How to make Restlet client ignore SSL Certificate problems

nwaltham picture nwaltham · Jan 25, 2012 · Viewed 9.1k times · Source

I am currently working in a test environment where the server has a default Self signed SSL certificate. I am using Restlet 2.1-RC2 and instantiating client resource like this:

Client client = new Client(new Context(), Protocol.HTTP);
cr = new ClientResource(String.format(itql_endpoint,riQuery));
cr.setNext(client);

and reusing client for each call I make. How can I set up client so that it ignores problematic certificates.

Answer

Bruno picture Bruno · Jan 25, 2012

The right way is to import this self-signed certificate into the client's trust store, using keytool for example:

keytool -import -file server-cert.pem -alias myserver -keystore mytruststore.jks

You can either do it directly in the JRE's trust store (lib/security/cacerts), which may lack some flexibility, or do it in your own copy of this file, which you then set as the trust store (the default password is changeit or changeme on OSX). You configure this truststore globally for your application using the usual javax.net.ssl.trustStore* system properties (e.g. -Djavax.net.ssl.trustStore=mytruststore system property (and -Djavax.net.ssl.trustStorePassword) or you can configure it for a specific connector in Restlet using the server context parameters, for example:

Series<Parameter> parameters = client.getContext().getParameters();
parameters.add("truststorePath", "/path/to/your/truststore.jks");
// parameters.add("truststorePassword", "password");
// parameters.add("trustPassword", "password");
// parameters.add("truststoreType", "JKS");

The wrong way is to use a TrustManager that's going to disable any verification and pass it via an SslContextFactory (in the SSL extension). Something along these lines.

TrustManager tm = new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain,
                    String authType)
                    throws CertificateException {
    }

    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }

    public void checkServerTrusted(X509Certificate[] chain,
                    String authType)
                    throws CertificateException {
        // This will never throw an exception.
        // This doesn't check anything at all: it's insecure.
    }
};

final SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, new TrustManager[] {tm}, null);
Context context = client.getContext();
context.getAttributes().put("sslContextFactory", new SslContextFactory() {
    public void init(Series<Parameter> parameters) { }
    public SSLContext createSslContext() { return sslContext; }
});

While the first method may seem a bit more tedious than the second (since you need to obtain the server certificate first and copy files around), the second will simply make the error messages go away by not verifying anything about the server certificate, thereby making it vulnerable to active MITM attacks. This will apply to any connection where this SSLContext is configured. (This "wrong way isn't wrong because it uses a custom SSLContext, it's wrong because of this particular configuration of the SSLContext.)