Talking over SSL from Java
For the first time in this blog, I’m pleased to present to you a
guest post from my good friend, Jeff Scanlon:
Talking over SSL from Java
————————–When using SSLFactory to talk SSL with a server, or using
the URL class to open an https connection, an error you
might encounter is:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
One solution that worked for me is to add the server certificate
to the cacerts file in the appropriate Java runtime.
Steps:
- You must have the server certificate. If you don’t have this
handy, navigate to the secure website, click on the lock icon
(in Internet Explorer). Click on “Details” tab and then click
the “Copy to File…” button. Export the certificate to a DER
encoded binary X.509 (.CER) file. Let’s say you chose the
filename example.cer - Copy example.cer to the jre/lib/security directory in the Java
runtime you are using. If you’re on Windows and the JDK/JRE
is in C:\jdk1.5.0_04, then the full path is:
C:\jdk1.5.0_04\jre\lib\security - Import the certificate into the cacerts file by using the
following command [editor’s note: this is all one command, broken
into multiple lines for blogging]:
keytool -import -storepass changeit -file
example.cer -keystore cacerts
-alias example
‘changeit’ is the default password to the cacerts keystore
‘example.cer’ is the filename you used in step #1
‘example’ is an arbitrary alias you choose for the certificate - Now try your code and see if it can establish the SSL
connection. If you get an error like ‘HTTPS hostname
wrong: should be ____’, then add this code:
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession; // ————————————————-HostnameVerifier hv = new HostnameVerifier() {
public boolean verify(String hostName,
SSLSession session)
{
System.out.println(
“hostName is [” + hostName +
“] and session peer host is [” +
session.getPeerHost() + “]”);
return(true);
}
};HttpsURLConnection.setDefaultHostnameVerifier(hv);
The above code provides a hostname verifier replacement that
will cause hostname verification to succeed (by always
returning true). Be aware that using this code does have
security implications. However, this simplistic verify
replacement should solve SSL communication problems and
provide a starting point for implementing a custom verify
that maintains security.
Jeff has been a good friend of mine for about 16 years, now.
He has been published several times (such as here,
here, and here), and is usually the first person I turn
to for ideas/advice on any programming/computer-related topic. He will definitely be contributing to this blog again in the future.
subscribe to entries feed
Leave a Reply