Re: [C3] How to/where to disable certificate check accessing HTTPS

Fri, 10 Sep 2010 11:17:42 -0700 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andrei,

On 9/10/2010 4:05 AM, Andrei Lunjov wrote:
> Hi Jos,
> 
> I just try to do:
> 
> <map:generate src="https://asite.with.invalid.cert/some/resource"/>
> 
> And sun.net.www.protocol.https.HttpsURLConnectionImpl if I remember
> right throws an exception.
> Cert is invalid, so adding it trust store is questionable.
> I'd like to ignore the cert check at all, something like this:
> http://www.exampledepot.com/egs/javax.net.ssl/TrustAll.html
> And it's a big question for me what would be a best way add this
> modification, preferably so I can switch cert check on and off for
> different resources.

The code below will disable SSL checking for /all/ resources, and can
easily be put into a ServletContextListener in order to modify the SSL
cert checking behavior for a webapp at startup (that is, it's relatively
easy to just slap this into an existing Cocoon installation).

    public static void disableSSLCertificateChecking()
        throws NoSuchAlgorithmException, KeyManagementException
    {
        TrustManager[] trustAllCerts = new TrustManager[] {
            new X509TrustManager() {
                public X509Certificate[] getAcceptedIssuers() {
                    return null;
                }
                public void checkClientTrusted(X509Certificate[] certs,
                                               String authType) {
                }
                public void checkServerTrusted(X509Certificate[] certs,
                                               String authType) {
                }
            }
        };

        SSLContext sc = SSLContext.getInstance("SSL");

        sc.init(null, trustAllCerts, new java.security.SecureRandom());


HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    }

As I mentioned, this won't help with the resource-specific connections.

The code above could be adapted to work inside a generator in order to
exempt that single resource from SSL certificate checking. Maybe I'll
take a look at the Cocoon code and propose a patch if it's useful.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkyKdiYACgkQ9CaO5/Lv0PAiWQCcCKh0Y03+D8DOhetTpe2Dh/I+
s10Anj8vsvxh9/lzCQTmGimQOU925yhS
=kADE
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org
For additional commands, e-mail: users-h...@cocoon.apache.org

Reply via email to