Rectangle 27 0

I don't see what you're doing wrong, but you might want to try the procedure described here. See also this JavaMail FAQ entry with more advice.

InstallCert with argument myhost.com:993 helped. I have used wrong certificate before.

Java mail with SSL - PKIX path validation failed - Stack Overflow

java ssl javamail email-integration
Rectangle 27 0

As I think there are two causes of this exception.

  • The root certificate is not trusted in the Java keystore.
  • The intermediate certificates needed are not present or wrong. All certificates in the path should be sent from the web server to the client.

yep, these was my first thoughts too. But why sometimes the certificate was validated successfully and sometimes not ... without any change ?

according to Qualys SSL Labs, the order of the certificates are incorrect. May this be the reason ?

java - Unstable SSL certificate path validation under OpenJDK - Stack ...

java ssl ssl-certificate openjdk
Rectangle 27 0

Don't bother disabling it in your code, you can just add the certificate to your testing machines truststore and be 100% sure you don't ship a build with the check disabled.

@JuryA Why? Why would you ever want to write code that is conditionally insecure? Don't do this.

I have to do that too because it's software I'm writing for several clients that will connect to their own servers with all different certificates. I don't really care about the certificate because the link is entirely trusted.

Both sides of this argument are actually right - while it's right to ensure that the certificates are valid, the developers will have to manage certificates continuously - simple if it's only a couple, but what happens when it proliferates? What happens when 2-way SSL comes into play? Client certificates have to be installed on servers too... this can get out of hand. On the flip side, if there is an integration environment which has genuine certificates deployed and there is automated testing against new deployments, then everyone is a winner.

ssl - How to disable certificate validation in java - Stack Overflow

java ssl network-programming certificate ssl-certificate
Rectangle 27 0

As mentioned by others, the error 401 means that you really established the SSL connection, sent your request and were served back this 401 error. So your SSL code is fine.

When you open this page in the browser, are you getting a username/password prompt ? Maybe auto-login ? If this is the case, I would say that your code is missing this basic authentication or similar.

ssl - How to disable certificate validation in java - Stack Overflow

java ssl network-programming certificate ssl-certificate
Rectangle 27 0

Certificates are authenticated against a root certification authority, like Verisign or Thawte. Some SSL certificates are provided with a chain of intermediate certificates to validate against, which provide the validation up to one of the top level certificates. In a case like this then you need to locally import the intermediate certificates as well as the pages certificate. These need to be imported into the local cacerts file. It is the cacerts file under Java, not sure where that will be on Android, but I have seen it linked on here previously.

Actually my server is using trusted certificate. Is it necessary to create and import SSL certificate on Keystore for simply accessing a url? I am totally new to this topic. Please tell me how to create this subject....

Where should I get this SSL certificate? I am totally confused how to do these thing? Can u suggest a good tutorial which exaplain A-Z steps for making an Https connection?

Browse the https URL. Click on the padlock (in IE8). Click View Certificates on the Website Identification popup. Click the Details tab. Click the Copy to File button. I normally save the file as a DER, but YMMV. Import the saved file into your keystore. HTH.

Sign up for our newsletter and get our top new questions delivered to your inbox (see an example).

android - Why we are getting the exception 'javax.net.ssl.SSLException...

android exception https
Rectangle 27 0

Extended validation is mostly useful from a user-interface perspective. It's not so useful if your client doesn't have anything in its user interface to display the certificate. These verifications are not integrated by default in the JSSE, possibly because there is little demand for it (lack of Java browsers). (By the way, you should verify the certificate you get upon connection, not check with a first connection and connect with another, just in case).

The specifications are defined by the CA/browser forum.

security/certverifier/ExtendedValidation.cpp
security/manager/ssl/src/nsIdentityChecking.cpp
X509Certificate.getExtensionValue()

One problem you will have to watch out for is that the hard-coded SHA-1 fingerprints of the root CA certificates need to match exactly those certificates in the trust store. Some CAs renew their CA certificates once in a while in the bundles that are shipped with most browsers/OS/JREs: make sure you're using the same.

java - Validate Extended Validation(EV) of SSL certificate using JSSE ...

java ssl certificate jsse
Rectangle 27 0

Well, Thanks to Darren Hauge for providing a tricky solution that will not care about ssl certificate. Rewriting the solution here :

public static void trustSelfSignedSSL() {
try {
    SSLContext ctx = SSLContext.getInstance("TLS");
    X509TrustManager tm = new X509TrustManager() {

        public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException {
        }

        public void checkServerTrusted(X509Certificate[] xcs, String string) throws CertificateException {
        }

        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }
    };
    ctx.init(null, new TrustManager[]{tm}, null);
    SSLContext.setDefault(ctx);
} catch (Exception ex) {
    ex.printStackTrace();
}

All we need to create a utility class and put this method inside that. Call this method wherever you need.

java - Disabling SSL Certificate Validation for Active Directory serve...

java ssl active-directory ldap
Rectangle 27 0

String base64Creds = "Basic " + new String( encodedAuth );

with

String base64Creds = new String( encodedAuth ); //"Basic " String duplicated

java - Exception unable to validate certificate of the target in sprin...

java spring validation spring-mvc ssl
Rectangle 27 0

When a Java application connects to an SSL host it MUST be able to validate its signer. but for doing self certificate it may face problem for you. In case for validation use the SSLPoke class as i suggest. And if you cannot making a simple SSL socket connection for your server in a few lines of java then i will suggest you to use Paid-for certificate . Who's CA chain is probably validatable via the existing JRE certificate cacerts file.

iis - URL rewriting is not working in HTTPS - Stack Overflow

iis https
Rectangle 27 0

Though, if they are what I think they could be, I'm not sure whether my application ever be subject to them because, my application only uses an SSL connection to obtain data from my website, so users do not tell the application which URLs to visit - if that makes sense...

If you connect to a server via SSL and you don't do any authentication, effectively you are have no security. You have no idea who is the endpoint you are talking to.

The fact that the user does not type in a URL, but the URL is a hardcoded URL to your site is irrelevant. A simple proxy that forwards the data from your client to the server can steal all your client's data since there is no kind of authentication (this is the Man in the Middle Attack).

I would suggest you put the code you are using to load the keystore so that you get help on that. Otherwise, if you don't have any requirements on security and you don't have any sensitive data you should go for plain connection (i.e. non-SSL) so that your performance does not deteriorate due to the unecessary (in your case) SSL overhead

With un-authenticated SSL you have security against passive eavesdroppers, but not against any active attacker (who can pretend to be something else). Alas, the principal threat to most secure communications is active attackers (e.g., proxies of various kinds).

security - The danger of disabling certificate validation in Java - St...

java security validation ssl certificate
Rectangle 27 0

If the request is forbidden while you use HTTPS URL connection, then check if the SSL validation has passed. In java, you can bypass this SSL validation HttpsURLConnection with

TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager()
    {
        @Override
        public java.security.cert.X509Certificate[] getAcceptedIssuers()
        {
            return null;
        }

        @Override
        public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType)
        {
        }

        @Override
        public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType)
        {
        }
    } };

    SSLContext sc = SSLContext.getInstance("SSL");
    sc.init(null, trustAllCerts, new java.security.SecureRandom());
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

rest - Weird HTTP 403 error using Java - Stack Overflow

java rest jersey
Rectangle 27 0

This won't fix the problem. The 401 was transmitted over HTTPS and SSL, so the certificates are working perfectly.

In any case I strongly recommend you don't do this. You don't want different code executing in test and production. There is a strong risk the test code will leak into production and compromise security. And there is no point in testing insecure code.

ssl - How to disable certificate validation in java - Stack Overflow

java ssl network-programming certificate ssl-certificate
Rectangle 27 0

There is in fact nothing wrong with the code above. The problem seems to lie with Weblogic and this Certicom TLS module. When I look at the server options, SSL and Advanced I see that I can specify a custom HostnameVerifier (SSLMBean.HostnameVerifier) but the only element suggesting the ability to interfere with Certificate validation is deprecated.

I tried the above code outside of Weblogic and it worked beautifully (fixed the HostnameVerifier in the post though).

Then I tried to add "-DUseSunHttpHandler=true" to the Weblogic parameters as suggested by ipolevoy in this other question. It started working.

That being said, switching the HTTP handler on an Oracle Service Bus server seems a bit risky. There might well be side-effects that come back to bite me in a few weeks time...

I also attempted to define my own trustStore and point it to a jssecacert that contained the required key. It was also ignored by Weblogic because it has its own setting of the trustStore for each server. So I'm resorting to ask the administrator to manually import the required keys or point Weblogic to my own store.

By the way, I just discovered the HostnameVerifier could not be customized either and is failing with "javax.net.ssl.SSLKeyException: [Security:090504]Certificate chain received from intranet.company.com - x.x.x.x failed hostname verification check. Certificate contained *.company.com but check expected intranet.company.com". Weblogic, I hate you. I really do.

Ignoring SSL validation in Java - Stack Overflow

java ssl weblogic
Rectangle 27 0

Actually, this is a know bug in Weblogic versions below 10.3.5, for which there is a patch available from Oracle. Please see document 1474989.1 in My Oracle Support for details.

The fix above is a non-recommended (but supported) workaround by Oracle, which will work, but is not the preferred solution.

The preferred solution is to download the patch mentioned in the Oracle article, and replace the SSL hostname verifier with the new one which is also part of Weblogic 10.3.5 and above. If you wish to remain compliant with Oracle in terms of support, this is the way to go.

Ignoring SSL validation in Java - Stack Overflow

java ssl weblogic
Rectangle 27 0

As this is test code I would suggest you just throw it away. You don't want insecure code leaking into production. You don't even want it present in the application.

Re-enable SSL validation in Java (Android) - Stack Overflow

java android ssl httpsurlconnection
Rectangle 27 0

The problem you are facing is that your application cannot validate the external server you are trying to connect to as its certificate is not trusted.

What happening in short is:

  • your application tries to connect to the a Jira instance over a secure (HTTPS) channel
  • to establish the secure connection the application downloads the certificate
  • the application checks the validity of the certificate by trying to trace it back to a known CA (kept in the JRE cert-store)
  • certificate check fails because the cert is self-signed (most likely) or expired, etc.

If this Jira instance is on-premise (hosted by your company) then having a self-signed certificate is not at all unlikely. In this case the certificate is not issued by a known CA, so if you wish to trust it, you need to manually register it.

openssl s_client -connect jira.example.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
$JAVA_HOME/keytool -import -alias <server_name> -keystore $JAVA_HOME/lib/security/cacerts -file public.crt

Note: the commands above are for Unix environment. Under Windows I would suggest using similarly openssl from command line, but there are also GUI tools available for the same purpose.

After you got the cert file, you just need to import it into the keystore which is being used by your application. Find the Java installation you use, then go to: JAVA_DIR/lib/security/cacerts .

i have included the certificate and tried to authenticate but i am not able to authenticate getting 401 status see stackoverflow.com/questions/32064672/

Status 401 is a different problem. Getting that means that your app-level authentication has failed,but it also means that the HTTPS handshake was successful, so the problem in this particular post is solved.

Yeah i know i am asking if you can solve that problem

java - Exception unable to validate certificate of the target in sprin...

java spring validation spring-mvc ssl
Rectangle 27 0

Extended validation is mostly useful from a user-interface perspective. It's not so useful if your client doesn't have anything in its user interface to display the certificate. These verifications are not integrated by default in the JSSE, possibly because there is little demand for it (lack of Java browsers). (By the way, you should verify the certificate you get upon connection, not check with a first connection and connect with another, just in case).

The specifications are defined by the CA/browser forum.

security/certverifier/ExtendedValidation.cpp
security/manager/ssl/src/nsIdentityChecking.cpp
X509Certificate.getExtensionValue()

One problem you will have to watch out for is that the hard-coded SHA-1 fingerprints of the root CA certificates need to match exactly those certificates in the trust store. Some CAs renew their CA certificates once in a while in the bundles that are shipped with most browsers/OS/JREs: make sure you're using the same.

java - Validate Extended Validation(EV) of SSL certificate using JSSE ...

java ssl certificate jsse
Rectangle 27 0

Here's, an attack scenario. Other's might want to contribute some more.

Your application accesses a URL. At some point along the way (any intermediate network hop), an attacker could position himself as a "man-in-the-middle", that is, he would pretend to be a "proxy" for your communication, being able to read everything that goes through, and even modifying it on the way: the attacker could act on behalf of the user, mislead him as to what information he gets, and basically access al data being transferred.

Enter SSL: your client receives a certificate from the server, with a valid key (Signed by a known certification authority, or present in your keystore). The server will then sign and encrypt all it sends using that key. If an attacker where to place himself in the middle, he would not be able to read the data (it's encrypted) or modify it (it's signed, and modification would break the signature). He could still block communications altogether, but that's another story.

So that's that... if you ignore your keystore, you can't verify any server side certificate, and you open the door to man-in-the-middle attacks.

Thank you Miguel and user384706, both you answers were helpful and I am now able to conclude that I need the keystore. If I do manage to place the keystore inside of the JAR file though, will it ever need updating? I only ask because I know that SSL Certificates need renewing, but I don't know if renewing them will effect the information in the keystore...

@Andy: You will have to update it if the service provider's public key changes, this depends on your key provider's policies. You should be prepared for this... at least discuss it with the provider.

@home okay, but otherwise I shouldn't need to, yes?

@Andy: it depends, in general public keys have an expiration date. If you open the certificate (public key) you should be able to see that value.

security - The danger of disabling certificate validation in Java - St...

java security validation ssl certificate
Rectangle 27 0

The "fix" and the exception appear unrelated: The fix disables verification of the server's certificate by the client while the exception indicates that the server deemed the client not authorized to access that URL.

But when I add the URL to my browser I can access it. The only thing is that Firefox warns me against the self signed certificate.

Then I'd inspect the http request firefox sends (for instance with firebug's network tab) to spot the difference (a cookie? the user-agent header? a different http-proxy? ...?).

ssl - How to disable certificate validation in java - Stack Overflow

java ssl network-programming certificate ssl-certificate
Rectangle 27 0

The cause of the error is that Java cannot confirm the validity of the certificate. This can be fixed by importing the certificate into the JAVA certificate storage, or "fixed" by disabling SSL certificate validation.

How to save the file from HTTPS url in JAVA? - Stack Overflow

java https httpurlconnection outputstream filepicker.io