the rsa_priv_enc method which will be used in the SSL handshake. Here is the problem: I want to find a class or method that can do the same thing in Java, but nothing related was found. Maybe it is because English is not my native language and I cannot use the exact keyword.
I had a similar problem some time ago. Take a look at:
Client connecting to an SSL server with Self-Signed Certificates
I think it will help you.