A sample how to configure Apache HTTPClient (4.+) to accept SSL connections *without* certificate and hostname validation

InsecureHttpClient.java

package net.hausherr.sample;

import org.apache.http.client.CookieStore;
import org.apache.http.conn.routing.HttpRoute;
import org.apache.http.conn.routing.HttpRoutePlanner;
import org.apache.http.conn.scheme.PlainSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.TrustStrategy;
import org.apache.http.cookie.Cookie;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.BasicCookieStore;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.protocol.HttpContext;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import org.apache.log4j.Logger;

/**
 * <p>Sample factory for building a HttpClient that configures a HttpClient 
 * instance to store cookies and to accept SSLcertificates without HostName validation.</p>
 * <p>You obviously should not use this class in production, but it may come handy when 
 * developing with internal Servers using self-signed certificates.</p>
 */
public class InsecureHttpClientFactory {
    protected Logger log = Logger.getLogger(this.getClass());
    public DefaultHttpClient build HttpClient() {
		hc = new DefaultHttpClient();
		configureProxy();
		configureCookieStore();
		configureSSLHandling();
		return hc;
	}
       
        private void configureProxy() {
                HttpHost proxy = new HttpHost("proxy.example.org", 3182);
                hc.getParams().setParameter(ConnRoutePNames.DEFAULT_PROXY, proxy);
        }

	private void configureCookieStore() {
		CookieStore cStore = new BasicCookieStore();
		hc.setCookieStore(cStore);
	}

	private void configureSSLHandling() {
		Scheme http = new Scheme("http", 80, PlainSocketFactory.getSocketFactory());
		SSLSocketFactory sf = buildSSLSocketFactory();
		Scheme https = new Scheme("https", 443, sf);
		SchemeRegistry sr = hc.getConnectionManager().getSchemeRegistry();
		sr.register(http);
		sr.register(https);
	}

	private SSLSocketFactory buildSSLSocketFactory() {
		TrustStrategy ts = new TrustStrategy() {
			@Override
			public boolean isTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
				return true; // heck yea!
			}
		};

		SSLSocketFactory sf = null;

		try {
			/* build socket factory with hostname verification turned off. */
			sf = new SSLSocketFactory(ts, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
		} catch (NoSuchAlgorithmException e) {
			log.error("Failed to initialize SSL handling.", e);
		} catch (KeyManagementException e) {
			log.error("Failed to initialize SSL handling.", e);
		} catch (KeyStoreException e) {
			log.error("Failed to initialize SSL handling.", e);
		} catch (UnrecoverableKeyException e) {
			log.error("Failed to initialize SSL handling.", e);
		}

		return sf;
	}

}

Thanks! :)
Excellent example, just what I was looking for.

P.S. configureProxy() seems to be missing though...

I added a simple proxy configuration sample.

By the way, the documentation and tutorial at the HttpClient website is an extremly valuable resource. I usually find a solution to a particular problem by looking there. This gist is mostly a combination of multiple snippets found there.

Looks good - however most of these classes have been deprecated in 4.3.x - so the example is a bit out of date.
Cheers,
Eugen.

+1 @eugenp. @jabbrwcky do you work on a 4.3.x example ?

why the file is named InsecureHttpClient.java while you are defining InsecureHttpClientFactory ?

insecure because this not the recommended way to skip certificates for production environment. this is good for development and testing environments.