Indeed. To add insult to injury, Java's handling of SSL trust verification is a complex beast that is hard to get right.
To mitigate the problem at least a little, you have to jump through hoops. <shamelessplug>I had to write my own (MIT licensed) lib to allow for SSH-style "ask on first use" behavior, which I needed for an XMPP client: https://github.com/ge0rg/memorizingtrustmanager </shamelessplug>
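Added example, not code from the comment or from the linked library: the shape of an SSH-style "ask on first use" X509TrustManager in Java. It defers to the platform CA store first, then to a file of previously accepted leaf-certificate SHA-256 fingerprints, and only then asks the user; the store path and the UserPrompt callback are assumptions.

```java
import java.io.IOException;
import java.nio.file.*;
import java.security.*;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;

// Trust-on-first-use X509TrustManager: accept anything the platform CA store
// trusts; otherwise accept a leaf whose SHA-256 fingerprint the user already
// approved; otherwise ask the user once and remember the answer on disk.
public final class TofuTrustManager implements X509TrustManager {
    public interface UserPrompt { boolean acceptUnknown(X509Certificate leaf, String sha256Hex); }
    private final X509TrustManager platform;   // default CA-based trust
    private final Path store;                  // assumed layout: one hex fingerprint per line
    private final Set<String> memorized = new HashSet<>();
    private final UserPrompt prompt;           // assumed UI hook (dialog, console, ...)

    public TofuTrustManager(Path store, UserPrompt prompt) throws GeneralSecurityException, IOException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);             // null KeyStore = platform default anchors
        this.platform = (X509TrustManager) tmf.getTrustManagers()[0];
        this.store = store;
        this.prompt = prompt;
        if (Files.exists(store)) memorized.addAll(Files.readAllLines(store));
    }

    static String fingerprint(X509Certificate c) throws CertificateException {
        try {
            StringBuilder sb = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(c.getEncoded()))
                sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) { throw new CertificateException(e); }
    }

    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try { platform.checkServerTrusted(chain, authType); return; }    // CA-trusted: nothing to ask
        catch (CertificateException notCaTrusted) {
            String fp = fingerprint(chain[0]);                           // pin the leaf, not the CA
            if (memorized.contains(fp)) return;                          // approved on an earlier run
            if (!prompt.acceptUnknown(chain[0], fp)) throw notCaTrusted; // user declined: fail closed
            memorized.add(fp);
            try { Files.write(store, Collections.singletonList(fp), StandardOpenOption.CREATE, StandardOpenOption.APPEND); }
            catch (IOException e) { throw new CertificateException("cannot persist fingerprint", e); }
        }
    }
    // Client-auth and accepted issuers stay with the platform manager.
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platform.checkClientTrusted(chain, authType);
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }
}
```

Install it with `SSLContext.init(null, new TrustManager[]{tm}, null)`; note that a trust manager only validates the chain, so identity (hostname) verification is a separate step that a raw SSLSocket does not perform unless you enable it.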