Simon Wong
2017-09-27 06:32:46 UTC
If I choose TrustSelfSignedStrategy.INSTANCE as the TrustStrategy, the
constructed HttpClient can be used for both self-signed and valid
certificates. But it cannot be used to trust an expired certificate (it throws a
java.security.cert.CertificateExpiredException exception).
I guess if the HttpClientBuilder allowed me to construct multiple SSLContexts,
the problem would be solved. But I don't know how to set multiple
SSLContexts.
My current workaround is to implement the TrustStrategy and always return "true"
in the isTrusted() method.
    import java.security.KeyStore;
    import javax.net.ssl.SSLContext;
    import org.apache.http.client.methods.CloseableHttpResponse;
    import org.apache.http.client.methods.HttpGet;
    import org.apache.http.conn.ssl.NoopHostnameVerifier;
    import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
    import org.apache.http.impl.client.CloseableHttpClient;
    import org.apache.http.impl.client.HttpClientBuilder;
    import org.apache.http.impl.client.HttpClients;
    import org.apache.http.ssl.SSLContexts;
    import org.apache.http.util.EntityUtils;

    public class TrustStrategyTest {
        public static void main(String[] args) throws Exception {
            HttpClientBuilder clientBuilder = HttpClients.custom();
            // TrustSelfSignedStrategy accepts a single-certificate chain outright;
            // any other chain falls through to the default (PKIX) trust manager.
            SSLContext sslContext = SSLContexts.custom()
                    .loadTrustMaterial((KeyStore) null, TrustSelfSignedStrategy.INSTANCE)
                    .build();
            try (CloseableHttpClient httpclient = clientBuilder
                    .setSSLContext(sslContext)
                    .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
                    .build()) {
                // working (valid cert)
                try (CloseableHttpResponse response = httpclient.execute(new HttpGet("https://sha256.badssl.com/"))) {
                    String bodyAsString = EntityUtils.toString(response.getEntity());
                    System.out.println("response 1: " + bodyAsString);
                }
                // working (trusted self-signed cert)
                try (CloseableHttpResponse response = httpclient.execute(new HttpGet("https://self-signed.badssl.com/"))) {
                    String bodyAsString = EntityUtils.toString(response.getEntity());
                    System.out.println("response 2: " + bodyAsString);
                }
                // throws java.security.cert.CertificateExpiredException here
                try (CloseableHttpResponse response = httpclient.execute(new HttpGet("https://expired.badssl.com/"))) {
                    String bodyAsString = EntityUtils.toString(response.getEntity());
                    System.out.println("response 3: " + bodyAsString);
                }
            }
        }
    }
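The post's workaround (a TrustStrategy whose isTrusted() always returns true) disables certificate validation for every host the client talks to. The contract of loadTrustMaterial(KeyStore, TrustStrategy) gives a narrower option: when the strategy returns true the chain is accepted as-is, and when it returns false the chain is handed to the default PKIX trust manager, which still enforces expiry and chain building. The following is an added example, not code from the original post or from the Apache HttpClient project, that uses that contract to accept exactly one known expired certificate, identified by the SHA-256 fingerprint of its DER encoding, and leaves hostname verification enabled. It assumes HttpClient 4.5 / HttpCore 4.4 package names, and the fingerprint value is a placeholder the reader must replace with the certificate they have decided to trust.

```java
import java.io.IOException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Locale;
import javax.net.ssl.SSLContext;

import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.ssl.TrustStrategy;
import org.apache.http.util.EntityUtils;

/**
 * TrustStrategy that accepts exactly one known (possibly expired) server
 * certificate, identified by the SHA-256 fingerprint of its DER encoding.
 * Every other chain is handed back to the default PKIX trust manager by
 * returning false, so normal validation (expiry, chain building) still
 * applies to everything that is not explicitly pinned.
 */
public final class PinnedExpiredCertStrategy implements TrustStrategy {

    private final String pinnedSha256;

    public PinnedExpiredCertStrategy(String pinnedSha256Hex) {
        this.pinnedSha256 = normalize(pinnedSha256Hex);
    }

    @Override
    public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            return false; // nothing to pin against; let the default manager reject it
        }
        // Only the leaf certificate is compared: trust is granted to this exact
        // certificate, not to whatever issuer chain the server happens to send.
        return normalize(fingerprintSha256(chain[0])).equals(pinnedSha256);
    }

    /** Hex SHA-256 over the DER encoding (what `openssl x509 -fingerprint -sha256` prints). */
    public static String fingerprintSha256(X509Certificate cert) throws CertificateEncodingException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 not available", e);
        }
    }

    private static String normalize(String hex) {
        return hex.replace(":", "").toLowerCase(Locale.ROOT);
    }

    /** Client that trusts the pinned cert plus whatever the default trust store already trusts. */
    public static CloseableHttpClient clientTrustingPinnedCert(String pinnedSha256Hex) throws Exception {
        SSLContext sslContext = SSLContexts.custom()
                .loadTrustMaterial((KeyStore) null, new PinnedExpiredCertStrategy(pinnedSha256Hex))
                .build();
        // Deliberately no NoopHostnameVerifier: the pinned certificate must also
        // be presented by the host named in the URL.
        return HttpClients.custom().setSSLContext(sslContext).build();
    }

    public static void main(String[] args) throws Exception {
        // PLACEHOLDER (assumption): replace with the SHA-256 fingerprint of the
        // specific expired certificate you have decided to accept, e.g. taken from
        // `openssl s_client -connect host:443 | openssl x509 -fingerprint -sha256 -noout`.
        String pinned = args.length > 0 ? args[0] : "REPLACE_WITH_SHA256_FINGERPRINT";
        try (CloseableHttpClient client = clientTrustingPinnedCert(pinned);
             CloseableHttpResponse response = client.execute(new HttpGet("https://expired.badssl.com/"))) {
            System.out.println("status: " + response.getStatusLine());
            EntityUtils.consume(response.getEntity());
        } catch (IOException e) {
            // With a non-matching fingerprint the default manager still rejects the
            // expired chain (CertificateExpiredException inside the handshake failure).
            System.out.println("rejected: " + e);
        }
    }
}
```

Compared with an always-true isTrusted(), this keeps the failure mode visible: a request to any host other than the one presenting the pinned certificate still fails the same way the post's third request does, and the accepted exception is recorded in one place (the fingerprint) that can be removed once the server's certificate is renewed.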