Home > Java > Avoiding the “javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed” error

Avoiding the “javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed” error

This post has moved here: http://javaskeleton.blogspot.com/2011/01/avoiding-sunsecurityvalidatorvalidatore.html

Advertisements
  1. arne and
    February 2, 2011 at 16:32

    Thanks for sharing this!
    One question:
    Will this trust all servers ONLY in this class? Or does it affect everything running in the same JVM?

    • February 2, 2011 at 16:57

      Hi Arne,

      This will affect all newly created SSL Sockets in the JVM. If you only want to apply it to one connection, you can use the setSSLSocketFactory method on the HttpsURLConnection class instead. I don’t think there’s a way to just tie it to one class.

      • arne and
        February 3, 2011 at 09:50

        Thanks for your answer. Thats exactly what i’m looking for. I have one connection i’d want to bypass the certificate validation.
        I took a look at the setSSLSocketFactory and the SSLSocketFactory, but with my limited skills im unable to pinpoint exactly what needs to be set for it to do what i want.
        If you’d like to point me even further in the right direction, that would be great!

        Thanks

      • February 3, 2011 at 10:46

        Sure, it’s actually just one line that needs to be changed. The line

        SSLContext.setDefault(ctx);

        needs to be removed, since this sets the default for ALL new sockets.
        You will need to add the following line instead:

        conn.setSSLSocketFactory(ctx.getSocketFactory());

        this will get a socket factory from the context you initialized and apply it only to that one connection. Here’s the final code:

        public static void main(String[] args) throws NoSuchAlgorithmException, KeyManagementException, MalformedURLException, IOException {
        X509TrustManager tm = new X509TrustManager() {
        @Override
        public X509Certificate[] getAcceptedIssuers() {
        return null;
        }

        @Override
        public void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString) throws CertificateException {

        }

        @Override
        public void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString) throws CertificateException {
        }
        };
        SSLContext ctx = SSLContext.getInstance(“TLS”);
        ctx.init(null, new TrustManager[] { tm }, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(“serverAddress:port”).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(new HostnameVerifier() {

        @Override
        public boolean verify(String paramString, SSLSession paramSSLSession) {
        return true;
        }
        });
        conn.connect();

        }

  2. arne and
    February 3, 2011 at 12:05

    Thanks Mathias!
    This works perfectly.

  1. January 24, 2011 at 11:52

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: