80

I received this error while trying to start up an application:

Sun.security.validator.ValidatorException: PKIX path validation failed: 
java.security.cert.CertPathValidatorException:  java.net.UnknownHostException:oscp.thawte.com

The application is behind a closed network and won't ever be able to get to oscp.thawte.com. Is there a Java setting that can disable this?

Tim

7 Answers

67

-Dcom.sun.net.ssl.checkRevocation=false

Nakilon
MK.
  • 3
    Where should I execute this? – nyanev Jan 20 '14 at 09:06
  • 2
    it is a command line parameter for the JVM. You can also set it programmatically http://stackoverflow.com/questions/5189914/setting-system-property – MK. Jan 21 '14 at 03:37
  • Using OpenJDK 6 this isn't working for me. (It's probably Sun-specific.) – lapo May 20 '15 at 17:11
  • 1
    well it is referenced in OpenJDK code http://hg.openjdk.java.net/jdk7/jdk7/jdk/file/37a05a11f281/src/share/classes/sun/security/ssl/X509TrustManagerImpl.java Try to check which TrustManager you are using. – MK. Sep 17 '15 at 13:59
  • Hi! I tried to set this in my `MAVEN_OPTS` environment variable on windows 7, so that my `mvn` could connect to a private repo w/o SSLHandshake ex. It did not work for me though. Any Ideas? – Karan Chadha May 09 '17 at 04:41
  • I think Maven is special, see this question http://stackoverflow.com/questions/21252800/how-to-tell-maven-to-disregard-ssl-errors-and-trusting-all-certs – MK. May 10 '17 at 13:13
  • 22
    Doesn't work with Java 8 for me. I used System.setProperty("com.sun.net.ssl.checkRevocation", "false") in my code. The property does get set but has no effect. – Kumar Vaibhav Mar 23 '18 at 21:19
  • does this work? https://log.rowanto.com/java-8-turning-off-ssl-certificate-check/ – MK. Mar 23 '18 at 22:22
  • I'm using openjdk version "1.8.0_292" OpenJDK Runtime Environment (build 1.8.0_292-b10) this option doesn't seem to work – HoaPhan Jun 08 '21 at 01:00
20

Not exactly a setting but you can override the default TrustManager and HostnameVerifier to accept anything. Not a safe approach but in your situation, it can be acceptable.

Complete example: Fix certificate problem in HTTPS

RealHowTo
9

Use the keytool CLI utility from the Java software distribution to import (and trust!) the needed certificates.

Sample:

  1. From cli change dir to jre\bin

  2. Check keystore (file found in jre\bin directory)
    keytool -list -keystore ..\lib\security\cacerts
    Enter keystore password: changeit

  3. Download and save the whole certificate chain from the needed server.

  4. Add the certificates (first you need to remove the "read-only" attribute on the file "..\lib\security\cacerts")
    keytool -alias REPLACE_TO_ANY_UNIQ_NAME -import -keystore ..\lib\security\cacerts -file "r:\root.crt"

Accidentally I found such a simple tip. Other solutions require the use of InstallCert.Java and JDK.

source: http://www.java-samples.com/showtutorial.php?tutorialid=210

9

In addition to the answers above. You can do it programmatically by implementing the TrustManager:

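import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TrustAllCerts {

  // Installs JVM-wide HttpsURLConnection defaults that accept any
  // certificate chain and any host name (no validation is left).
  public static void install() throws GeneralSecurityException {
    TrustManager[] trustAllCerts = new TrustManager[] {
      new X509TrustManager() {
        @Override
        public X509Certificate[] getAcceptedIssuers() {
          // Empty array instead of null, so callers never hit a NullPointerException
          return new X509Certificate[0];
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) {}
      }
    };

    // Exceptions propagate to the caller; the original swallowed them and
    // then dereferenced a possibly null SSLContext.
    SSLContext sc = SSLContext.getInstance("TLS");
    sc.init(null, trustAllCerts, new SecureRandom());
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

    // Create all-trusting host name verifier
    HostnameVerifier validHosts = new HostnameVerifier() {
      @Override
      public boolean verify(String hostname, SSLSession session) {
        return true;
      }
    };
    // All hosts will be valid
    HttpsURLConnection.setDefaultHostnameVerifier(validHosts);
  }
}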

However this is not a good practice for production.

This example on How to disable SSL certificat validation in Java contains a utility class you can copy in your project.

Mehdi
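A narrower alternative to the trust-all approach in the answers above, as an added example that is not part of any original answer: it switches off only revocation checking (the OCSP/CRL lookup that fails in the question) for a single SSLContext, while chain and host name validation stay on. The class name, the command-line arguments and the choice of trust store file are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical class name; added example, not code from the page.
public class NoRevocationContext {

    // Builds an SSLContext that validates server chains against the given
    // trust store but never contacts an OCSP responder or CRL endpoint.
    static SSLContext build(String trustStorePath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(trustStorePath))) {
            trustStore.load(in, password);
        }

        // Trust anchors come from the store; an empty selector puts no
        // constraint on the target certificate.
        PKIXBuilderParameters pkix =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkix.setRevocationEnabled(false); // the only check that is turned off

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: trust store path, store password, https URL.
        SSLContext ctx = build(args[0], args[1].toCharArray());
        HttpsURLConnection conn =
                (HttpsURLConnection) new URL(args[2]).openConnection();
        // Applies to this connection only; JVM-wide defaults are untouched
        // and the default HostnameVerifier still runs.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The trust store can be the cacerts file that the keytool answer imports certificates into, so a private root added there is still verified on every connection.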
3

On my Mac that I'm sure I'm not going to allow java anyplace other than a specific site, I was able to use Preferences->Java to bring up the Java control panel and turned the checking off. If DLink ever fixes their certificate, I'll turn it back on.

Java control panel - Advanced

Stephen Rauch
2

In an Axis web service, if you have to disable certificate checking, use the code below:

AxisProperties.setProperty("axis.socketSecureFactory","org.apache.axis.components.net.SunFakeTrustSocketFactory");

Willi Mentzel
Shirishkumar Bari
-4

It is very simple. In my opinion it is the best way for everyone.

       // Imports assume Unirest-java 3.x package names
       import com.google.gson.Gson;
       import kong.unirest.HttpResponse;
       import kong.unirest.Unirest;

       // Turns off TLS certificate verification for every Unirest request
       Unirest.config().verifySsl(false);
       HttpResponse<String> response = null;
       try {
           Gson gson = new Gson();
           response = Unirest.post("your_api_url")
                   .header("Authorization", "Basic " + "authkey")
                   .header("Content-Type", "application/json")
                   .body("request_body")
                   .asString();
           System.out.println("------RESPONSE -------"+ gson.toJson(response.getBody()));
       } catch (Exception e) {
           System.out.println("------RESPONSE ERROR--");
           e.printStackTrace();
       }
Eldor
  • Are you sure this will help? I'm not sure if the poster is trying to make a ws call himself. – Stan Apr 19 '20 at 09:21