
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22181

Add option to XmlRpcClient to ignore SSL certificate validation

           Summary: Add option to XmlRpcClient to ignore SSL certificate
                    validation
           Product: XML-RPC
           Version: 1.1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Enhancement
          Priority: Other
         Component: Source
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]


When using XML-RPC with SSL, and the server is using a self-signed certificate
(say on a staging server), the Java net libraries throw an exception.

As a suggestion, it should be possible to add a method, something like static
setIgnoreSSLCerts(boolean) to XmlRpcClient and XmlRpcClientLite, which will
override the TrustManager for the SSL connections. Thus, the user will have the
benefit of SSL encryption, without the hassle of having to have that certificate
signed by a CA.

For example, before connect you can simply:

javax.net.ssl.SSLSocketFactory.getDefault();
X509TrustManager tm = new IgnoreSSLCertTrustManager();
KeyManager[] km = null;
TrustManager[] tma = {tm};
SSLContext sc = SSLContext.getInstance("SSL");
sc.init( km, tma, new java.security.SecureRandom() );
SSLSocketFactory sf1 = sc.getSocketFactory();

... then when you get your URLConnection:
URLConnection con = target.openConnection();
if ( con instanceof HttpsURLConnection ){
  HttpsURLConnection secconn = (HttpsURLConnection)con;
  secconn.setSSLSocketFactory( sf1 );
}

The IgnoreSSLCertTrustManager simply implements X509TrustManager and returns
true for both 'isClientTrusted' methods and does nothing for
'checkServerTrusted', then returns null for 'getAcceptedIssuers'.

My apologies for not submitting this as a patch, but unfortunately I don't have
those tools available to me at present.
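The same staging-server case can be handled without turning validation off for every certificate: trust the one self-signed certificate explicitly, so the chain check and hostname verification still run. This is an added example, not the reporter's code and not part of Apache XML-RPC; the certificate file name and the staging URL are assumed placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Trusts exactly one self-signed server certificate (the staging server's)
// instead of accepting every certificate. Chain validation against that
// anchor and HttpsURLConnection's hostname verification stay in force.
public class PinnedStagingSocketFactory {
    // Build an SSLSocketFactory whose only trust anchor is the certificate
    // in certPath (DER or PEM, as exported from the staging server).
    public static SSLSocketFactory forCertificate(String certPath) throws Exception {
        Certificate staging;
        try (InputStream in = new FileInputStream(certPath)) {
            staging = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // Empty in-memory key store holding just this one trusted certificate.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("staging", staging);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // default KeyManager, default RNG
        return ctx.getSocketFactory();
    }

    // Same HttpsURLConnection step as in the report, with the pinned factory.
    public static URLConnection open(URL target, SSLSocketFactory sf) throws Exception {
        URLConnection con = target.openConnection();
        if (con instanceof HttpsURLConnection) {
            ((HttpsURLConnection) con).setSSLSocketFactory(sf);
        }
        return con;
    }

    public static void main(String[] args) throws Exception {
        // Assumed, hypothetical values: certificate file name and staging URL.
        SSLSocketFactory sf = forCertificate("staging.crt");
        open(new URL("https://staging.example.invalid/RPC2"), sf).connect();
    }
}
```

A connection to any host presenting a different certificate still fails, which is the property the ignore-everything TrustManager gives up.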