Trust all certificates with okHttp


seato:

For testing, I'm trying to add a socket factory to my okHttp client that trusts everything when setting up the proxy. This has been done many times, but my implementation of the trusted socket factory seems to be missing something:

class TrustEveryoneManager implements X509TrustManager {
    @Override
    public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException { }

    @Override
    public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException { }

    @Override
    public java.security.cert.X509Certificate[] getAcceptedIssuers() {
        return null;
    }
}

OkHttpClient client = new OkHttpClient();

final InetAddress ipAddress = InetAddress.getByName("XX.XXX.XXX.XXX"); // some IP
client.setProxy(new Proxy(Proxy.Type.HTTP, new InetSocketAddress(ipAddress, 8888)));

SSLContext sslContext = SSLContext.getInstance("TLS");
TrustManager[] trustManagers = new TrustManager[]{new TrustEveryoneManager()};
sslContext.init(null, trustManagers, null);
client.setSslSocketFactory(sslContext.getSocketFactory());

No requests are sent from my app, and no exceptions are logged in the logs, so it appears that it fails silently in okHttp. After further investigation, it seems that an exception is swallowed in okHttp Connection.upgradeToTls() when the handshake is forced. The exception I get is: javax.net.ssl.SSLException: SSL handshake terminated: ssl=0x74b522b0: SSL_ERROR_ZERO_RETURN occurred. You should never see this.

The code below generates an SSLContext that works like a charm when creating an SSLSocketFactory that doesn't throw any exceptions:

protected SSLContext getTrustingSslContext() throws NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
    final SSLContextBuilder trustingSSLContextBuilder = SSLContexts.custom()
            .loadTrustMaterial(null, new TrustStrategy() {
                @Override
                public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                    return true; // Accepts any ssl cert whether valid or not.
                }
            });
    return trustingSSLContextBuilder.build();
}

The problem is that I am trying to completely remove all Apache HttpClient dependencies from my application. The underlying code generated with Apache HttpClient SSLContext seems simple enough, but since I can't configure my code, I'm clearly missing something in the SSLContext.

Can anyone produce the SSLContext implementation I want without using Apache HttpClient?

Sonxurxo

In case anyone lands here, the (only) solution that worked for me was to create the OkHttpClient like the one explained here.

Here is the code:

private static OkHttpClient getUnsafeOkHttpClient() {
  try {
    // Create a trust manager that does not validate certificate chains
    final TrustManager[] trustAllCerts = new TrustManager[] {
        new X509TrustManager() {
          @Override
          public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {
          }

          @Override
          public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {
          }

          @Override
          public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            return new java.security.cert.X509Certificate[]{};
          }
        }
    };

    // Install the all-trusting trust manager
    final SSLContext sslContext = SSLContext.getInstance("SSL");
    sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
    // Create an ssl socket factory with our all-trusting manager
    final SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();

    OkHttpClient.Builder builder = new OkHttpClient.Builder();
    builder.sslSocketFactory(sslSocketFactory, (X509TrustManager)trustAllCerts[0]);
    builder.hostnameVerifier(new HostnameVerifier() {
      @Override
      public boolean verify(String hostname, SSLSession session) {
        return true;
      }
    });

    OkHttpClient okHttpClient = builder.build();
    return okHttpClient;
  } catch (Exception e) {
    throw new RuntimeException(e);
  }
}
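
For the proxy test setup the question describes, trust can be scoped to the proxy's own CA certificate rather than switched off, which keeps chain validation and OkHttp's default hostname verification in place. The following is an added example, not code from either post; the class name ProxyCaClient, the method build, the parameter caPem (a stream over the CA certificate exported from the test proxy) and the key store alias are assumptions.

```java
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;

// Hypothetical helper (added example): trusts one CA only, for test builds.
public final class ProxyCaClient {
  public static OkHttpClient build(InputStream caPem, String proxyHost, int proxyPort)
      throws Exception {
    // Parse the proxy's CA certificate (PEM or DER encoded X.509).
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    Certificate proxyCa = cf.generateCertificate(caPem);

    // Empty in-memory key store holding just that CA; the alias is arbitrary.
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    ks.load(null, null);
    ks.setCertificateEntry("test-proxy-ca", proxyCa);

    // Let the platform build a validating trust manager from the key store.
    TrustManagerFactory tmf =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(ks);
    TrustManager[] tms = tmf.getTrustManagers();
    if (tms.length != 1 || !(tms[0] instanceof X509TrustManager)) {
      throw new IllegalStateException("Unexpected default trust managers");
    }
    X509TrustManager tm = (X509TrustManager) tms[0];

    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, new TrustManager[] {tm}, null);

    // No hostnameVerifier override: OkHttp's default verifier stays active.
    return new OkHttpClient.Builder()
        .proxy(new Proxy(Proxy.Type.HTTP, new InetSocketAddress(proxyHost, proxyPort)))
        .sslSocketFactory(ctx.getSocketFactory(), tm)
        .build();
  }
}
```

A client built this way accepts only chains that lead to the supplied CA, so connections that bypass the test proxy fail the handshake instead of silently succeeding.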
