Rowanto Luo


Just another blog. or log.


Java 8 - Turning off SSL Certificate Check

There's usually no good reason to turn off the SSL certificate check, so what follows is wrong in many ways. But maybe you're still developing in an isolated dev environment, and the dev machine of another application you depend on only accepts SSL connections even though it doesn't have a valid certificate. The correct solution is to self-sign a certificate, or add the existing one to the system trust store, so that the certificate check stays turned on when your application goes live. Otherwise you might forget to turn the check back on when launching, and that will be bad. So, use this at your own risk.

Usually, to disable the SSL certificate check, all we have to do is create a new trust manager that does nothing. You will find this kind of code most of the time:

final TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
    @Override
    public void checkClientTrusted( final X509Certificate[] chain, final String authType ) {
    }
    @Override
    public void checkServerTrusted( final X509Certificate[] chain, final String authType ) {
    }
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return null;
    }
} };

// Install the all-trusting trust manager
final SSLContext sslContext = SSLContext.getInstance( "SSL" );
sslContext.init( null, trustAllCerts, new java.security.SecureRandom() );
HttpsURLConnection.setDefaultSSLSocketFactory( sslContext.getSocketFactory() );

But doing this will produce various errors in Java 8, such as "algorithm not strong enough" or something similar. The reason is simple: in Java 8, security has been tightened, and we need to subclass X509ExtendedTrustManager instead of implementing the plain X509TrustManager interface. A plain X509TrustManager gets wrapped by the JDK in an internal wrapper that still runs its own algorithm-constraint checks on the certificate chain, whereas a subclass of X509ExtendedTrustManager is used as-is.

So all it takes is the same code, with the anonymous class extending X509ExtendedTrustManager instead.

import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedTrustManager;

// Same all-trusting trust manager as before, but extending X509ExtendedTrustManager,
// so the JDK uses it as-is. All seven check methods are no-ops: nothing is verified.
TrustManager[] trustAllCerts = new TrustManager[]{
    new X509ExtendedTrustManager() {
        @Override
        public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
        }
        @Override
        public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
        }
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }
        @Override
        public void checkClientTrusted(X509Certificate[] x509Certificates, String s, Socket socket) throws CertificateException {
        }
        @Override
        public void checkServerTrusted(X509Certificate[] x509Certificates, String s, Socket socket) throws CertificateException {
        }
        @Override
        public void checkClientTrusted(X509Certificate[] x509Certificates, String s, SSLEngine sslEngine) throws CertificateException {
        }
        @Override
        public void checkServerTrusted(X509Certificate[] x509Certificates, String s, SSLEngine sslEngine) throws CertificateException {
        }
    }
};

// getInstance and init throw the checked exceptions NoSuchAlgorithmException and
// KeyManagementException, so the enclosing method has to declare or catch them.
SSLContext sslContext = SSLContext.getInstance("SSL");
sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
// This replaces the JVM-wide default used by every HttpsURLConnection from now on.
HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());

Now we should be able to make an SSL connection to a website with an invalid certificate. This code only has to be called once anywhere in your application, because setDefaultSSLSocketFactory replaces the JVM-wide default socket factory that every HttpsURLConnection uses from then on. For my test Spring application, I just call it in the Application class where it auto-configures Spring Boot.
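The opening paragraph names the right fix: trust the dev server's certificate explicitly so the check stays on. The following is an added example of that approach, not code from the original post; it assumes the dev certificate was exported to a PEM file, and the file path and class name are placeholders.

```java
// Added example, not code from the original post: trust only the dev server's
// self-signed certificate instead of every certificate, so the check stays on.
// Assumption: the certificate was exported as a PEM file; the path is a placeholder.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class DevTrust {

    /** Builds an SSLContext that trusts exactly the certificates found in pemPath. */
    public static SSLContext contextTrusting(String pemPath) throws Exception {
        // Start from an empty key store: nothing from the default cacerts leaks in,
        // so the dev certificate is the only thing this context will accept.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int count = 0;
        try (InputStream in = new FileInputStream(pemPath)) {
            // generateCertificates reads one or more PEM-encoded certificates
            for (Certificate c : cf.generateCertificates(in)) {
                trustStore.setCertificateEntry("dev-" + count++, c);
            }
        }
        if (count == 0) {
            // Fail with a clear message now; an empty store would reject every
            // server later with a cryptic "trustAnchors parameter must be non-empty".
            throw new IllegalStateException("no certificates found in " + pemPath);
        }
        // The default algorithm is PKIX: real chain validation, just against our store.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String pem = args.length > 0 ? args[0] : "dev-server.pem"; // placeholder path
        // Same JVM-wide switch as the post uses, but with a context that still validates.
        // Hostname verification is untouched, so the cert must name the dev host.
        HttpsURLConnection.setDefaultSSLSocketFactory(contextTrusting(pem).getSocketFactory());
    }
}
```

Because hostname verification is left in place, the dev certificate's subject alternative name must match the host you connect to; if it does not, the connection fails, which is the behaviour you want to keep when the code ships.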

Hope it helps.