Wednesday, July 2, 2014

Java HTTP Client: SSL Self-Signed Certificates & IP Address Hostnames

By default, a Java-based HTTP client will refuse to connect to an "https" endpoint when the server-side certificate is self-signed, and also when the server is addressed by an IP address rather than a hostname.

These are two separate problems and require separate solutions. For the self-signed certificate, we can use the following code, which installs a TrustManager that accepts every certificate and tells Java to trust all of them.

import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// A TrustManager whose check methods never throw, so every server certificate is accepted.
TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager(){
   // Return an empty array rather than null; some callers iterate over this result.
   public X509Certificate[] getAcceptedIssuers(){return new X509Certificate[0];}
   public void checkClientTrusted(X509Certificate[] certs, String authType){}
   public void checkServerTrusted(X509Certificate[] certs, String authType){}
}};

try {
   SSLContext sc = SSLContext.getInstance("TLS");
   sc.init(null, trustAllCerts, new SecureRandom());
   // Make every HttpsURLConnection created from now on use this context.
   HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
} catch (Exception e) {
   e.printStackTrace();
}

For the IP address issue, which throws an error (CertificateException: No subject alternative names present), we can use the following code:

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier(){
   public boolean verify(String hostname, SSLSession session){
      // You may choose to return true all the time here, or, as below, only for certain IPs.
      // "192.0.2.10" is a placeholder for the server's address.
      return "192.0.2.10".equals(hostname);
   }
});

Note: this solution has been tested to work with the Jersey REST client.
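As an added example (not code from this post), the same two problems solved without disabling verification: the server's self-signed certificate is loaded into an in-memory trust store so that only that one certificate is trusted, and the hostname verifier, which HttpsURLConnection consults only when the certificate's names do not match the URL host, accepts only a listed address that presents exactly that certificate. The file path "server.crt" and the address "192.0.2.10" are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import javax.net.ssl.*;

public class PinnedSelfSignedClient {
    // Parses the server's self-signed certificate from a PEM or DER file (path is a placeholder).
    static X509Certificate loadCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // SSLContext whose trust store holds only that certificate, so any other issuer is still rejected.
    static SSLContext contextTrustingOnly(X509Certificate cert) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);                    // empty in-memory trust store
        ts.setCertificateEntry("server", cert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, tmf.getTrustManagers(), null);
        return sc;
    }

    // Invoked only when the certificate's names do not match the URL host (the IP-address case).
    // Accept solely when the address is expected and the peer's leaf certificate is the pinned one.
    static HostnameVerifier verifierFor(final Set<String> allowedAddresses, final X509Certificate pinned) {
        return new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) {
                try {
                    Certificate[] chain = session.getPeerCertificates();
                    return allowedAddresses.contains(hostname) && chain.length > 0 && chain[0].equals(pinned);
                } catch (SSLPeerUnverifiedException e) {
                    return false;
                }
            }
        };
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = loadCert("server.crt");                 // placeholder path
        HttpsURLConnection.setDefaultSSLSocketFactory(contextTrustingOnly(cert).getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(verifierFor(Collections.singleton("192.0.2.10"), cert));
    }
}
```

If the server certificate is reissued with the IP address in its subject alternative names, the default verification succeeds and the custom verifier is never consulted.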
