在java中如何连接到https站点而不必担心安全证书

Question

When I try to connect to https website like follows:

StringBuilder sb = new StringBuilder();
        URL oracle = new URL("https://company.com");
        URLConnection yc = oracle.openConnection();
        BufferedReader in = new BufferedReader(new InputStreamReader(yc.getInputStream()));
        String inputLine;
        while ((inputLine = in.readLine()) != null)
            sb.append(inputLine);
        in.close();
        return sb.toString();

I get

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)

If I use the http://company.com instead it works but I want to use the https one because that is what they say to use and I think the non secure one may be removed.

However when i have looked at similar answers about this it talks about copying certificates from my browser ectera. I need a solution that will work for anyone running the code on any computer without having to do anything special.

Im not concerned about the security advantages of SSL for this project I just want to be able to connect to the wenbsite.

Answer 1

It seems you've already been warned against the approach, so I'll stick to answering your question. I was able to reproduce the problem on my machine, although I can't tell why: My browser accepts the site's certificate without a hitch.

I've tried expanding on your code to make it work, but soon found myself messing with SSLContext , various crypto-providers and service provider interfaces. I didn't manage to complete this approach, and wouldn't actually recommend going that way, as it changes the global security settings of your JVM and may have unpredictable consequences depending on what else it's doing.

Instead I suggest you take a look at the Apache HttpComponents library , which allows for more fine-grained control of the connection's security settings.

The following will disable all certificate validation for the created HttpClient instance:

TrustStrategy veryNaive = new TrustStrategy() {
    @Override
    public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        return true;
    }
};

SSLContext sslcontext = SSLContexts.custom()
    .loadTrustMaterial(veryNaive)
    .build();

CloseableHttpClient httpclient = HttpClients.custom()
    .setSSLSocketFactory(new SSLConnectionSocketFactory(sslcontext))
    .build();

try {
    HttpGet httpget = new HttpGet("https://company.com");

    try (CloseableHttpResponse response = httpclient.execute(httpget);) {
        HttpEntity entity = response.getEntity();
        System.out.println(EntityUtils.toString(entity));
        EntityUtils.consume(entity);
    }
} finally {
    httpclient.close();
}

Changing the SSLContext to SSLContexts.createSystemDefault(); re-introduces the problem, just to demonstrate that it's also present for the Apache library.