Friday, November 18, 2011

Defeating SSL certificate validation in Java

This post is a hack. You have been warned.

My employer swaps out SSL certificates traversing the corporate firewall. It is a financial firm with regulatory responsibilities that require monitoring all traffic leaving the company, including encrypted traffic.

One side effect is trouble with well-meaning programs which validate SSL certificates before trusting an encrypted connection. These validations fail when the program is presented with the self-signed replacement certificate instead of the server's real one.

Maven is such a tool:

[WARNING] Could not transfer metadata com.devspan.vendor.envjs:envjs-rhino/maven-metadata.xml from/to sonatype-oss (https://oss.sonatype.org/content/groups/public): Error transferring file: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The remark about "PKIX path building failed" is characteristic of the problem: the JVM could not build a chain from the certificate it was shown to any CA in its trust store.

There is lots of good advice on fixing this correctly, say, here, here or here. But none of them work just now; I cannot edit the locked-down trust store for Java, it does not already contain the aforementioned replacement certificate, and I do not want to build a custom Maven to work around the problem.

Enter the hack.

$ mvn -Djavax.net.ssl.trustStore=/dev/null package
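For comparison, here is the scoped alternative as an added example; it is not code from the original post. It assumes the firm's replacement certificates are issued by a CA whose certificate can be exported as PEM (the file name corp-proxy-ca.pem, the output file corp-truststore.jks and the password are assumptions). It builds a trust store holding only that CA, uses it for one HTTPS request, and saves it so Maven can be pointed at it with the same -Djavax.net.ssl.trustStore property. Validation stays on: a host whose chain does not lead to that CA (or to anything else in the store) is still rejected.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Hypothetical example: trust the corporate proxy's CA for one JVM / one build
 * without editing the JDK's locked-down cacerts and without disabling validation.
 */
public class ProxyAwareTrust {

    /** Build a JKS trust store that holds ONLY the CA(s) found in the PEM file (path is an assumption). */
    static KeyStore trustStoreWithProxyCa(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                       // start from an empty store, not from cacerts
        try (InputStream in = new FileInputStream(pemPath)) {
            int i = 0;
            for (Certificate c : cf.generateCertificates(in)) {   // the PEM may hold a chain
                ks.setCertificateEntry("proxy-ca-" + i++, c);
            }
        }
        return ks;
    }

    /** SSLContext whose trust manager validates server chains against that store only. */
    static SSLContext contextFor(KeyStore trust) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Persist the store so Maven can use it via -Djavax.net.ssl.trustStore (password is an assumption). */
    static void save(KeyStore ks, String path, char[] password) throws Exception {
        try (OutputStream out = new FileOutputStream(path)) {
            ks.store(out, password);
        }
    }

    public static void main(String[] args) throws Exception {
        String pem = args.length > 0 ? args[0] : "corp-proxy-ca.pem";             // assumed file name
        String url = args.length > 1 ? args[1]
                                     : "https://oss.sonatype.org/content/groups/public/";
        KeyStore ks = trustStoreWithProxyCa(pem);
        System.out.println("Trust anchors loaded: " + Collections.list(ks.aliases()));

        // One request validated against the scoped store. A chain that does not lead to the
        // proxy CA fails here with the same PKIX exception Maven printed, which is the point.
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(contextFor(ks).getSocketFactory());
        conn.setRequestMethod("HEAD");
        System.out.println("HTTP " + conn.getResponseCode());

        // Show which certificate actually terminated the TLS session: behind an interposing
        // proxy this is the replacement certificate, issued by the CA we just trusted.
        X509Certificate leaf = (X509Certificate) conn.getServerCertificates()[0];
        System.out.println("Leaf subject: " + leaf.getSubjectX500Principal());
        System.out.println("Leaf issuer:  " + leaf.getIssuerX500Principal());

        // Write the store for reuse by Maven (assumed output name and password).
        save(ks, "corp-truststore.jks", "changeit".toCharArray());
    }
}
```

With the saved file in place, the Maven invocation becomes mvn -Djavax.net.ssl.trustStore=corp-truststore.jks -Djavax.net.ssl.trustStorePassword=changeit package (add -Djavax.net.ssl.trustStoreType=JKS if the JDK's default store type differs). The same file can be produced without any Java code by keytool -importcert on the PEM; the program above exists mainly to show what the property actually controls, namely which trust anchors the PKIX path builder may use. Copying the JDK's cacerts into the new store before adding the proxy CA is the variant to use when the build must also reach hosts the proxy does not intercept.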