How to bypass SSL certificate checking in Java?

Image may be NSFW.
Clik here to view.

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are encryption protocols that are commonly used to secure communication over the internet. When a client (e.g. a web browser) communicates with a server using SSL/TLS, the server presents a certificate that the client can use to verify the server’s identity. If the certificate is not valid, the client will usually show a warning and refuse to communicate with the server.

However, there may be times when you need to bypass this certificate validation, for example during testing or when connecting to an internal server with a self-signed certificate. In this post, we will show you how to disable SSL certificate validation in Java.

Why bypassing SSL certificate validation is not recommended

Bypassing SSL certificate validation undermines the security of SSL/TLS encryption. It allows you to connect to a server that could be impersonating another server, which could allow an attacker to intercept and tamper with your communication. Therefore, it is not recommended to disable certificate validation in production systems.

How to bypass SSL certificate validation in Java

Here is an example code that demonstrates how to bypass SSL certificate validation in Java:

CrunchifyBypassSSLCert.java

package crunchify.com.java.tutorials;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import java.security.cert.X509Certificate;

/**
 * @author Crunchify.com
 * Version: 2.1
 * How to bypass SSL certificate checking in Java?
 *
 */

public class CrunchifyBypassSSLCert {

	public static void main(String[] args) {
		crunchifyDisableCertificateValidation();
		crunchifyTestConnection("https://crunchify.com");
	}
	public static void crunchifyDisableCertificateValidation() {
		try {

			// SSLContext: Instances of this class represent a secure socket protocol implementation
			// which acts as a factory for secure socket factories or SSLEngines.
			// This class is initialized with an optional set of key and trust managers and source of secure random bytes.
			SSLContext crunchifySSLC = SSLContext.getInstance("TLS");
			TrustManager[] trustManagerArray = { new NullX509TrustManager() };
			crunchifySSLC.init(null, trustManagerArray, null);
			HttpsURLConnection.setDefaultSSLSocketFactory(crunchifySSLC.getSocketFactory());

		} catch (Exception e) {
			e.printStackTrace();
		}
	}

	private static class NullX509TrustManager implements X509TrustManager {
		public void checkClientTrusted(X509Certificate[] chain, String authType) {
			// do nothing
		}

		public void checkServerTrusted(X509Certificate[] chain, String authType) {
			// do nothing
		}

		public X509Certificate[] getAcceptedIssuers() {
			return new X509Certificate[0];
		}
	}


	public static void crunchifyTestConnection(String crunchifyURL) {
		try {
			URL crunchifySiteURL = new URL(crunchifyURL);

			// HttpsURLConnection extends HttpURLConnection with support for https-specific features.
			HttpsURLConnection connection = (HttpsURLConnection) crunchifySiteURL.openConnection();
			connection.connect();

			// Abstract class for X.509 certificates.
			// This provides a standard way to access all the attributes of an X.509 certificate.
			X509Certificate[] certs = (X509Certificate[]) connection.getServerCertificates();
			for (X509Certificate cert : certs) {
				System.out.println("Here is a Certificate: " + cert.toString());
			}

			BufferedReader in = new BufferedReader(new InputStreamReader(connection.getInputStream()));
			String inputLine;

			System.out.println("Crunchify Response Starts: ");
			while ((inputLine = in.readLine()) != null) {
				System.out.println(inputLine);
			}
			in.close();

			System.out.println("Crunchify Response Code: " + connection.getResponseCode());
		} catch (Exception e) {
			e.printStackTrace();
		}
	}
}

The code creates a custom TrustManager implementation called NullX509TrustManager that simply returns an empty array of accepted issuers.

The disableCertificateValidation method sets this custom trust manager as the default for the HttpsURLConnection class.

IntelliJ IDEA Console Result:

Just run above program as a Java Application and you will see result as below. Here I’m printing Certificate for site https://crunchify.com

Here is a Certificate: [
[
  Version: V3
  Subject: CN=crunchify.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US
  Signature Algorithm: SHA256withECDSA, OID = 1.2.840.10045.4.3.2

  Key:  Sun EC public key, 256 bits
  public x coord: 38529685942248262624712688939942529436235652555283274298255011250522606614918
  public y coord: 29334354097022760577193442773858953165938409689794173149697689580356278546401
  parameters: secp256r1 [NIST P-256,X9.62 prime256v1] (1.2.840.10045.3.1.7)
  Validity: [From: Fri Jul 22 19:00:00 CDT 2022,
               To: Sun Jul 23 18:59:59 CDT 2023]
  Issuer: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
  SerialNumber: [    03c5734c 15f2a24f a8554c49 a0935d45]

Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 82 01 6E 04 82 01 6A   01 68 00 76 00 AD F7 BE  ...n...j.h.v....
0010: FA 7C FF 10 C8 8B 9D 3D   9C 1E 3E 18 6A B4 67 29  .......=..>.j.g)
0020: 5D CF B1 0C 24 CA 85 86   34 EB DC 82 8A 00 00 01  ]...$...4.......
0030: 82 28 D4 6A 70 00 00 04   03 00 47 30 45 02 20 19  .(.jp.....G0E. .
0040: 31 3C 0C 39 7A A9 8E 78   B6 0B B2 37 25 FE 62 23  1<.9z..x...7%.b#
0050: 53 4F 27 75 17 A7 B8 01   FB C4 E6 91 E1 CB 31 02  SO'u..........1.
0060: 21 00 B2 A2 7C 06 26 8E   72 83 02 9A 58 52 0E 31  !.....&.r...XR.1
0070: 99 6F 2C 2A 0C 34 0A B6   34 45 F1 A9 79 A2 4F B7  .o,*.4..4E..y.O.
0080: 8A DB 00 76 00 35 CF 19   1B BF B1 6C 57 BF 0F AD  ...v.5.....lW...
0090: 4C 6D 42 CB BB B6 27 20   26 51 EA 3F E1 2A EF A8  LmB...' &Q.?.*..
00A0: 03 C3 3B D6 4C 00 00 01   82 28 D4 6A 57 00 00 04  ..;.L....(.jW...
00B0: 03 00 47 30 45 02 20 5F   D6 85 1B 65 51 68 C7 BE  ..G0E. _...eQh..
00C0: 5A 77 12 47 98 93 7D F6   18 BB 5E 74 12 62 42 A5  Zw.G......^t.bB.
00D0: 38 95 64 F4 F1 8F CA 02   21 00 DD BD 79 13 78 A7  8.d.....!...y.x.
00E0: E4 A7 A1 9C 40 C2 2E E0   3E DF 16 9F 70 70 E7 A1  ....@...>...pp..
00F0: 78 01 16 3D D1 7B 1C E0   60 1E 00 76 00 B7 3E FB  x..=....`..v..>.
0100: 24 DF 9C 4D BA 75 F2 39   C5 BA 58 F4 6C 5D FC 42  $..M.u.9..X.l].B
0110: CF 7A 9F 35 C4 9E 1D 09   81 25 ED B4 99 00 00 01  .z.5.....%......
0120: 82 28 D4 6A 5B 00 00 04   03 00 47 30 45 02 21 00  .(.j[.....G0E.!.
0130: AA 7C E3 08 41 E7 3B 84   1B B8 FE 06 4B 7C 83 27  ....A.;.....K..'
0140: CF 4A 81 3F 07 D4 32 FC   69 80 22 D5 DC 06 9B D5  .J.?..2.i.".....
0150: 02 20 0B 50 38 88 53 20   A0 A6 CD 6D 88 37 7C 6D  . .P8.S ...m.7.m
0160: E2 E2 8E D9 B1 B7 16 1E   A6 EA 38 C2 D3 D7 9B 48  ..........8....H
0170: 34 3C                                              4<


[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.digicert.com
, 
   accessMethod: caIssuers
   accessLocation: URIName: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt
]
]

[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A5 CE 37 EA EB B0 75 0E   94 67 88 B4 45 FA D9 24  ..7...u..g..E..$
0010: 10 87 96 1F                                        ....
]
]

[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl3.digicert.com/CloudflareIncECCCA-3.crl]
, DistributionPoint:
     [URIName: http://crl4.digicert.com/CloudflareIncECCCA-3.crl]
]]

[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.23.140.1.2.2]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1B 68 74 74 70 3A 2F   2F 77 77 77 2E 64 69 67  ..http://www.dig
0010: 69 63 65 72 74 2E 63 6F   6D 2F 43 50 53           icert.com/CPS

]]  ]
]

[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
]

[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.crunchify.com
  DNSName: crunchify.com
]

[10]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: CF 6E 31 8C 88 C5 ED 09   6D F6 97 57 CE D4 F0 EC  .n1.....m..W....
0010: B5 FD 99 1A                                        ....
]
]

]
  Algorithm: [SHA256withECDSA]
  Signature:
0000: 30 45 02 20 48 32 9D F1   A0 BA 7A 89 0A 69 0E 5A  0E. H2....z..i.Z
0010: D6 50 58 9F B4 89 A8 FF   BE A3 BF 3F 80 6E DD F2  .PX........?.n..
0020: C9 1E BB 04 02 21 00 D3   A8 8F E6 0F 23 E3 59 D7  .....!......#.Y.
0030: 60 3C 74 A7 BF F1 4D 8E   99 0D B9 85 75 15 14 DE  `<t...M.....u...
0040: 6D B4 B4 01 BB E2 6F                               m.....o

]
Here is a Certificate: [
[
  Version: V3
  Subject: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun EC public key, 256 bits
  public x coord: 83984075730615231530440956498748499276900957075036316089284983112230089232319
  public y coord: 84720202049003273739269829519636180374924996951868121119946393481023066512343
  parameters: secp256r1 [NIST P-256,X9.62 prime256v1] (1.2.840.10045.3.1.7)
  Validity: [From: Mon Jan 27 06:48:08 CST 2020,
               To: Tue Dec 31 17:59:59 CST 2024]
  Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
  SerialNumber: [    0a378764 5e5fb48c 224efd1b ed140c3c]

Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.digicert.com
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: E5 9D 59 30 82 47 58 CC   AC FA 08 54 36 86 7B 3A  ..Y0.GX....T6..:
0010: B5 04 4D F0                                        ..M.
]
]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl3.digicert.com/Omniroot2025.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.114412.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 64 69  ..https://www.di
0010: 67 69 63 65 72 74 2E 63   6F 6D 2F 43 50 53        gicert.com/CPS

]]  ]
  [CertificatePolicyId: [2.16.840.1.114412.1.2]
[]  ]
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
  [CertificatePolicyId: [2.23.140.1.2.2]
[]  ]
  [CertificatePolicyId: [2.23.140.1.2.3]
[]  ]
]

[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

[8]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A5 CE 37 EA EB B0 75 0E   94 67 88 B4 45 FA D9 24  ..7...u..g..E..$
0010: 10 87 96 1F                                        ....
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 05 24 1D DD 1B B0 2A EB   98 D6 85 E3 39 4D 5E 6B  .$....*.....9M^k
0010: 57 9D 82 57 FC EB E8 31   A2 57 90 65 05 BE 16 44  W..W...1.W.e...D
0020: 38 5A 77 02 B9 CF 10 42   C6 E1 92 A4 E3 45 27 F8  8Zw....B.....E'.
0030: 00 47 2C 68 A8 56 99 53   54 8F AD 9E 40 C1 D0 0F  .G,h.V.ST...@...
0040: B6 D7 0D 0B 38 48 6C 50   2C 49 90 06 5B 64 1D 8B  ....8HlP,I..[d..
0050: CC 48 30 2E DE 08 E2 9B   49 22 C0 92 0C 11 5E 96  .H0.....I"....^.
0060: 92 94 D5 FC 20 DC 56 6C   E5 92 93 BF 7A 1C C0 37  .... .Vl....z..7
0070: E3 85 49 15 FA 2B E1 74   39 18 0F B7 DA F3 A2 57  ..I..+.t9......W
0080: 58 60 4F CC 8E 94 00 FC   46 7B 34 31 3E 4D 47 82  X`O.....F.41>MG.
0090: 81 3A CB F4 89 5D 0E EF   4D 0D 6E 9C 1B 82 24 DD  .:...]..M.n...$.
00A0: 32 25 5D 11 78 51 10 3D   A0 35 23 04 2F 65 6F 9C  2%].xQ.=.5#./eo.
00B0: C1 D1 43 D7 D0 1E F3 31   67 59 27 DD 6B D2 75 09  ..C....1gY'.k.u.
00C0: 93 11 24 24 14 CF 29 BE   E6 23 C3 B8 8F 72 3F E9  ..$$..)..#...r?.
00D0: 07 C8 24 44 53 7A B3 B9   61 65 A1 4C 0E C6 48 00  ..$DSz..ae.L..H.
00E0: C9 75 63 05 87 70 45 52   83 D3 95 9D 45 EA F0 E8  .uc..pER....E...
00F0: 31 1D 7E 09 1F 0A FE 3E   DD AA 3C 5E 74 D2 AC B1  1......>..<^t...

]

Bypassing SSL certificate validation is not recommended for production systems because it undermines the security of SSL/TLS encryption.

However, it may be necessary for testing purposes.

The code shown in this post demonstrates how to disable certificate validation in Java, but keep in mind that this should only be used for testing purposes and not in production systems.

Image may be NSFW.
Clik here to view.

Let me know if you face any issue running this code.

The post How to bypass SSL certificate checking in Java? appeared first on Crunchify.