I usually post about HTTP stuff on Twitter - you can follow me there:

1. Overview

This article will show how to configure the Apache HttpClient 4 with “Accept All” SSL support. The goal is simple – consume HTTPS URLs which do not have valid certificates.

If you want to dig deeper and learn other cool things you can do with the HttpClient – head on over to the main HttpClient guide.

2. The SSLPeerUnverifiedException

Without configuring SSL with the HttpClient, the following test – consuming an HTTPS URL – will fail:

public class HttpLiveTest {

    @Test(expected = SSLPeerUnverifiedException.class)
    public void whenHttpsUrlIsConsumed_thenException() 
      throws ClientProtocolException, IOException {
 
        DefaultHttpClient httpClient = new DefaultHttpClient();
        String urlOverHttps
          = "https://localhost:8080/spring-security-rest-basic-auth";
        HttpGet getMethod = new HttpGet(urlOverHttps);
        
        HttpResponse response = httpClient.execute(getMethod);
        assertThat(response.getStatusLine().getStatusCode(), equalTo(200));
    }
}

The exact failure is:

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:126)
    ...

The javax.net.ssl.SSLPeerUnverifiedException exception occurs whenever a valid chain of trust couldn’t be established for the URL.

3. Configure SSL – Accept All (HttpClient < 4.3)

Let’s now configure the HTTP client to trust all certificate chains regardless of their validity:

@Test
public void givenAcceptingAllCertificates_whenHttpsUrlIsConsumed_thenException() 
  throws IOException, GeneralSecurityException {
    TrustStrategy acceptingTrustStrategy = (cert, authType) -> true;
    SSLSocketFactory sf = new SSLSocketFactory(
      acceptingTrustStrategy, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    SchemeRegistry registry = new SchemeRegistry();
    registry.register(new Scheme("https", 8443, sf));
    ClientConnectionManager ccm = new PoolingClientConnectionManager(registry);

    DefaultHttpClient httpClient = new DefaultHttpClient(ccm);

    String urlOverHttps 
      = "https://localhost:8443/spring-security-rest-basic-auth/api/bars/1";
    HttpGet getMethod = new HttpGet(urlOverHttps);
    
    HttpResponse response = httpClient.execute(getMethod);
    assertThat(response.getStatusLine().getStatusCode(), equalTo(200));
}

With the new TrustStrategy now overriding the standard certificate verification process (which should consult a configured trust manager) – the test now passes and the client is able to consume the HTTPS URL.

4. The Spring RestTemplate with SSL (HttpClient < 4.3)

Now that we have seen how to configure a raw HttpClient with SSL support, let’s take a look at a higher level client – the Spring RestTemplate.

With no SSL configured, the following test fails as expected:

@Test(expected = ResourceAccessException.class)
public void whenHttpsUrlIsConsumed_thenException() {
    String urlOverHttps 
      = "https://localhost:8443/spring-security-rest-basic-auth/api/bars/1";
    ResponseEntity<String> response 
      = new RestTemplate().exchange(urlOverHttps, HttpMethod.GET, null, String.class);
    assertThat(response.getStatusCode().value(), equalTo(200));
}

So let’s configure SSL:

import static org.apache.http.conn.ssl.SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.TrustStrategy;
import org.apache.http.impl.client.DefaultHttpClient;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.ResourceAccessException;
import org.springframework.web.client.RestTemplate;

...
@Test
public void givenAcceptingAllCertificates_whenHttpsUrlIsConsumed_thenException() 
  throws GeneralSecurityException {
    HttpComponentsClientHttpRequestFactory requestFactory 
      = new HttpComponentsClientHttpRequestFactory();
    DefaultHttpClient httpClient
      = (DefaultHttpClient) requestFactory.getHttpClient();
    TrustStrategy acceptingTrustStrategy = (cert, authType) -> true
    SSLSocketFactory sf = new SSLSocketFactory(
      acceptingTrustStrategy, ALLOW_ALL_HOSTNAME_VERIFIER);
    httpClient.getConnectionManager().getSchemeRegistry()
      .register(new Scheme("https", 8443, sf));

    String urlOverHttps
      = "https://localhost:8443/spring-security-rest-basic-auth/api/bars/1";
    ResponseEntity<String> response = new RestTemplate(requestFactory).
      exchange(urlOverHttps, HttpMethod.GET, null, String.class);
    assertThat(response.getStatusCode().value(), equalTo(200));
}

As you can see, this is very similar to the way we configured SSL for the raw HttpClient – we configure the request factory with SSL support and then we instantiate the template passing this preconfigured factory.

5. Configure SSL – Accept All (HttpClient 4.4)

In HttpClient version 4.4, with SSLSocketFactory now deprecated, we can simply configure our HttpClient as follows:

@Test
public void givenIgnoringCertificates_whenHttpsUrlIsConsumed_thenCorrect()
  throws Exception {
    SSLContext sslContext = new SSLContextBuilder()
      .loadTrustMaterial(null, (certificate, authType) -> true).build();

    CloseableHttpClient client = HttpClients.custom()
      .setSSLContext(sslContext)
      .setSSLHostnameVerifier(new NoopHostnameVerifier())
      .build();
    HttpGet httpGet = new HttpGet(HOST_WITH_SSL);
    httpGet.setHeader("Accept", "application/xml");

    HttpResponse response = client.execute(httpGet);
    assertThat(response.getStatusLine().getStatusCode(), equalTo(200));
}

6. The Spring RestTemplate with SSL (HttpClient 4.4)

And we can use the same way to configure our RestTemplate:

@Test
public void givenAcceptingAllCertificatesUsing4_4_whenUsingRestTemplate_thenCorrect() 
throws ClientProtocolException, IOException {
    CloseableHttpClient httpClient
      = HttpClients.custom()
        .setSSLHostnameVerifier(new NoopHostnameVerifier())
        .build();
    HttpComponentsClientHttpRequestFactory requestFactory 
      = new HttpComponentsClientHttpRequestFactory();
    requestFactory.setHttpClient(httpClient);

    ResponseEntity<String> response 
      = new RestTemplate(requestFactory).exchange(
      urlOverHttps, HttpMethod.GET, null, String.class);
    assertThat(response.getStatusCode().value(), equalTo(200));
}

7. Conclusion

This tutorial discussed how to configure SSL for an Apache HttpClient so that it is able to consume any HTTPS URL, regardless of the certificate. The same configuration for the Spring RestTemplate is also illustrated.

An important thing to understand however is that this strategy entirely ignores certificate checking – which makes it insecure and only to be used where that makes sense.

The implementation of these examples can be found in the GitHub project – this is an Eclipse based project, so it should be easy to import and run as it is.

I usually post about HTTP stuff on Twitter - you can follow me there:


Sort by:   newest | oldest | most voted
I. N. Secure
Guest

You should at least mention that your TrustStrategy implementation does not perform any verification of the used certificate at all, which renders the use of ssl pretty much useless, as a man in the middle can present any certificate matching the name, no matter who it was issued or signed by.

Eugen Paraschiv
Guest

The article does mention repeatedly – in the very beginning (The goal is simple – consume HTTPS URLs which do not have valid certificates.) then in the Accept All chapter (Let’s now configure the http client to trust all certificate chains regardless of their validity…) and once more in the Conclusion, so hopefully it should be clear that the solution is simply ignoring certificates. The goal here is to be tolerant of invalid certificate chains when analyzing large datasets which may contain such URLs.
Thanks.
Eugen.

Mohan
Guest

Hi Eugen,

Thanks for the wonderful article, Could you please share me the exact jar version details for this example. Since while using am getting into lot of jar conflict issues.(3.Configure SSL – Accept All (HttpClient < 4.3)).

Eugen Paraschiv
Guest

Hey Mohan – you can check out the exact versions of the libraries used in the article by having a look at the actual project code – over on github.
Hope that helps. Cheers,
Eugen.

znogger
Guest

True, but a SSL connection provides two benefits: encryption and verification of the endpoint. If you trust any certificate then you loose the latter benefit. The connection is still encrypted and at least a man in the middle would have KNOW that the connector accepts any certificate to do something nasty. The barrier for an attacker has been lowered significantly but there are still advantages left. It still has a security level higher than a non-SSL connection.

Eugen Paraschiv
Guest

Agreed – that particular connection has a lot more entry-points for a potential attacker. However, these connections are throw away – attacking such a connection would lead to nothing. It’s only when that’s the case that one should ignore certificates. One such usecase I had – in fact, the usecase that prompted me to look into this solution – was processing URLs to extract some data from the page (title, description).

Rich Freedman
Guest

This is a totally insecure, and therefore really bad, idea.
Typically, the reason that folks look to this approach is that they’re using self-signed certificates.
The proper way to handle this situation is to create a custom trust store that trusts the self-signed cert and it’s CA.
For an example of how to do this the right way, see http://blog.chariotsolutions.com/2013/01/https-with-client-certificates-on.html

Eugen Paraschiv
Guest

It is definitely not secure as it simply configures the HttpClient to ignore certificate checking (which the article does state at the very beginning). That being said, I found there are valid usecases for such a strategy – one being heavy data analysis of large number of URLs – some of which unfortunately do use HTTPS without a valid certificate chain. I will try to make it even more clear in the conclusion of the article – thanks for pointing it out.
Eugen.

znogger
Guest
Hi Baeldung, You use Apache HttpClient rather than what comes by default with the JDK. That choice is yours. But I think you should at least begin your article by telling WHY you’ve made this choice. I’ve actually met programmers who thought that they HAD to bring in Apache’s HttpClient in order to do any kind of http client stuff. There is nothing in what you do here that cannot be done with standard JDK classes. This is not to say that Apache HttpClient did not have its time and (some will argue) still very much has its time. The… Read more »
Eugen Paraschiv
Guest
Thanks for the interesting feedback. This is definitely just one solution to the problem – there are many other valid ones. My own personal preference is for the Apache client simply because I find it has a nicer API than the JDK classes. Another advantage is that it doesn’t have a multi-year release schedule – if you need something changed in the JDK classes, there isn’t much chance of that happening any time soon (or at all), whereas if you need a change in the Apache HTTP client, you can either suggest it or contribute it yourself. Granted, that may… Read more »
Ivan Brencsics
Guest

Hi Eugen. Is there an example somewhere how to use HttpClient in the case, when it needs to communicate with multiple destinations, all having different SSL settings? Each destination has its own truststore and keystore (we are using SSL with client certificate all the time).

Now we are using one HttpClient/PoolingHttpClientConnectionManager per destination, and configure the SSL by providing a Registry to PoolingHttpClientConnectionManager. But as HttpClient is intended for multiple destination, I hope there is a way to have different SSLSocketFactories for different destination inside a single PoolingHttpClientConnectionManager.

Eugen Paraschiv
Guest

It’s very likely that this is supported by the HttpClient, but I personally haven’t explored it. The HttpClient mailing list might be a good place to ask.

Santhosh Baby
Guest

Need a help
Im trying to authenticate ssl for https request .. based on your code for httpclient version 4.5 it worked only if my request uses https://localhost:443 (default port 443) .
my question is how to give the custom port tried searching every where didnt find a solution. please provide me help for httpclient version 4.5.
I tried using https://localhost:9002 directly but still it gets remapped to .443 port.. how do i solve this

Eugen Paraschiv
Guest

Hey Santhosh – before 4.3, there was a clear way to specify the port by registering a Scheme – and I’m sure that was replaced by an equality flexible API, but I haven’t looked at what that is recently.
You can start from the example in that test (in the Github project) and then follow the JavaDocs to see exactly how to replace that Scheme. Cheers,
Eugen.

wpDiscuz