Wednesday, March 08, 2006

Hacking your way to smoother SSL testing

I referred to this post (http://www.javaworld.com/javatips/jw-javatip115.html), which has 2 cool files (DummySSLSocketFactory.java & DummyTrustManager.java) that enable an application to accept all certificates WITHOUT validation, even if the certificate name differs from the server name. In your application, add the following statement (preferably just as the program starts):

Security.setProperty( "ssl.SocketFactory.provider", "DummySSLSocketFactory");

Yeah, this is coooool....

But unfortunately, this doesn't work in JDK 1.4.2. Excerpt from http://java.sun.com/j2se/1.4.2/docs/relnotes/features.html#security:

The JSSE implementation provided in this release includes strong cipher suites. However, due to U.S. export control restrictions, this release does not allow alternate "pluggable" SSL/TLS implementations to be used.

Aiii, need to do those keytool import/export/genkey stuff.....

But anyway, using JDK 1.5, it works! But I wonder, have US export restrictions gotten lax??? Kekekeke...but don't bother doing this in your startup script:

-Dssl.SocketFactory.provider=DummySSLSocketFactory

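Coz it doesn't work!!! -D sets a JVM system property, but ssl.SocketFactory.provider is a security property (the kind Security.setProperty sets), so the flag is never read. Stop wasting your time :p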
