Friday, November 18, 2011

Defeating SSL certificate validation in Java

This post is a hack. You have been warned.

My employer swaps out SSL certificates traversing the corporate firewall. It is a financial firm with regulatory responsibilities that require monitoring all traffic leaving the company, including encrypted traffic.

One side effect is trouble with well-meaning programs which validate SSL certificates before trusting an encrypted connection. These validations fail using the self-signed replacement certificate.

Maven is such a tool:

[WARNING] Could not transfer metadata com.devspan.vendor.envjs:envjs-rhino/maven-metadata.xml from/to sonatype-oss (https://oss.sonatype.org/content/groups/public): Error transferring file: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The remark about "PKIX path building failed" is characteristic of the problem.

There is lots of good advice on fixing this correctly, say, here, here or here. But none of them work just now; I cannot edit the locked-down trust store for Java, it does not already contain the aforementioned replacement certificate, and I do not want to build a custom Maven to work around the problem.

Enter the hack.

$ mvn -Djavax.net.ssl.trustStore=/dev/null package
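As an added diagnostic example (not part of the original post), the following standalone Java program reproduces the check that JSSE performs on Maven's behalf: it loads a trust store from a path (treating a zero-length file such as /dev/null as an empty store, which is an assumption about how the hack is meant to behave, not something the post states), builds a PKIX trust manager from it, and asks that manager to validate a PEM-encoded server certificate chain. Running it against the default cacerts, against /dev/null, and against a trust store into which the corporate replacement certificate has been imported shows the three outcomes a practitioner cares about: the "PKIX path building failed" failure from the post, the empty-store failure, and a clean pass. The class name, the "changeit" default password and the argument layout are this example's own choices.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Validates a PEM certificate chain against a JKS trust store the way JSSE does. */
public class TrustStoreCheck {

    /**
     * Loads a JKS trust store from disk. A zero-length file (what /dev/null
     * reports on Linux) is treated as an empty store; this mirrors the hack's
     * intent as an assumption, not as documented JSSE behaviour.
     */
    static KeyStore loadTrustStore(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        if (Files.size(path) == 0) {
            ks.load(null, null);   // empty store, no trust anchors at all
            return ks;
        }
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Reads one or more PEM certificates (leaf first) into an X.509 chain. */
    static X509Certificate[] readChain(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pem)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            return certs.toArray(new X509Certificate[0]);
        }
    }

    /**
     * Runs the same PKIX trust decision an HTTPS client makes. Returns a
     * one-line verdict instead of throwing so both failure modes from the
     * post and its comments show up as readable text.
     */
    static String check(KeyStore trust, X509Certificate[] chain) {
        try {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
            tmf.init(trust);
            for (TrustManager tm : tmf.getTrustManagers()) {
                if (tm instanceof X509TrustManager) {
                    // Throws CertificateException when no path to an anchor exists,
                    // and a RuntimeException when the store holds no anchors at all.
                    ((X509TrustManager) tm).checkServerTrusted(chain, "RSA");
                    return "OK: chain anchors in trust store (" + trust.size() + " entries)";
                }
            }
            return "FAIL: no X509TrustManager available";
        } catch (Exception e) {
            return "FAIL: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java TrustStoreCheck <truststore.jks|/dev/null> <chain.pem> [password]");
            System.exit(2);
        }
        // "changeit" is the conventional default password for the JDK's cacerts file.
        char[] pw = (args.length > 2 ? args[2] : "changeit").toCharArray();
        KeyStore trust = loadTrustStore(Paths.get(args[0]), pw);
        X509Certificate[] chain = readChain(Paths.get(args[1]));
        System.out.println(check(trust, chain));
    }
}
```

Export the chain the firewall presents to a PEM file, then run the program once with the JDK's cacerts and once with the trust store you intend to hand to Maven via -Djavax.net.ssl.trustStore; a "FAIL" verdict before Maven starts is far easier to read than the wrapped exception inside a [WARNING] line, and a trust store containing only the corporate replacement certificate is the narrowest thing that turns it into "OK".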

2 comments:

Marc Dutoo said...

Hi

I get the same "PKIX" error when running Maven on Cygwin and trying to get artefacts from an HTTPS repository (cacerts can't be found somehow because of the Cygwin & Java setup). So I was delighted when I found your blog, and I very much wanted it to work, alas, to no avail:

[WARNING] repository metadata for: 'snapshot org.ow2.frascati:frascati-assembly-factory:1.5-SNAPSHOT' could not be retrieved from repository: frascati-repo due to an error: Error transferring file: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

I ended up just downloading it using Maven on Eclipse.

Brian Oxley said...

@Marc - Just to be clear, my hack is for UNIX/Linux/Mac.