SSL - certificate expired

**universer** · December 17th, 2004, 09:29 AM

hi there,

i need to access to a script over ssl, but the date of the certificate is expired.
is there any ability to to bypass this certificate, which is out of date ?

im using org.apache.commons.httpclient, and the code looks like this:

Code:

      PostMethod post = new PostMethod("https://192.168.0.11:443");
      
        post.setRequestEntity(new InputStreamRequestEntity( new FileInputStream(input), input.length()));
        
        post.setRequestHeader("Content-type", "text/xml; charset=ISO-8859-1");
        
        HttpClient httpclient = new HttpClient();
        
            // Execute request
            try {
            int result = httpclient.executeMethod(post);
            
            System.out.println("Response body: ");
            System.out.println(post.getResponseBodyAsString());
        } finally {
            
            // Release current connection
            post.releaseConnection();
        }

with this error message:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Fri Dec 19 11:03:00 CET 2003
...
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:393)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
at de.bi.http.PostXmlFile.main(PostXmlFile.java:97)
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Fri Dec 19 11:03:00 CET 2003
at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:268)
at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:524)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(DashoA6275)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(DashoA6275)
... 17 more
Exception in thread "main"

any idea?

-----------------------------------------
Peter

**cknoll** · December 17th, 2004, 11:37 AM

Take a look at:
http://jakarta.apache.org/commons/ht.../sslguide.html

Important part:

The default behaviour of HttpClient is suitable for most uses, however there are some aspects which you may want to configure. The most common requirements for customizing SSL are:

* Ability to accept self-signed or untrusted SSL certificates. This is highlighted by an SSLException with the message Unrecognized SSL handshake (or similar) being thrown when a connection attempt is made.
* You want to use a third party SSL library instead of Sun's default implementation.

Later they discuss the org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory (source found at:
http://cvs.apache.org/viewcvs.cgi/ja...CH&view=markup

And in using this socket factory, you should be able to get to un-trusted SSL sites. Give it a shot.

-Chris

**universer** · December 20th, 2004, 08:58 AM

hi cknoll,

the way you described is exactly what i tried to do.
the biggest problem while customizing my EasyProtocolSocketFactory
was to initialize the context.

In the manual they used context.init(null,new TrustManager[]{...},null),
which wont work. with using the 3rd parameter it runs properly.

Code:

         SSLContext context = SSLContext.getInstance("SSL");
           
            context.init(
                    null,           
                    new TrustManager[] {(TrustManager)new EasyX509TrustManager(null)}, 
                    new SecureRandom() );

also its important to keep javax.net.ssl apart from com.sun.net.ssl.
now it works.

thanks for your advice

!

Peter