java - Trust not trusted certificates and skip hostname verification


I have a server which is running an HTTPS web server. When I enter it in the browser I get errors that the domain does not match (because I use the IP of the server) and that the certificate is not trusted. I need to send requests to the server using Apache HttpClient 4.2.1. I found a piece of code online that helps me:

    // a = ClientConnectionManager, b = HttpParams (from the surrounding code)
    httpclient = new DefaultHttpClient(a, b);
    // Trust strategy that accepts every server certificate without validation
    SSLSocketFactory sslSocketFactory = new SSLSocketFactory(
            new TrustStrategy() {
                @Override
                public boolean isTrusted(X509Certificate[] arg0, String arg1)
                        throws CertificateException {
                    return true;
                }
            },
            // Hostname verifier that accepts any name in the certificate
            SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    // Use this socket factory for every https:// URL (default port 443)
    httpclient.getConnectionManager().getSchemeRegistry()
            .register(new Scheme("https", 443, sslSocketFactory));

Because I don't understand the code, I have some questions.

1) Do I understand correctly that the first parameter of SSLSocketFactory bypasses the "not trusted" part of the certificate problem? Does it return every certificate as trusted?

2) Is the second parameter needed because the certificate hostname does not match the URL?

3) What are SchemeRegistry and Scheme? I am making a new Scheme with the parameters "https", 443 and the created SSLSocketFactory. I understand that the scheme is for HTTPS connections and uses the rules defined in the SSLSocketFactory, but what is the port for? Will this work for HTTPS connections on port 443 only, or on other ports too? If the port is different, should I type the different port in there?

4) The most important question: if I use a trusted certificate, how do I skip hostname verification and not change the trust strategy?

1) Do I understand correctly that the first parameter of SSLSocketFactory bypasses the "not trusted" part of the certificate problem? Does it return every certificate as trusted?

Yes. A bad idea.

2) Is the second parameter needed because the certificate hostname does not match the URL?

Yes. A bad idea too.

... what is the port for?

This is the default port for the protocol, i.e. if you give a https://host/ URL and not https://host:port/, it knows to use port 443.

4) The most important question: if I use a trusted certificate, how do I skip hostname verification and not change the trust strategy?

It is a bad idea to disable an important part of the validation. In effect it allows any certificate signed by a trusted CA to be used instead of your own certificate. Since it is easy to own a domain and get a trusted certificate for it, this opens you up to easy man-in-the-middle attacks.

If it is impossible to use a correct certificate (why use the IP instead of the name anyway?), you should use certificate or public key pinning to trust the certificate. See OWASP for more information, including sample code.
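As an added example (not code from the question or the answer), this is one way to do the pinning the answer recommends with the same HttpClient 4.2 API the question uses. The TrustStrategy trusts exactly one server public key, identified by the SHA-256 fingerprint of its DER-encoded SubjectPublicKeyInfo, rejects everything else, and hostname verification stays switched on. The class and method names are my own and EXPECTED_SPKI_SHA256_HEX is a placeholder you would replace with the fingerprint computed out of band from a known-good copy of the certificate.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.TrustStrategy;
import org.apache.http.impl.client.DefaultHttpClient;

public class PinnedHttpsClient {

    // Placeholder: hex SHA-256 of the server's DER SubjectPublicKeyInfo, computed
    // out of band from a known-good certificate, e.g.
    //   openssl x509 -in server.pem -pubkey -noout \
    //     | openssl pkey -pubin -outform DER | openssl dgst -sha256
    static final String EXPECTED_SPKI_SHA256_HEX = "<PLACEHOLDER_PIN_HEX>";

    /** Hex SHA-256 over the certificate's DER-encoded public key. */
    static String spkiSha256Hex(X509Certificate cert) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(cert.getPublicKey().getEncoded());
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException("SHA-256 unavailable", e);
        }
    }

    /**
     * TrustStrategy that trusts exactly one public key. In HttpClient 4.x a
     * strategy that returns true short-circuits the default PKIX check (which is
     * what lets a self-signed certificate through), returning false falls back
     * to the default check, and throwing rejects the connection.
     */
    static TrustStrategy pinnedTo(final String expectedHex) {
        return new TrustStrategy() {
            @Override
            public boolean isTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                if (chain == null || chain.length == 0) {
                    throw new CertificateException("empty certificate chain");
                }
                // chain[0] is the server's own (leaf) certificate
                byte[] actual = spkiSha256Hex(chain[0])
                        .getBytes(StandardCharsets.US_ASCII);
                byte[] expected = expectedHex.toLowerCase()
                        .getBytes(StandardCharsets.US_ASCII);
                // Constant-time comparison; any other key is rejected outright
                if (!MessageDigest.isEqual(actual, expected)) {
                    throw new CertificateException("public key pin mismatch for "
                            + chain[0].getSubjectX500Principal());
                }
                return true;
            }
        };
    }

    /** Client that accepts only the pinned key and still verifies the hostname. */
    static DefaultHttpClient buildClient(String expectedHex) throws Exception {
        SSLSocketFactory factory = new SSLSocketFactory(
                pinnedTo(expectedHex),
                SSLSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
        DefaultHttpClient client = new DefaultHttpClient();
        client.getConnectionManager().getSchemeRegistry()
                .register(new Scheme("https", 443, factory));
        return client;
    }

    public static void main(String[] args) throws Exception {
        DefaultHttpClient client = buildClient(EXPECTED_SPKI_SHA256_HEX);
        // client.execute(new HttpGet("https://host/")) now fails the TLS handshake
        // unless the server presents the pinned key and a matching hostname.
        client.getConnectionManager().shutdown();
    }
}
```

Pinning the key rather than the whole certificate means the pin survives a certificate renewal as long as the same key pair is reused. Hostname verification is deliberately left on: the pin says which key you expect, the name check says which server the certificate was issued for, and as the answer notes the right fix for a name mismatch is a certificate issued for the name (or IP) you actually connect to, not turning the check off.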
