Java SSL/TLS ignore expired cert? (java.security.cert.CertPathValidatorException: timestamp check failed)
I am having an issue with a api that I communicate to via SSL. I am thinking the exception is coming due to the fact that the SSL cert has expired. The problem is that I do
-
I'm not aware of a property that would let you ignore the time validity check on the remote certificate for the default
X509TrustManagers, but if you have access to the client code, you can probably configure a differentSSLContextwith your ownX509TrustManager, within which you could catch this exception.If you want to use something like jSSLutils and its
SSLContextFactory, you could write a wrapper along these lines:PKIXSSLContextFactory sslContextFactory = new PKIXSSLContextFactory(); sslContextFactory.setTrustManagerWrapper(new X509TrustManagerWrapper() { @Override public X509TrustManager wrapTrustManager(final X509TrustManager origManager) { return new X509TrustManager() { @Override public X509Certificate[] getAcceptedIssuers() { return origManager.getAcceptedIssuers(); } @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { try { origManager.checkServerTrusted(chain, authType); } catch (CertificateExpiredException e) { // TODO log or do something else to rethrow // the exception if chain[0] isn't the certificate // for which you want to make this special case. } } @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { origManager.checkClientTrusted(chain, authType); } }; } }); SSLContext sslContext = sslContextFactory.buildSSLContext();Making use of this
SSLContextthen really depends on what uses SSL in your application. In the worst case, you can configure it globally usingSSLContext.setDefault(sslContext)with Java 6 and above. Otherwise, some libraries will let you configure anSSLContext.
加载中...
- 热议问题