Search code examples
sslcertificatejax-ws

JAX-WS, trusting all ssl certificates not working

Yeah I know, I shouldn't trust all ssl certificates. But as there is a VPN tunnel in place and depending on the staging phase different servers (with different SSL certificates) need to be requested I prefer the ignore-server-ssl-certificate(s) approach.

I am following advices such as

the relevant code snippest look alike (ideas from "erikwramner")

final BindingProvider bp = (BindingProvider) tmpSoapService;
final Map<String, Object> requestContext = bp.getRequestContext();
    requestContext.put( BindingProvider.ENDPOINT_ADDRESS_PROPERTY, serviceUrl );
requestContext.put( BindingProvider.USERNAME_PROPERTY, username );
requestContext.put( BindingProvider.PASSWORD_PROPERTY, ntlmPassword );
    requestContext.put( com.sun.xml.internal.ws.developer.JAXWSProperties.SSL_SOCKET_FACTORY, getTrustingSSLSocketFactory());
requestContext.put( com.sun.xml.internal.ws.developer.JAXWSProperties.HOSTNAME_VERIFIER, new NaiveHostnameVerifier() );
...
public static SSLSocketFactory getTrustingSSLSocketFactory ()
{
    return SSLSocketFactoryHolder.INSTANCE;
}

private static SSLSocketFactory createSSLSocketFactory ()
{
    TrustManager[] trustManagers = new TrustManager[] { new NaiveTrustManager() };
    SSLContext sslContext;
    try
    {
        sslContext = SSLContext.getInstance( "SSL" );
        sslContext.init( null, trustManagers, new java.security.SecureRandom() );
        return sslContext.getSocketFactory();
    }
    catch ( GeneralSecurityException e )
    {
        return null;
    }
}

private static interface SSLSocketFactoryHolder
{
    public static final SSLSocketFactory INSTANCE = createSSLSocketFactory();
}

private static class NaiveHostnameVerifier implements HostnameVerifier
{
    @Override
    public boolean verify ( String hostName, SSLSession session )
    {
        return true;
    }
}

private static class NaiveTrustManager implements X509TrustManager
{
    @Override
    public void checkClientTrusted ( X509Certificate[] certs, String authType )  throws CertificateException
    {
    }

    @Override
    public void checkServerTrusted ( X509Certificate[] certs, String authType )  throws CertificateException
    {
    }

    @Override
    public X509Certificate[] getAcceptedIssuers ()
    {
        return new X509Certificate[0];
    }
}

Unfortunately, I still get

org.apache.cxf.interceptor.Fault: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) ~[na:1.8.0_92]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[na:1.8.0_92]
at sun.security.validator.Validator.validate(Validator.java:260) ~[na:1.8.0_92]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[na:1.8.0_92]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[na:1.8.0_92]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[na:1.8.0_92]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491) ~[na:1.8.0_92]

...

which to me indicates that the default sun.security.ssl.X509TrustManagerImpl is consulted. By debugging I see my SocketFactory/TrustManager being "handed in" at least till org.apache.cxf.endpoint.ClientImpl#invoke(...)

What may be the reason for my TrustManager not being unaccounted?

Solution

  • You are using CXF. You can use client.getConduit().setTlsClientParameters() to set the TrustManager

    For example following: CXF RESTful Client - How to do trust all certs?

    Client client = ClientProxy.getClient(service);
HTTPConduit conduit = client.getHttpConduit();
TLSClientParameters params = conduit.getTlsClientParameters();
if (params == null)  {
    params = new TLSClientParameters();
    conduit.setTlsClientParameters(params);
}    

params.setTrustManagers( new TrustManager[] { new NaiveTrustManager() });
params.setDisableCNCheck(true);