java - Are self signed certificates always prone to man in the middle attack while adding the certificate programmatically?
I am creating a JAX-WS client app that needs to accept self-signed certificates. There is a common SSL handshake exception problem when trying to import self-signed certificates. The common workaround is to extend the JSSE security provider and initialize the SSL context to accept certificates like:

    Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
    // Trust manager whose check methods return without validating anything
    TrustManager[] trustCerts = new TrustManager[]{new X509TrustManager() {
        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }
        public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException {
            return;
        }
        public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException {
            return;
        }
    }};
    SSLContext sc = SSLContext.getInstance("SSLv3");
    sc.init(null, trustCerts, null);
    SocketFactory factory = sc.getSocketFactory();
    SSLSocket socket;
    socket = (SSLSocket) factory.createSocket(mInstance.getHostName(), getSecureConnectionEndpoint().getPort());
    socket.startHandshake();
    setCerts(socket.getSession().getPeerCertificates());

I find this workaround to be a problem. There are many similar kinds of questions here, such as importing SSL certificates, and they propose the same solution.

This is prone to a man in the middle attack, and the solution seems legit for testing purposes.

So my question is, is there no way of making the whole process more secure when we try to import the certificates programmatically?

Thank you in advance!

> This is prone to a man in the middle attack, and the solution seems legit for testing purposes.

Correct. It is radically insecure.

> So my question is, is there no way of making the whole process more secure when we try to import the certificates programmatically?

Not if you do it via the channel you are trying to secure. The certificate to be trusted needs to be delivered by other means.

NB: the code you posted doesn't satisfy the contract of getAcceptedIssuers(). It can't return null.
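
As an added example (not part of the original question or answer), one way to follow the answer's advice in Java is to load the self-signed certificate from a file that was delivered out of band and make it the only trust anchor. The class name, the PEM file argument and the host and port arguments are assumptions chosen for illustration.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.*;

public class PinnedSelfSignedClient {
    // Build an SSLContext that trusts only the certificate stored in pemFile.
    // Assumption: pemFile was obtained out of band, not over the connection being secured.
    static SSLContext contextTrustingOnly(String pemFile) throws Exception {
        Certificate cert;
        try (InputStream in = Files.newInputStream(Paths.get(pemFile))) {
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                    // empty in-memory store, no default CAs
        ks.setCertificateEntry("server", cert); // the single trust anchor
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: PinnedSelfSignedClient <cert.pem> <host> <port>");
            return;
        }
        SSLContext ctx = contextTrustingOnly(args[0]);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory()
                .createSocket(args[1], Integer.parseInt(args[2]))) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // also match the host name
            s.setSSLParameters(p);
            s.startHandshake(); // throws SSLHandshakeException for any other certificate
            System.out.println("Handshake OK: " + s.getSession().getCipherSuite());
        }
    }
}
```

Unlike the trust-all manager in the question, the handshake here fails when a server presents any certificate other than the one in the file, so an interposed party cannot substitute its own.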