Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ignoring SSL verification errors #5

Open
rb2k opened this issue Apr 22, 2013 · 3 comments
Open

Ignoring SSL verification errors #5

rb2k opened this issue Apr 22, 2013 · 3 comments

Comments

@rb2k
Copy link

rb2k commented Apr 22, 2013

I use jruby-httpclient in an environment where I might run into self-signed SSL certs which usually leads to this:

SSLSessionImpl.java:352:in `getPeerCertificates': javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    from AbstractVerifier.java:128:in `verify'
    from SSLSocketFactory.java:390:in `connectSocket'
    from DefaultClientConnectionOperator.java:148:in `openConnection'
    from AbstractPoolEntry.java:149:in `open'
    from AbstractPooledConnAdapter.java:121:in `open'
    from DefaultRequestDirector.java:561:in `tryConnect'
    from DefaultRequestDirector.java:415:in `execute'
    from AbstractHttpClient.java:820:in `execute'
    from AbstractHttpClient.java:754:in `execute'
    from AbstractHttpClient.java:732:in `execute'
    from NativeMethodAccessorImpl.java:-2:in `invoke0'
    from NativeMethodAccessorImpl.java:39:in `invoke'
    from DelegatingMethodAccessorImpl.java:25:in `invoke'
    from Method.java:597:in `invoke'
    from JavaMethod.java:455:in `invokeDirectWithExceptionHandling'

I really don't care all that much about the validity of the SSL certs. Is there any way to disable the cert checking alltogether for jruby-httpclient?
@rb2k
Copy link
Author

rb2k commented Apr 22, 2013

Example:

require 'rubygems'
require 'http_client'

user_agent = 'testing'
client_opts = {
  :connection_timeout => 10000,
  :timeout_in_seconds => 30,
  :user_agent => user_agent,
  :handle_redirects => true,
  :max_redirects => 10,
  :use_ssl => true
}

client = HTTP::Client.new(client_opts)
get_req = HTTP::Get.new('https://www.netuno.net/')
result = client.execute(get_req)

@rb2k
Copy link
Author

rb2k commented Jun 7, 2013

This can be somewhat solved by doing this:

// Example java.security.Provider implementation
// that trusts ALL SSL certificates
// Regardless of whether they are valid or not

// Store this code in a file called MyProvider.java

import java.security.Security;
import java.security.KeyStore;
import java.security.Provider;
import java.security.cert.X509Certificate;
import javax.net.ssl.ManagerFactoryParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactorySpi;
import javax.net.ssl.X509TrustManager;

public class MyProvider extends Provider
{
  public MyProvider()
  {
    super("MyProvider", 1.0, "Trust certificates");
    put("TrustManagerFactory.TrustAllCertificates", MyTrustManagerFactory.class.getName());
  }

  protected static class MyTrustManagerFactory extends TrustManagerFactorySpi
  {
    public MyTrustManagerFactory()
      {}
    protected void engineInit( KeyStore keystore )
      {}
    protected void engineInit(ManagerFactoryParameters mgrparams )
      {}
    protected TrustManager[] engineGetTrustManagers()
    {
      return new TrustManager[] {new MyX509TrustManager()};
    }
  }

  protected static class MyX509TrustManager implements X509TrustManager
  {
    public void checkClientTrusted(X509Certificate[] chain, String authType)
      {}
    public void checkServerTrusted(X509Certificate[] chain, String authType)
      {}
    public X509Certificate[] getAcceptedIssuers()
      { return null; }
  }

}

then

javac MyProvider.java

And now you can do this:

java_import 'MyProvider'
java.security.Security.addProvider(MyProvider.new)
java.security.Security.setProperty("ssl.TrustManagerFactory.algorithm", "TrustAllCertificates");

This seems to somewhat work. It will however still blow up when running into a http -> https redirect

@rb2k
Copy link
Author

rb2k commented Jun 7, 2013

Ok, next approach, less java :)

class TrustStrategy
  def isTrusted(chain, auth_type)
      return true;
  end
end

[...]

      http_client = HTTP::Client.new(@client_opts)      
      begin
        get_req = HTTP::Get.new(url_to_crawl.to_s)
        result = http_client.execute(get_req)
      rescue javax.net.ssl.SSLPeerUnverifiedException
        # Disable SSL
        ssl_socket_factory = org.apache.http.conn.ssl.SSLSocketFactory.new(TrustStrategy.new)
        scheme = org.apache.http.conn.scheme.Scheme.new('https', 443, ssl_socket_factory)
        http_client.instance_variable_get('@client').getConnectionManager().getSchemeRegistry().register(scheme)        
        get_req = HTTP::Get.new(url_to_crawl.to_s.gsub('http:', 'https:'))
        result = http_client.execute(get_req)
      end

Quite a hack, but it works for me for now...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@rb2k