By default the Spring RestTempalte and the swagger OpenAPI client does an SSL check. This is usually not required on the test system, as so the goal is to remove the SSL check from the Spring Boot Rest Template.

Remote host closed connection during handshake; nested exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

RestTemplate

@Bean
public RestTemplate restTemplate() throws KeyManagementException, NoSuchAlgorithmException, KeyStoreException {
    final RestTemplate restTemplate = new RestTemplate(sslFactory());
    return restTemplate;
}

@Bean
public HttpComponentsClientHttpRequestFactory sslFactory() throws KeyManagementException, NoSuchAlgorithmException, KeyStoreException {
    final TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;

    final SSLContext sslContext = org.apache.http.ssl.SSLContexts.custom()
                    .loadTrustMaterial(null, acceptingTrustStrategy)
                    .build();

    final SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext);

    final CloseableHttpClient httpClient = HttpClients.custom()
                    .setMaxConnPerRoute(250)
                    .setMaxConnTotal(250)
                    .setSSLSocketFactory(csf)
                    // during the SSL check we have also the verification of the host name,
                    // this can be skipped to like this:
                    .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
                    .build();

    final HttpComponentsClientHttpRequestFactory requestFactory =
                    new HttpComponentsClientHttpRequestFactory();

    requestFactory.setHttpClient(httpClient);

    return requestFactory;
}

Apache HTTP Client pom.xml

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>

<dependency>
    <groupId>org.apache.httpcomponents</groupId>
    <artifactId>httpclient</artifactId>
</dependency>

Swagger OpenAPI Client

Furthermore sometimes it is required to remove the SSL check from the OpenAPI Swagger ApiClient.

Use the Spring RestTemplate for Swagger Client

Add the following flag: -Dio.swagger.parser.util.RemoteUrl.trustAll=true 

Configure Swagger Client

// If a using spring rest template assign here the RestTemplate
final XyzApi result = new XyzApi(new ApiClient(restTemplate));

<plugin>
    <groupId>org.openapitools</groupId>
    <artifactId>openapi-generator-maven-plugin</artifactId>
    <executions>
        <execution>
            <id>xyz-client</id>
          <goals>
            <goal>generate</goal>
          </goals>
          <configuration>
          	    <!-- use Spring RestTemaplte, optional -->
                <library>resttemplate</library>
	            <!-- skip SSL check -->
                <environmentVariables>
                    <io.swagger.parser.util.RemoteUrl.trustAll>true</io.swagger.parser.util.RemoteUrl.trustAll>
                </environmentVariables>

Links

• https://pragmaticintegrator.wordpress.com/2017/08/13/small-hack-to-avoid-ssl-validation-in-spring-resttemplate/
• http://progressivecoder.com/avoid-ssl-validation-spring-boot-resttemplate/
• https://dev.to/mnpaa/disable-skip-ssl-validation-in-springboot-resttemplate-1ec2
• https://github.com/swagger-api/swagger-codegen/wiki/FAQ#is-there-a-way-to-disable-certificate-verification

Often we want to connect to create a secure SSL connection to an HTTPs endpoint which is secured by a self-signed Certificate. If we do so just with a simple call we usually face an nice exception like:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
	at sun.security.validator.Validator.validate(Validator.java:260)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1479)
	... 47 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
	... 53 more

Solution

Often I see that either somebody uses an trust all or just overwrites the default Socket Factory (HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory())).  This is maybe okay for just a test but should be used in production-ready code.

Overall it is simple to fix it. We just need to know how the stuff works. In short, we have usually always:

• SSLSocketFactory — creates the Socket connection in case of an SSL connection
• SSLContext — responsible for the verification of the certificate

Export Certificate

First, we need to get the certificate. Either use Firefox to download it or the command line:

openssl s_client -connect google.de:443 -showcerts

The pem file is here e.g.:

-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----

Create SSLContext including the Certificate

You can either import this pem file into your trust store or just create the trust store using the pem on the fly:

public static SSLContext buildSslContext(InputStream... inputStreams) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
  X509Certificate cert;
  KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
  trustStore.load(null);

  for (InputStream inputStream : inputStreams) {
    try {
      CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
      cert = (X509Certificate)certificateFactory.generateCertificate(inputStream);
    } finally {
      IOUtils.closeQuietly(inputStream);
    }
    String alias = cert.getSubjectX500Principal().getName();
    trustStore.setCertificateEntry(alias, cert);
  }

  TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
  tmf.init(trustStore);
  TrustManager[] trustManagers = tmf.getTrustManagers();
  SSLContext sslContext = SSLContext.getInstance("TLS");
  sslContext.init(null, trustManagers, null);

  return sslContext;
}

Put the SSLSocketFactory together

I assume the pem file is in the source folder here, for maven src/main/resources.

SSLContext sslContext = CryptoUtil.buildSslContext(
  this.getClass().getResourceAsStream("/my-cert.pem"));
SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext);

Now we have the SSLSocketFactory, lets put it to use.

Use the SSLConnectionSocketFactory

Here I will use the created socket factory to configure the Apache HTTP client and use it again in the Spring RestTemplate:

// this two lines are just repeated from above
SSLContext sslContext = CryptoUtil.buildSslContext(this.getClass().getResourceAsStream("/beta-comfylight-cert.pem"));
SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext);

// here we create the Http Client using our SSL Socket Factory and so trust relation
CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(csf).build();
HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory();
requestFactory.setHttpClient(httpClient);

// create the spring REST Template using our apache HTTP client
RestTemplate restTemplate = new RestTemplate(requestFactory);

Summary

What have we achieved now?

• We have an SSL Socket Factory which just trust our „server“ / „certificate“
• We haven’t overwritten any default socket factory in the application, which could cause problems in other subsystems as we then just trust „us“
• We haven’t used a trust all, which would be fine for a test but would render the SSL encryption useless in production (man in the middle attack…)