Trust all certificates with CXF

In development environments it is handy if CXF SOAP calls over HTTPS don't complain about invalid certificates. In plain Java code doing an HTTPS GET, this is done with

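import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
   public X509Certificate[] getAcceptedIssuers() {
      return new X509Certificate[0]; // the interface requires a non-null array
   }

   public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {}

   public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {}
} };

SSLContext sslContext = SSLContext.getInstance("SSL");
sslContext.init(null, trustAllCerts, new SecureRandom());
// Install as the JVM-wide default for HttpsURLConnection
HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());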

And for the hostname checking:

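HostnameVerifier hostnameVerifier = new HostnameVerifier() {
   public boolean verify(String hostname, SSLSession session) {
      return true; // every hostname is accepted
   }
};
HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier);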

After this, any certificate for any host is accepted:

URL url = new URL("https://localhost");
URLConnection connection = url.openConnection();
InputStream inputStream = connection.getInputStream();
InputStreamReader reader = new InputStreamReader(inputStream);
while (true) {
   int ch = reader.read();
   if (ch == -1) break;
   System.out.print((char) ch);
}

But CXF by default overrides this, so it has to be told to use the HttpsURLConnection defaults.

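Client client = ClientProxy.getClient(port);
HTTPConduit conduit = (HTTPConduit)client.getConduit();
TLSClientParameters tlsParams = new TLSClientParameters();
tlsParams.setUseHttpsURLConnectionDefaultSslSocketFactory(true);
tlsParams.setUseHttpsURLConnectionDefaultHostnameVerifier(true);
conduit.setTlsClientParameters(tlsParams);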

Note: Don't do this in production. With this code, Man-In-The-Middle attacks are easy to do and so the connection can't be trusted anymore!!!
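
A narrower option for development, as an added example that is not part of the original post: trust only the development server's own certificate (or its private CA) and leave hostname checking on, so nothing JVM-wide is weakened. The class name DevTrust, its method names and the certPath argument are assumptions for illustration, and the certificate is assumed to carry a subject alternative name matching the host being called.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

// Hypothetical helper class, not part of CXF or of the original post.
public final class DevTrust {
   private DevTrust() {}

   // Build trust managers that accept only the certificate(s) in a PEM or DER file.
   static TrustManager[] trustOnly(String certPath) throws Exception {
      KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
      store.load(null, null); // empty in-memory store: the JDK's default CAs are not included
      CertificateFactory factory = CertificateFactory.getInstance("X.509");
      int count = 0;
      try (InputStream in = Files.newInputStream(Paths.get(certPath))) {
         for (Certificate cert : factory.generateCertificates(in)) {
            store.setCertificateEntry("dev-" + count++, cert);
         }
      }
      if (count == 0) {
         throw new IllegalArgumentException("no certificates found in " + certPath);
      }
      TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
      tmf.init(store);
      return tmf.getTrustManagers();
   }

   // Apply the restricted trust store to one CXF client proxy only.
   static void configure(Object port, String certPath) throws Exception {
      Client client = ClientProxy.getClient(port);
      HTTPConduit conduit = (HTTPConduit) client.getConduit();
      TLSClientParameters tlsParams = new TLSClientParameters();
      tlsParams.setTrustManagers(trustOnly(certPath));
      // disableCNCheck stays at its default (false), so the hostname is still verified.
      conduit.setTlsClientParameters(tlsParams);
   }
}
```

Because the trust managers are set on the conduit of a single client, other HTTPS connections in the same JVM keep the normal certificate and hostname checks.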