Disabling SSL Certificate Validation in Spring RestTemplate

花落未央 2020-11-28 20:05

I have two Spring-based web apps, A and B, on two different machines.

I want to make an HTTPS call from web app A to web app B, however I am using a self-signed c

12 answers
  •  一个人的身影
    2020-11-28 20:22

    This problem is about the SSL connection. When you try to connect to some resource, the HTTPS protocol requires creating a secured connection. That means only your browser and the website server know what data is being sent in request bodies. This security is achieved by SSL certificates that are stored on the website and are downloaded by your browser (or any other client, Spring RestTemplate with Apache Http Client behind it in our case) with the first connection to the host. There are RSA256 encryption and many other cool things around. But at the end of the day: in case the certificate is not registered or is invalid, you will see a certificate error (HTTPS connection is not secure). To fix the certificate error, the website provider needs to buy it for the particular website or fix it somehow, e.g. https://www.register.com/ssl-certificates

    The right way to solve the problem

    • Register SSL certificate

    Not the right way to solve the problem

    • download the broken SSL certificate from the website
    • import the SSL certificate into Java cacerts (certificate storage)

      keytool -importcert -trustcacerts -noprompt -storepass changeit -alias citrix -keystore "C:\Program Files\Java\jdk-11.0.2\lib\security\cacerts" -file citrix.cer

    The dirty (insecure) way to solve the problem

    • make RestTemplate ignore SSL verification

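      import java.security.KeyManagementException;
      import java.security.KeyStoreException;
      import java.security.NoSuchAlgorithmException;
      import javax.net.ssl.SSLContext;
      import org.apache.http.conn.ssl.NoopHostnameVerifier;
      import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
      import org.apache.http.impl.client.HttpClients;
      import org.apache.http.ssl.SSLContexts;
      import org.springframework.beans.factory.annotation.Autowired;
      import org.springframework.boot.web.client.RestTemplateBuilder;
      import org.springframework.context.annotation.Bean;
      import org.springframework.http.client.ClientHttpRequestFactory;
      import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;

      // INSECURE: this client accepts any certificate and skips hostname checks.
      @Bean
      public RestTemplateBuilder restTemplateBuilder(@Autowired SSLContext sslContext) {
          return new RestTemplateBuilder() {
              @Override
              public ClientHttpRequestFactory buildRequestFactory() {
                  return new HttpComponentsClientHttpRequestFactory(
                          HttpClients.custom().setSSLSocketFactory(
                                  // NoopHostnameVerifier turns off hostname verification
                                  new SSLConnectionSocketFactory(sslContext,
                                          NoopHostnameVerifier.INSTANCE)).build());
              }
          };
      }

      @Bean
      public SSLContext insecureSslContext() throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
          return SSLContexts.custom()
                  // trust strategy returns true for every chain: no certificate validation
                  .loadTrustMaterial(null, (x509Certificates, s) -> true)
                  .build();
      }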
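
For contrast with the insecure configuration in the answer above, an added example (not part of the original post) that lets app A accept app B's self-signed certificate without turning validation off: a dedicated truststore holding only that certificate, with hostname verification left on. It assumes Apache HttpClient 4.x as in the answer; the class name, the property names `appb.truststore.location` and `appb.truststore.password`, and the truststore file name are hypothetical.

```java
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

@Configuration
public class AppBClientConfig { // hypothetical class name

    // Hypothetical properties. The store contains only app B's certificate, e.g. built with:
    //   keytool -importcert -noprompt -alias app-b -file app-b.cer \
    //           -keystore app-b-truststore.p12 -storetype PKCS12
    @Value("${appb.truststore.location}")
    private Resource trustStore;

    @Value("${appb.truststore.password}")
    private String trustStorePassword;

    @Bean
    public RestTemplate appBRestTemplate() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = trustStore.getInputStream()) {
            ks.load(in, trustStorePassword.toCharArray());
        }
        // Trust anchors come from this store only; a null TrustStrategy keeps
        // normal chain validation instead of the accept-everything lambda.
        SSLContext sslContext = SSLContexts.custom()
                .loadTrustMaterial(ks, null)
                .build();
        // No NoopHostnameVerifier: this constructor uses the default verifier,
        // so the certificate must match the host name being called.
        CloseableHttpClient client = HttpClients.custom()
                .setSSLSocketFactory(new SSLConnectionSocketFactory(sslContext))
                .build();
        return new RestTemplate(new HttpComponentsClientHttpRequestFactory(client));
    }
}
```

Only calls made through this `RestTemplate` trust app B's certificate; the JVM-wide `cacerts` store stays untouched, and the self-signed certificate has to be issued for the host name app A uses to reach app B.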
      
