Using RestAssured’s ‘useRelaxedHTTPSValidation’ setting can hide server certificate problems, so critical mistakes go unnoticed. Use the following code to explicitly allow any ‘difficult’ certificates and add additional certificate validation instead.
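import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.http.conn.ssl.SSLSocketFactory;
import io.restassured.RestAssured; // io.restassured package names (REST Assured 3+) are assumed here
import static io.restassured.config.SSLConfig.sslConfig;

// Load the server certificate that the tests should trust (TestData is a project helper class).
X509Certificate certificate = (X509Certificate) CertificateFactory
        .getInstance("X.509")
        .generateCertificate(TestData.getInstance().getFileFromResourceAsStream("a_certificate.der"));
// Build an empty trust store and add only that certificate to it.
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(null, null);
keyStore.setCertificateEntry("server", certificate);
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(keyStore);
// Create a TLS context whose trust decisions come from that trust store alone.
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, trustManagerFactory.getTrustManagers(), null);
// SSLSocketFactory is deprecated, but still used by RestAssured.
SSLSocketFactory sslSocketFactory = new SSLSocketFactory(sslContext);
RestAssured.config = RestAssured.config().sslConfig(sslConfig().with().sslSocketFactory(sslSocketFactory));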
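
One form the additional certificate validation mentioned above could take, as an added example that is not part of the original post: before the certificate goes into the trust store, compare its SHA-256 fingerprint with a recorded value and check its validity period. The class name `PinnedCertificateChecks`, the methods `sha256Hex` and `problems`, and the 30-day threshold are assumptions; so that the demo runs offline, `main` uses the first CA certificate from the JDK's default trust store as a stand-in for `a_certificate.der`.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class PinnedCertificateChecks {

    // SHA-256 over the certificate's DER encoding, as lower-case hex.
    static String sha256Hex(X509Certificate cert) throws Exception {
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    // Returns every reason the certificate should not be pinned; an empty list means it passed.
    static List<String> problems(X509Certificate cert, String expectedSha256, int minDaysLeft) throws Exception {
        List<String> found = new ArrayList<>();
        if (!sha256Hex(cert).equalsIgnoreCase(expectedSha256)) {
            found.add("fingerprint mismatch for " + cert.getSubjectX500Principal().getName());
        }
        try {
            cert.checkValidity(); // throws if expired or not yet valid at this moment
        } catch (CertificateException e) {
            found.add("outside validity period: " + e.getMessage());
        }
        if (cert.getNotAfter().toInstant().isBefore(Instant.now().plus(Duration.ofDays(minDaysLeft)))) {
            found.add("expires within " + minDaysLeft + " days: " + cert.getNotAfter());
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        // Stand-in input (assumption): first CA certificate in the JDK's default trust store.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509Certificate cert = ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers()[0];

        String recorded = sha256Hex(cert); // in a real test: a constant recorded when the file was checked in
        System.out.println("recorded fingerprint:  " + problems(cert, recorded, 30));
        System.out.println("different fingerprint: " + problems(cert, "00", 30));
    }
}
```

In a test suite, `problems(certificate, recordedFingerprint, 30)` would be asserted empty right after the certificate is loaded, so a swapped or soon-to-expire file fails the build instead of being trusted silently.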