Java 7 (and above) You can implicitly use the X509ExtendedTrustManager introduced in Java 7 using this (see this answer: SSLParameters sslParams = new SSLParameters(); sslParams.setEndpointIdentificationAlgorithm(“HTTPS”); sslSocket.setSSLParameters(sslParams); // also works on SSLEngine Android I’m less familiar with Android, but Apache HTTP Client should be bundled with it, so it’s not really an additional library. As such, … Read more
I think you want to specify the truststore: java -Djavax.net.ssl.trustStore=/home/gene/mycacerts … Or if you are using certs through JSSE (you probably are), you can copy your truststore to jssecacerts in the $JAVA_HOME/jre/lib/security/ directory (although you’d still have to do that each time a JDK got installed/reinstalled). Sun’s JSSE looks for $JAVA_HOME/jre/lib/security/jssecacerts before $JAVA_HOME/jre/lib/security/cacerts. See http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#X509TrustManager
Rather than mixing runtime and policy file versions, you should use the policy files for Java 7.
You have a typo – it is trustStore. Apart from setting the variables with System.setProperty(..), you can also use -Djavax.net.ssl.keyStore=path/to/keystore.jks
Raz’s answer was a great start, but wasn’t quite flexible enough to meet my needs. The MultiStoreKeyManager explicitly checks the custom KeyManager and then falls back to the jvm KeyManager if an operation fails. I actually want to check jvm certs first; the best solution should be able to handle either case. Additionally, the answer … Read more
From Java™ Secure Socket Extension (JSSE) Reference Guide, TrustManagerFactory uses the following steps to try to find trust material: system property javax.net.ssl.trustStore java-home/lib/security/jssecacerts java-home/lib/security/cacerts (shipped by default) I think this is based on convention over configuration concept. Without extra coding effort, cacert will be used. For extra private CA/Signing certs, a developer either can use … Read more
On Java 1.8 default TLS protocol is v1.2. On Java 1.6 and 1.7 default is obsoleted TLS1.0. I get this error on Java 1.8, because url use old TLS1.0 (like Your – You see ClientHello, TLSv1). To resolve this error You need to use override defaults for Java 1.8. System.setProperty(“https.protocols”, “TLSv1”); More info on the … Read more
I ended up using Jsch- it was pretty straightforward, and seemed to scale up pretty well (I was grabbing a few thousand files every few minutes).
Finally solved it ;). Got a strong hint here (Gandalfs answer touched a bit on it as well). The missing links was (mostly) the first of the parameters below, and to some extent that I overlooked the difference between keystores and truststores. The self-signed server certificate must be imported into a truststore: keytool -import -alias … Read more
There are a few more types than what’s listed in the standard name list you’ve linked to. You can find more in the cryptographic providers documentation. The most common are certainly JKS (the default) and PKCS12 (for PKCS#12 files, often with extension .p12 or sometimes .pfx). JKS is the most common if you stay within … Read more