[ http://issues.apache.org/jira/browse/XMLRPC-47?page=comments#action_12383281 ]
Jochen Wiedmann commented on XMLRPC-47:
---------------------------------------

I understand the issue's value. However, I haven't got sufficient knowledge to deal with it myself. If you can come up with a patch against 2.0.1 in the next two weeks, I am ready to pull it in. Otherwise, I'd close the issue after almost two years.

> Add option to XmlRpcClient to ignore SSL certificate validation
> ---------------------------------------------------------------
>
>          Key: XMLRPC-47
>          URL: http://issues.apache.org/jira/browse/XMLRPC-47
>      Project: XML-RPC
>         Type: Bug
>   Components: Source
>     Versions: 1.1
>  Environment: Operating System: All
>               Platform: All
>     Reporter: Andriy Rozeluk
>     Assignee: Jochen Wiedmann
>
> When using XML-RPC with SSL, and the server is using a self-signed certificate
> (say on a staging server), the Java net libraries throw an exception.
> As a suggestion, it should be possible to add a method, something like static
> setIgnoreSSLCerts(boolean) to XmlRpcClient and XmlRpcClientLite, which will
> override the TrustManager for the SSL connects. Thus, the user will have the
> benefit of SSL encryption, without the hassle of having to have that certificate
> signed by a CA.
> For example, before connect you can simply:
>     javax.net.ssl.SSLSocketFactory.getDefault();
>     X509TrustManager tm = new IgnoreSSLCertTrustManager();
>     KeyManager[] km = null;
>     TrustManager[] tma = {tm};
>     SSLContext sc = SSLContext.getInstance("SSL");
>     sc.init( km, tma, new java.security.SecureRandom() );
>     SSLSocketFactory sf1 = sc.getSocketFactory();
> ...
> then when you get your URLConnection:
>     URLConnection con = target.openConnection();
>     if ( con instanceof HttpsURLConnection ){
>         HttpsURLConnection secconn = (HttpsURLConnection)con;
>         secconn.setSSLSocketFactory( sf1 );
>     }
> The IgnoreSSLCertTrustManager simply implements X509TrustManager and returns
> true for both 'isClientTrusted' methods and does nothing for
> 'checkServerTrusted', then returns null for 'getAcceptedIssuers'.
> My apologies for not submitting this as a patch, but unfortunately I don't have
> those tools available to me at present.