ssl - SSLSocketFactory in java

Question

What role does SSLSocketFactory class in java play when using HttpsURLConnection? The java docs is not of much help.

Are there any ways to bind the keystore and the truststore to with the sslsocketfactory object, to make it point to the keystore and the truststore?

Otherwise how will the connection know the location of the keystore and the truststore(I don't want to use java System Properties)?

Answer 1

It is done through SSLContext. You init one and then use it's socket factory to create HttpsConnection instances.

Here is rough example of how I manage this in my application:

SSLContext sc = SSLContext.getInstance("SSL");
sc.init(myKeyManagerFactory.getKeyManagers(), myTrustManagerArray, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

after that your openConnection() calls for https sites will use the sslsocketfactory you initialized here.

Here code for TrustManager to use in your ssl context wich will trust all certificates:

TrustManager[] myTrustManagerArray = new TrustManager[]{new TrustEveryoneManager()};

class TrustEveryoneManager implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] arg0, String arg1){}
    public void checkServerTrusted(X509Certificate[] arg0, String arg1){}
    public X509Certificate[] getAcceptedIssuers() {
        return null;
    }
}

Upd from Bruno: beware, trusting any certificate, however convenient it is, makes the connection vulnerable to MITM attacks