I'm trying to implement an SSL connection with a custom protocol above it, not HTTPS. I don't want to use certs because I don't want the users to have to deal with them. So I created essentially a dummy cert on the server, and I'd like to find a way to tell the client not to validate the cert.
I found the following code from the Java Developer's Almanac, which shows how to do this for an HTTPS connection. Is there a way to do this for any SSL/TLS connection that doesn't use HTTPS? Or do I need to have all the users install a cert in the client's trust store?
// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[]{
new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(
java.security.cert.X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(
java.security.cert.X509Certificate[] certs, String authType) {
}
}
};
// Install the all-trusting trust manager
try {
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
} catch (Exception e) {
}
// Now you can access an https URL without having the certificate in the truststore
try {
URL url = new URL("https://hostname/index.html");
} catch (MalformedURLException e) {
}