Kews,

Subscriber wrote:
> Hi Hassan,
> 
> Thanks for your answer. Yes, I've already tried your suggestion. Both
> with the java.security.cert.CertificateExpiredException and the
> javax.net.ssl.SSLHandshakeException, but the problem remains. As I can
> see, the exception is thrown somewhere inside Tomcat, before handing
> control to the web application. Hence, the exception is not "catchable"
> inside my web application, but is to be handled in some other way
> "inside" the Tomcat engine.

What you need to do is override Java's certificate validator. This is
not a Tomcat issue -- you'd have it with any Java-based code that uses
the JRE's SSL libraries.

I'm not sure if Tomcat has a setting for doing this, but you might be
able to do it programmatically.

I have had to deal with this in the past, and I wrote myself a little
readme about it, since it's not worth keeping in my brain. I seem to
have lost it, but I do have some code that will turn off cert validation
for /outgoing/ HttpsURLConnections. You may have to adapt this code to
change the way ServerSockets are handled:

    import java.security.KeyManagementException;
    import java.security.NoSuchAlgorithmException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;

    // Replaces the JRE's default trust manager with one that accepts every
    // certificate chain. Only affects outgoing HttpsURLConnections.
    public static void disableSSLCertificateChecking()
        throws NoSuchAlgorithmException, KeyManagementException
    {
        TrustManager[] trustAllCerts = new TrustManager[] {
            new X509TrustManager() {
                public X509Certificate[] getAcceptedIssuers() {
                    // Empty array rather than null: some callers NPE on null.
                    return new X509Certificate[0];
                }
                public void checkClientTrusted(X509Certificate[] certs,
                                               String authType) {
                    // No checks at all: every client chain is accepted.
                }
                public void checkServerTrusted(X509Certificate[] certs,
                                               String authType) {
                    // No checks at all: every server chain is accepted.
                }
            }
        };

        // "TLS" rather than the legacy "SSL" alias
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, trustAllCerts, new java.security.SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    }


If you'd like, you can implement your own version of checking instead of
disabling validation entirely. This is actually overriding the validator
with one that doesn't do any validation... it's not really disabling it.
You are free to provide your own implementation.

I can't seem to find any relevant methods in SSLServerSocketFactory,
which would be the most likely place to call some kind of
setDefaultSSLSocketFactory method, much like the HttpsURLConnection
method of the same name used above.

Sorry if this leads you down the wrong path!

-chris
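The message above suggests providing your own validation instead of a trust manager that checks nothing. The following is an added example (not Chris's code, not part of Tomcat) of what that can look like for the expired-certificate case the original poster hit: a trust manager that delegates to the JRE's default PKIX validator and only intervenes when the chain was rejected for being past its notAfter date. In that case it re-verifies the signatures and anchoring itself and accepts the chain only within a bounded grace period; any other failure (unknown CA, bad signature, wrong name chaining) is rejected exactly as the default validator decided. The class name `GracePeriodTrustManager`, the grace-period design, and the assumption that the JDK reports an expiry failure with a `CertificateExpiredException` somewhere in the exception's cause chain are this example's own; hostname verification for HttpsURLConnection is a separate mechanism and is not touched.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Delegating trust manager (example class, not part of the JDK or Tomcat).
 * The default PKIX validator runs first and its verdict stands, except that
 * a chain rejected only because a certificate is past notAfter is
 * re-checked by hand instead of being trusted blindly.
 */
public final class GracePeriodTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;
    private final Duration maxGrace;   // how long past notAfter is tolerated

    public GracePeriodTrustManager(X509TrustManager delegate, Duration maxGrace) {
        this.delegate = delegate;
        this.maxGrace = maxGrace;
    }

    /** The platform default X509TrustManager, backed by the JRE's cacerts store. */
    public static X509TrustManager platformDefault() throws GeneralSecurityException {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);               // null = default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new GeneralSecurityException("no X509TrustManager available");
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        try {
            delegate.checkServerTrusted(chain, authType);
        } catch (CertificateException e) {
            if (!causedByExpiry(e)) throw e;   // unknown CA, bad signature, ...: fatal
            verifyExpiredChain(chain, e);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        try {
            delegate.checkClientTrusted(chain, authType);
        } catch (CertificateException e) {
            if (!causedByExpiry(e)) throw e;
            verifyExpiredChain(chain, e);
        }
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    /** Assumption: the JDK wraps an expiry failure with this cause somewhere in the chain. */
    private static boolean causedByExpiry(Throwable t) {
        for (; t != null; t = t.getCause()) {
            if (t instanceof CertificateExpiredException) return true;
        }
        return false;
    }

    /**
     * The default validator stops at the first expired certificate, so later
     * certificates may not have been checked at all. Re-verify everything:
     * each signature must chain to the next certificate, the top must be
     * signed by (or be) a trust anchor, and nothing may be expired by more
     * than maxGrace or not yet valid. Any doubt keeps the original verdict.
     */
    private void verifyExpiredChain(X509Certificate[] chain, CertificateException original)
            throws CertificateException {
        if (chain == null || chain.length == 0) throw original;
        Instant now = Instant.now();
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = chain[i];
            boolean notYetValid = now.isBefore(c.getNotBefore().toInstant());
            boolean tooOld = Duration.between(c.getNotAfter().toInstant(), now)
                                     .compareTo(maxGrace) > 0;
            if (notYetValid || tooOld) throw original;
            if (i + 1 < chain.length && !verifies(c, chain[i + 1].getPublicKey())) throw original;
        }
        if (!signedByAnchor(chain[chain.length - 1])) throw original;
    }

    private static boolean verifies(X509Certificate c, PublicKey key) {
        try { c.verify(key); return true; }
        catch (GeneralSecurityException e) { return false; }
    }

    private boolean signedByAnchor(X509Certificate top) {
        for (X509Certificate anchor : getAcceptedIssuers()) {
            if (anchor.equals(top)) return true;            // chain includes the root itself
            if (anchor.getSubjectX500Principal().equals(top.getIssuerX500Principal())
                    && verifies(top, anchor.getPublicKey())) return true;
        }
        return false;
    }

    /** Install for outgoing HttpsURLConnections, mirroring the snippet in the message. */
    public static void install(Duration maxGrace) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] {
            new GracePeriodTrustManager(platformDefault(), maxGrace) }, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }
}
```

A call such as `GracePeriodTrustManager.install(Duration.ofDays(7))` keeps the full default validation for every connection and only lets through chains that would have been accepted a week ago; tightening `maxGrace` to zero restores the default behaviour. The same class can be handed to an `SSLContext` used for server-side client-certificate authentication, which is the direction the original poster's Tomcat exception seems to come from, but the message is right that wiring it into Tomcat's own connector is a separate configuration question.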
