10

I know it's been asked before but I tried all the solutions that I found and it's still not working.

Basically, I'm trying to get some content via Apache Http Client (4.3) and the website that I'm connecting to is having some SSL issues.

First, I was getting an SSLException with an unrecognized_name message. I tried to get around this by setting the jsse.enableSNIExtension property to false.

Then, I got this exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I then tried supplying my own SSLFactory that would accept all certificates but I'm still getting the same exception. Here's my code:

private static void sslTest() throws Exception {
    System.setProperty("jsse.enableSNIExtension", "false");

    SSLContext sslContext = SSLContexts.custom()
            .loadTrustMaterial(null, new TrustSelfSignedStrategy())
            .useTLS()
            .build();

    SSLConnectionSocketFactory connectionFactory =
            new SSLConnectionSocketFactory(sslContext, new AllowAllHostnameVerifier());

    CookieStore cookieStore = new BasicCookieStore();
    HttpClientContext context = HttpClientContext.create();
    context.setCookieStore(cookieStore);

    CloseableHttpClient httpclient = HttpClients.custom()
            .setSSLSocketFactory(connectionFactory)
            .setDefaultCookieStore(cookieStore)
            .build();

    URI uri = new URIBuilder()
            .setScheme("https")
            .setHost(BASE_URL)
            .build();

    String responseBody = httpclient.execute(new HttpGet(uri), RESPONSE_HANDLER);
}

All help is greatly appreciated!

2

4 Answers 4

13

Please also note that trusting self-signed certs does not mean trusting any arbitrary cert.

Try setting up your SSL context this way:

SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(null, 
    new TrustStrategy() {
        @Override
        public boolean isTrusted(final X509Certificate[] chain, final String authType) 
        throws CertificateException {
            return true;
        }
    })
    .useTLS()
    .build();

Please also note that generally trusting certificates indiscriminately defeats the purpose of using SSL in the first place. Use when absolutely necessary or for testing only.


1 Comment

Worked like a charm. With HttpClientBuilder this is how to create an instance: SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext); CloseableHttpClient client = HttpClientBuilder.create().setSSLSocketFactory(sslsf).build();
11

In Http Client 4.5.2:

SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(null, 
    new TrustStrategy() {
        @Override
        public boolean isTrusted(final X509Certificate[] chain, final String authType) 
        throws CertificateException {
            return true;
        }
    }).build();

SSLConnectionSocketFactory sslsf;
sslsf = new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);

And then:

HttpClientBuilder builder = HttpClients.custom().setSSLSocketFactory(sslsf);

Comments

1

Your truststore doesn't trust the server certificate.

Allowing all hostnames is an HTTPS step that can only be invoked if the certificate is trusted.

Comments

0

The following is for Apache 4x to trust everything

static {
    // avoid error javax.net.ssl.SSLProtocolException: handshake alert:  unrecognized_name
    System.setProperty("jsse.enableSNIExtension", "false");
}

public static HttpClientBuilder createTrustAllHttpClientBuilder() {
    try {
        SSLContextBuilder builder = new SSLContextBuilder();
        builder.loadTrustMaterial(null, (chain, authType) -> true);
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(builder.build(), NoopHostnameVerifier.INSTANCE);

        return HttpClients.custom().setSSLSocketFactory(sslsf);
    }
    catch (KeyManagementException | NoSuchAlgorithmException | KeyStoreException e) {
        throw new IllegalStateException(e);
    }
}

Comments
