
Is initializing SSLContext with KeyManager and TrustManager as null harmful? Does it still do SSL handshakes?


I am very new to working with SSL certificates in Java. By default Java 8 uses TLSv1.2, but for some reason the app that I work on needs to set the SSLContext to TLSv1.2 explicitly. Here I found clear steps. But they require an array of KeyManager and an array of TrustManager, and it looks like it will take me more time to understand what these are and how they work. Sure, I will learn it, but for a quick solution I use the code below and it works. But is this harmful? Does it still do SSL handshakes and create a secure communication?

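   // Request a TLSv1.2 context; the KeyManager[] and TrustManager[] arguments are null
   SSLContext sc = SSLContext.getInstance("TLSv1.2");
   sc.init(null, null, new java.security.SecureRandom());
   // Make every new HttpsURLConnection use this context's socket factory
   HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());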
 

Solution

  • There is no point in initializing an SSLContext without truststore or keystore managers. The main reason for using an HTTPS connection is its SSL/TLS connection, which is much more secure due to its enhanced security.

    With that being said, the Javadoc clearly mentions either of the first two parameters has to be set.
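
For reference, the Javadoc of `SSLContext.init` states that either of the first two parameters may be null, in which case the installed security providers are searched for the highest-priority implementation of the appropriate factory. The following is an added example, not part of the question or the answer above; it assumes the default JSSE provider, and the class name `NullManagersDemo` and the host `example.test` are made up. It builds the context from the question next to one that spells out the default trust managers and prints what each side ends up with, without opening a network connection:

```java
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class NullManagersDemo {
    public static void main(String[] args) throws Exception {
        // Same call as in the question: null key managers, null trust managers.
        SSLContext implicit = SSLContext.getInstance("TLSv1.2");
        implicit.init(null, null, new SecureRandom());

        // Spelled-out form of the null trust-manager argument: a factory
        // initialised with a null KeyStore loads the default trust store
        // (javax.net.ssl.trustStore if set, otherwise the JRE's cacerts).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        TrustManager[] defaults = tmf.getTrustManagers();

        // Null key managers stay null: no client certificate is configured,
        // which only matters when the server asks for mutual TLS.
        SSLContext explicit = SSLContext.getInstance("TLSv1.2");
        explicit.init(null, defaults, new SecureRandom());

        // Show that the default trust managers carry real trust anchors.
        for (TrustManager tm : defaults) {
            if (tm instanceof X509TrustManager) {
                int n = ((X509TrustManager) tm).getAcceptedIssuers().length;
                System.out.println("Default trust anchors: " + n);
            }
        }

        // Protocol versions a client engine from each context will offer.
        for (SSLContext ctx : new SSLContext[] { implicit, explicit }) {
            SSLEngine engine = ctx.createSSLEngine("example.test", 443);
            engine.setUseClientMode(true);
            System.out.println("Enabled protocols: "
                    + Arrays.toString(engine.getEnabledProtocols()));
        }
    }
}
```

A non-zero trust-anchor count means server certificates are still validated against the default CA set during the handshake; hostname checking for `HttpsURLConnection` is done separately by its `HostnameVerifier`.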