Avoiding the “javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed” error

This post has moved here: http://javaskeleton.blogspot.com/2011/01/avoiding-sunsecurityvalidatorvalidatore.html

  1. arne and
    February 2, 2011 at 16:32

    Thanks for sharing this!
    One question:
    Will this trust all servers ONLY in this class? Or does it affect everything running in the same JVM?

    • February 2, 2011 at 16:57

      Hi Arne,

      This will affect all newly created SSL Sockets in the JVM. If you only want to apply it to one connection, you can use the setSSLSocketFactory method on the HttpsURLConnection class instead. I don’t think there’s a way to just tie it to one class.

      • arne and
        February 3, 2011 at 09:50

        Thanks for your answer. That’s exactly what I’m looking for. I have one connection I’d want to bypass the certificate validation.
        I took a look at the setSSLSocketFactory and the SSLSocketFactory, but with my limited skills I’m unable to pinpoint exactly what needs to be set for it to do what I want.
        If you’d like to point me even further in the right direction, that would be great!

        Thanks

      • February 3, 2011 at 10:46

        Sure, it’s actually just one line that needs to be changed. The line

        SSLContext.setDefault(ctx);

        needs to be removed, since this sets the default for ALL new sockets.
        You will need to add the following line instead:

        conn.setSSLSocketFactory(ctx.getSocketFactory());

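        This will get a socket factory from the context you initialized and apply it only to that one connection. Here’s the final code:

        import java.io.IOException;
        import java.net.MalformedURLException;
        import java.net.URL;
        import java.security.KeyManagementException;
        import java.security.NoSuchAlgorithmException;
        import java.security.cert.CertificateException;
        import java.security.cert.X509Certificate;
        import javax.net.ssl.HostnameVerifier;
        import javax.net.ssl.HttpsURLConnection;
        import javax.net.ssl.SSLContext;
        import javax.net.ssl.SSLSession;
        import javax.net.ssl.TrustManager;
        import javax.net.ssl.X509TrustManager;

        public class TrustAllForOneConnection {
            public static void main(String[] args) throws NoSuchAlgorithmException, KeyManagementException, MalformedURLException, IOException {
                // Trust manager that accepts every certificate chain without validating it.
                X509TrustManager tm = new X509TrustManager() {
                    @Override
                    public X509Certificate[] getAcceptedIssuers() {
                        // The interface contract requires a non-null (possibly empty) array.
                        return new X509Certificate[0];
                    }

                    @Override
                    public void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString) throws CertificateException {
                    }

                    @Override
                    public void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString) throws CertificateException {
                    }
                };
                SSLContext ctx = SSLContext.getInstance("TLS");
                ctx.init(null, new TrustManager[] { tm }, null);
                // Placeholder: replace with the real https URL of the server.
                HttpsURLConnection conn = (HttpsURLConnection) new URL("https://serverAddress:port").openConnection();
                // Applies the trust-all context to this connection only, not to the JVM default.
                conn.setSSLSocketFactory(ctx.getSocketFactory());
                // Hostname verifier that accepts any hostname, for this connection only.
                conn.setHostnameVerifier(new HostnameVerifier() {
                    @Override
                    public boolean verify(String paramString, SSLSession paramSSLSession) {
                        return true;
                    }
                });
                conn.connect();
            }
        }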

  2. arne and
    February 3, 2011 at 12:05

    Thanks Mathias!
    This works perfectly.
