[jetty-users] Trusting all certificates after upgrade to Jetty 9

In a recent upgrade from Jetty 8 (8.1.8.v20121106) to Jetty 9 (9.2.13.v20150730), it seems that code for trusting all SSL certificates is no longer working.

We do not always want to trust all certificates and so cannot use the SSLContextFactory(trustAll) constructor. 


After the application is up and running, there may be a specific use case in which the user will need to start trusting all certificates, in which case an all-trusting TrustManager is set up:

    // Create a trust manager that does not validate certificate chains
    TrustManager[] trustAllCerts = new TrustManager[]{
        new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];
            }

            public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
            }

            public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
            }
        }};

    // Install the all-trusting trust manager
    SSLContext sc = SSLContext.getInstance("SSL");
    sc.init(null, trustAllCerts, null);
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

    // Create all-trusting host name verifier
    HostnameVerifier allHostsValid = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    };

    // Install the all-trusting host verifier
    HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);

    // set flag to true so that the process is not repeated
    sslDisabled = true;


Is there something specific with this version that will cause this not to work anymore?

Thanks,

Melissa
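
A narrower way to handle the on-demand case described in the message above, shown as an added example that is not part of the original post and is not Jetty code: validate against the JVM trust store first, fall back only to an explicit certificate pin, and attach the result to a single connection instead of the JVM-wide `HttpsURLConnection` defaults. The class name `PinnedFallbackTrust`, the `open` helper, the host name and the all-zero pin are assumptions made for illustration.

```java
import java.net.*;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

// Hypothetical class: normal validation first, an explicit pin list as the only exception.
public class PinnedFallbackTrust implements X509TrustManager {
    private final X509TrustManager jvmDefault;
    private final Set<String> pins; // Base64 SHA-256 of the DER-encoded server certificate
    PinnedFallbackTrust(Set<String> pins) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM's default trust store
        this.jvmDefault = (X509TrustManager) tmf.getTrustManagers()[0];
        this.pins = pins;
    }

    static String fingerprint(X509Certificate cert) throws CertificateException {
        try {
            return Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()));
        } catch (NoSuchAlgorithmException e) { throw new CertificateException(e); }
    }

    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try {
            jvmDefault.checkServerTrusted(chain, authType);
        } catch (CertificateException e) {
            // Accept only an exact match on the leaf certificate; otherwise keep the failure.
            if (chain.length == 0 || !pins.contains(fingerprint(chain[0]))) throw e;
        }
    }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        jvmDefault.checkClientTrusted(chain, authType);
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return jvmDefault.getAcceptedIssuers(); }

    // Applies the relaxed trust to one connection; the JVM-wide defaults stay untouched.
    static HttpsURLConnection open(URL url, Set<String> pins) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{new PinnedFallbackTrust(pins)}, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection(); // does not connect yet
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn; // hostname verification keeps its default behaviour
    }

    public static void main(String[] args) throws Exception { // constructed host and pin; nothing is sent
        Set<String> pins = Collections.singleton(Base64.getEncoder().encodeToString(new byte[32]));
        HttpsURLConnection conn = open(URI.create("https://device.example.invalid/").toURL(), pins);
        System.out.println(conn.getSSLSocketFactory() != HttpsURLConnection.getDefaultSSLSocketFactory());
    }
}
```

Every other HTTPS connection in the process keeps full chain and hostname validation, and removing the pin from the set restores it for this one as well.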

