[JBoss JIRA] (JBIDE-14768) Inform users about invalid SSL certificates and allow them to accept/refuse them
by Andre Dietisheim (JIRA)
Andre Dietisheim created JBIDE-14768:
----------------------------------------
Summary: Inform users about invalid SSL certificates and allow them to accept/refuse them
Key: JBIDE-14768
URL: https://issues.jboss.org/browse/JBIDE-14768
Project: Tools (JBoss Tools)
Issue Type: Enhancement
Components: openshift
Affects Versions: 4.1.0.Beta2
Reporter: Andre Dietisheim
Assignee: Andre Dietisheim
Fix For: 4.1.x
The openshift-java-client currently disables the checks for SSL certificates since those prevented users from connecting to internal/private OpenShift instances:
{code:title=UrlConnectionHttpClient}
private HttpURLConnection createConnection(String userAgent, URL url) throws IOException {
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
if (isHttps(url)
&& !doSSLChecks) {
HttpsURLConnection httpsConnection = (HttpsURLConnection) connection;
httpsConnection.setHostnameVerifier(new NoopHostnameVerifier());
setPermissiveSSLSocketFactory(httpsConnection);
}
private boolean isHttps(URL url) {
return "https".equals(url.getProtocol());
}
/**
* Sets a trust manager that will always trust.
* <p>
* TODO: dont swallog exceptions and setup things so that they dont disturb other components.
*/
private void setPermissiveSSLSocketFactory(HttpsURLConnection connection) {
try {
SSLContext sslContext = SSLContext.getInstance("SSL");
sslContext.init(new KeyManager[0], new TrustManager[] { new PermissiveTrustManager() }, new SecureRandom());
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
((HttpsURLConnection) connection).setSSLSocketFactory(socketFactory);
} catch (KeyManagementException e) {
// ignore
} catch (NoSuchAlgorithmException e) {
// ignore
}
}
private static class PermissiveTrustManager implements X509TrustManager {
public X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkServerTrusted(X509Certificate[] chain,
String authType) throws CertificateException {
}
public void checkClientTrusted(X509Certificate[] chain,
String authType) throws CertificateException {
}
}
private static class NoopHostnameVerifier implements HostnameVerifier {
public boolean verify(String hostname, SSLSession sslSession) {
return true;
}
}
{code}
We should not simply disable these SSL checks but allow users to accept/refuse them via a dialog
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
12 years, 10 months
[JBoss JIRA] (JBIDE-14768) Inform users about invalid SSL certificates and allow them to accept/refuse them
by Andre Dietisheim (JIRA)
[ https://issues.jboss.org/browse/JBIDE-14768?page=com.atlassian.jira.plugi... ]
Andre Dietisheim updated JBIDE-14768:
-------------------------------------
Description:
In JBIDE-10447 the openshift-java-client disabled the checks for SSL certificates since those prevented users from connecting to internal/private OpenShift instances:
{code:title=UrlConnectionHttpClient}
private HttpURLConnection createConnection(String userAgent, URL url) throws IOException {
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
if (isHttps(url)
&& !doSSLChecks) {
HttpsURLConnection httpsConnection = (HttpsURLConnection) connection;
httpsConnection.setHostnameVerifier(new NoopHostnameVerifier());
setPermissiveSSLSocketFactory(httpsConnection);
}
private boolean isHttps(URL url) {
return "https".equals(url.getProtocol());
}
/**
* Sets a trust manager that will always trust.
* <p>
* TODO: dont swallog exceptions and setup things so that they dont disturb other components.
*/
private void setPermissiveSSLSocketFactory(HttpsURLConnection connection) {
try {
SSLContext sslContext = SSLContext.getInstance("SSL");
sslContext.init(new KeyManager[0], new TrustManager[] { new PermissiveTrustManager() }, new SecureRandom());
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
((HttpsURLConnection) connection).setSSLSocketFactory(socketFactory);
} catch (KeyManagementException e) {
// ignore
} catch (NoSuchAlgorithmException e) {
// ignore
}
}
private static class PermissiveTrustManager implements X509TrustManager {
public X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkServerTrusted(X509Certificate[] chain,
String authType) throws CertificateException {
}
public void checkClientTrusted(X509Certificate[] chain,
String authType) throws CertificateException {
}
}
private static class NoopHostnameVerifier implements HostnameVerifier {
public boolean verify(String hostname, SSLSession sslSession) {
return true;
}
}
{code}
We should not simply disable these SSL checks but allow users to accept/refuse them via a dialog
was:
The openshift-java-client currently disables the checks for SSL certificates since those prevented users from connecting to internal/private OpenShift instances:
{code:title=UrlConnectionHttpClient}
private HttpURLConnection createConnection(String userAgent, URL url) throws IOException {
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
if (isHttps(url)
&& !doSSLChecks) {
HttpsURLConnection httpsConnection = (HttpsURLConnection) connection;
httpsConnection.setHostnameVerifier(new NoopHostnameVerifier());
setPermissiveSSLSocketFactory(httpsConnection);
}
private boolean isHttps(URL url) {
return "https".equals(url.getProtocol());
}
/**
* Sets a trust manager that will always trust.
* <p>
* TODO: dont swallog exceptions and setup things so that they dont disturb other components.
*/
private void setPermissiveSSLSocketFactory(HttpsURLConnection connection) {
try {
SSLContext sslContext = SSLContext.getInstance("SSL");
sslContext.init(new KeyManager[0], new TrustManager[] { new PermissiveTrustManager() }, new SecureRandom());
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
((HttpsURLConnection) connection).setSSLSocketFactory(socketFactory);
} catch (KeyManagementException e) {
// ignore
} catch (NoSuchAlgorithmException e) {
// ignore
}
}
private static class PermissiveTrustManager implements X509TrustManager {
public X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkServerTrusted(X509Certificate[] chain,
String authType) throws CertificateException {
}
public void checkClientTrusted(X509Certificate[] chain,
String authType) throws CertificateException {
}
}
private static class NoopHostnameVerifier implements HostnameVerifier {
public boolean verify(String hostname, SSLSession sslSession) {
return true;
}
}
{code}
We should not simply disable these SSL checks but allow users to accept/refuse them via a dialog
> Inform users about invalid SSL certificates and allow them to accept/refuse them
> ---------------------------------------------------------------------------------
>
> Key: JBIDE-14768
> URL: https://issues.jboss.org/browse/JBIDE-14768
> Project: Tools (JBoss Tools)
> Issue Type: Enhancement
> Components: openshift
> Affects Versions: 4.1.0.Beta2
> Reporter: Andre Dietisheim
> Assignee: Andre Dietisheim
> Fix For: 4.1.x
>
>
> In JBIDE-10447 the openshift-java-client disabled the checks for SSL certificates since those prevented users from connecting to internal/private OpenShift instances:
> {code:title=UrlConnectionHttpClient}
> private HttpURLConnection createConnection(String userAgent, URL url) throws IOException {
> HttpURLConnection connection = (HttpURLConnection) url.openConnection();
> if (isHttps(url)
> && !doSSLChecks) {
> HttpsURLConnection httpsConnection = (HttpsURLConnection) connection;
> httpsConnection.setHostnameVerifier(new NoopHostnameVerifier());
> setPermissiveSSLSocketFactory(httpsConnection);
> }
> private boolean isHttps(URL url) {
> return "https".equals(url.getProtocol());
> }
> /**
> * Sets a trust manager that will always trust.
> * <p>
> * TODO: dont swallog exceptions and setup things so that they dont disturb other components.
> */
> private void setPermissiveSSLSocketFactory(HttpsURLConnection connection) {
> try {
> SSLContext sslContext = SSLContext.getInstance("SSL");
> sslContext.init(new KeyManager[0], new TrustManager[] { new PermissiveTrustManager() }, new SecureRandom());
> SSLSocketFactory socketFactory = sslContext.getSocketFactory();
> ((HttpsURLConnection) connection).setSSLSocketFactory(socketFactory);
> } catch (KeyManagementException e) {
> // ignore
> } catch (NoSuchAlgorithmException e) {
> // ignore
> }
> }
> private static class PermissiveTrustManager implements X509TrustManager {
> public X509Certificate[] getAcceptedIssuers() {
> return null;
> }
> public void checkServerTrusted(X509Certificate[] chain,
> String authType) throws CertificateException {
> }
> public void checkClientTrusted(X509Certificate[] chain,
> String authType) throws CertificateException {
> }
> }
> private static class NoopHostnameVerifier implements HostnameVerifier {
> public boolean verify(String hostname, SSLSession sslSession) {
> return true;
> }
> }
> {code}
> We should not simply disable these SSL checks but allow users to accept/refuse them via a dialog
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
12 years, 10 months
[JBoss JIRA] (JBIDE-14767) openshift-java-client: remove code that disables SNI checks with JDK7
by Andre Dietisheim (JIRA)
[ https://issues.jboss.org/browse/JBIDE-14767?page=com.atlassian.jira.plugi... ]
Andre Dietisheim updated JBIDE-14767:
-------------------------------------
Description:
The UrlConnectionHttpClient tries to disable SNI checks that cause the HttpUrlConnection when handshaking SSL with hosts that dont have a valid hostname/alias:
*javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name* (JBIDE-14760)
!ssl-handshake-error.png!
The openshift-java-client currently sets the system property (https://github.com/adietish/openshift-java-client/blob/master/src/main/ja...):
{code: title=UrlConnectionHttpClient}
// JDK7 bug workaround
System.setProperty(SYSPROP_ENABLE_SNI_EXTENSION, "false");
{code}
This "fix" is very bad since it turns these checks off in the whole JVM. Furthermore it has no effects since it would only affect SSL libraries that are loaded after that system property was set.
So the only valid fix in Eclipse is to either connect to OpenShift Enterprise instances via IP-address or to turn SNI-checks off globally in *eclipse.ini/jbdevstudio.ini*:
{code}
-Djsse.enableSNIExtension=false
{code}
was:
The UrlConnectionHttpClient tries to disable SNI checks that cause the HttpUrlConnection when handshaking SSL with hosts that dont have a valid hostname/alias:
*javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name* (JBIDE-14760)
The openshift-java-client currently sets the system property (https://github.com/adietish/openshift-java-client/blob/master/src/main/ja...):
{code: title=UrlConnectionHttpClient}
// JDK7 bug workaround
System.setProperty(SYSPROP_ENABLE_SNI_EXTENSION, "false");
{code}
This "fix" is very bad since it turns these checks off in the whole JVM. Furthermore it has no effects since it would only affect SSL libraries that are loaded after that system property was set.
So the only valid fix in Eclipse is to either connect to OpenShift Enterprise instances via IP-address or to turn SNI-checks off globally in *eclipse.ini/jbdevstudio.ini*:
{code}
-Djsse.enableSNIExtension=false
{code}
> openshift-java-client: remove code that disables SNI checks with JDK7
> ---------------------------------------------------------------------
>
> Key: JBIDE-14767
> URL: https://issues.jboss.org/browse/JBIDE-14767
> Project: Tools (JBoss Tools)
> Issue Type: Enhancement
> Components: openshift
> Affects Versions: 4.1.0.Beta2
> Reporter: Andre Dietisheim
> Assignee: Andre Dietisheim
> Priority: Critical
> Fix For: 4.1.0.Beta2
>
> Attachments: ssl-handshake-error.png
>
>
> The UrlConnectionHttpClient tries to disable SNI checks that cause the HttpUrlConnection when handshaking SSL with hosts that dont have a valid hostname/alias:
> *javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name* (JBIDE-14760)
> !ssl-handshake-error.png!
> The openshift-java-client currently sets the system property (https://github.com/adietish/openshift-java-client/blob/master/src/main/ja...):
> {code: title=UrlConnectionHttpClient}
> // JDK7 bug workaround
> System.setProperty(SYSPROP_ENABLE_SNI_EXTENSION, "false");
> {code}
> This "fix" is very bad since it turns these checks off in the whole JVM. Furthermore it has no effects since it would only affect SSL libraries that are loaded after that system property was set.
> So the only valid fix in Eclipse is to either connect to OpenShift Enterprise instances via IP-address or to turn SNI-checks off globally in *eclipse.ini/jbdevstudio.ini*:
> {code}
> -Djsse.enableSNIExtension=false
> {code}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
12 years, 10 months
[JBoss JIRA] (JBIDE-14767) openshift-java-client: remove code that disables SNI checks with JDK7
by Andre Dietisheim (JIRA)
[ https://issues.jboss.org/browse/JBIDE-14767?page=com.atlassian.jira.plugi... ]
Andre Dietisheim updated JBIDE-14767:
-------------------------------------
Description:
The UrlConnectionHttpClient tries to disable SNI checks that cause the HttpUrlConnection when handshaking SSL with hosts that dont have a valid hostname/alias:
*javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name* (JBIDE-14760)
!ssl-handshake-error.png!
The openshift-java-client currently sets the system property (https://github.com/adietish/openshift-java-client/blob/master/src/main/ja...):
{code: title=UrlConnectionHttpClient}
// JDK7 bug workaround
System.setProperty(SYSPROP_ENABLE_SNI_EXTENSION, "false");
{code}
This "fix" is very bad since it turns these checks off in the whole JVM. Furthermore it has no effects since it would only affect SSL libraries that are loaded after that system property was set.
So the only valid fix in Eclipse is to either connect to OpenShift Enterprise instances via IP-address or to turn SNI-checks off globally in *eclipse.ini/jbdevstudio.ini*:
{code}
-Djsse.enableSNIExtension=false
{code}
We have to remove the above code that set the system property.
was:
The UrlConnectionHttpClient tries to disable SNI checks that cause the HttpUrlConnection when handshaking SSL with hosts that dont have a valid hostname/alias:
*javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name* (JBIDE-14760)
!ssl-handshake-error.png!
The openshift-java-client currently sets the system property (https://github.com/adietish/openshift-java-client/blob/master/src/main/ja...):
{code: title=UrlConnectionHttpClient}
// JDK7 bug workaround
System.setProperty(SYSPROP_ENABLE_SNI_EXTENSION, "false");
{code}
This "fix" is very bad since it turns these checks off in the whole JVM. Furthermore it has no effects since it would only affect SSL libraries that are loaded after that system property was set.
So the only valid fix in Eclipse is to either connect to OpenShift Enterprise instances via IP-address or to turn SNI-checks off globally in *eclipse.ini/jbdevstudio.ini*:
{code}
-Djsse.enableSNIExtension=false
{code}
> openshift-java-client: remove code that disables SNI checks with JDK7
> ---------------------------------------------------------------------
>
> Key: JBIDE-14767
> URL: https://issues.jboss.org/browse/JBIDE-14767
> Project: Tools (JBoss Tools)
> Issue Type: Enhancement
> Components: openshift
> Affects Versions: 4.1.0.Beta2
> Reporter: Andre Dietisheim
> Assignee: Andre Dietisheim
> Priority: Critical
> Fix For: 4.1.0.Beta2
>
> Attachments: ssl-handshake-error.png
>
>
> The UrlConnectionHttpClient tries to disable SNI checks that cause the HttpUrlConnection when handshaking SSL with hosts that dont have a valid hostname/alias:
> *javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name* (JBIDE-14760)
> !ssl-handshake-error.png!
> The openshift-java-client currently sets the system property (https://github.com/adietish/openshift-java-client/blob/master/src/main/ja...):
> {code: title=UrlConnectionHttpClient}
> // JDK7 bug workaround
> System.setProperty(SYSPROP_ENABLE_SNI_EXTENSION, "false");
> {code}
> This "fix" is very bad since it turns these checks off in the whole JVM. Furthermore it has no effects since it would only affect SSL libraries that are loaded after that system property was set.
> So the only valid fix in Eclipse is to either connect to OpenShift Enterprise instances via IP-address or to turn SNI-checks off globally in *eclipse.ini/jbdevstudio.ini*:
> {code}
> -Djsse.enableSNIExtension=false
> {code}
> We have to remove the above code that set the system property.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
12 years, 10 months
[JBoss JIRA] (JBIDE-14767) openshift-java-client: remove code that disables SNI checks with JDK7
by Andre Dietisheim (JIRA)
[ https://issues.jboss.org/browse/JBIDE-14767?page=com.atlassian.jira.plugi... ]
Andre Dietisheim updated JBIDE-14767:
-------------------------------------
Description:
The UrlConnectionHttpClient tries to disable SNI checks that cause the HttpUrlConnection when handshaking SSL with hosts that dont have a valid hostname/alias:
*javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name* (JBIDE-14760)
The openshift-java-client currently sets the system property (https://github.com/adietish/openshift-java-client/blob/master/src/main/ja...):
{code: title=UrlConnectionHttpClient}
// JDK7 bug workaround
System.setProperty(SYSPROP_ENABLE_SNI_EXTENSION, "false");
{code}
This "fix" is very bad since it turns these checks off in the whole JVM. Furthermore it has no effects since it would only affect SSL libraries that are loaded after that system property was set.
So the only valid fix in Eclipse is to either connect to OpenShift Enterprise instances via IP-address or to turn SNI-checks off globally in *eclipse.ini/jbdevstudio.ini*:
{code}
-Djsse.enableSNIExtension=false
{code}
was:
The UrlConnectionHttpClient tries to disable SNI checks that cause the HttpUrlConnection when handshaking SSL with hosts that dont have a valid hostname/alias:
*javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name* (JBIDE-14760)
The openshift-java-client currently sets the system property (https://github.com/adietish/openshift-java-client/blob/master/src/main/ja...) but it has no effect since it is not the first one to do SSL connections in Eclipse:
{code: title=UrlConnectionHttpClient}
// JDK7 bug workaround
System.setProperty(SYSPROP_ENABLE_SNI_EXTENSION, "false");
{code}
So the only valid fix in Eclipse is to either connect to OpenShift Enterprise instances via IP-address or to turn SNI-checks off globally in *eclipse.ini/jbdevstudio.ini*:
{code}
-Djsse.enableSNIExtension=false
{code}
> openshift-java-client: remove code that disables SNI checks with JDK7
> ---------------------------------------------------------------------
>
> Key: JBIDE-14767
> URL: https://issues.jboss.org/browse/JBIDE-14767
> Project: Tools (JBoss Tools)
> Issue Type: Enhancement
> Components: openshift
> Affects Versions: 4.1.0.Beta2
> Reporter: Andre Dietisheim
> Assignee: Andre Dietisheim
> Priority: Critical
> Fix For: 4.1.0.Beta2
>
> Attachments: ssl-handshake-error.png
>
>
> The UrlConnectionHttpClient tries to disable SNI checks that cause the HttpUrlConnection when handshaking SSL with hosts that dont have a valid hostname/alias:
> *javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name* (JBIDE-14760)
> The openshift-java-client currently sets the system property (https://github.com/adietish/openshift-java-client/blob/master/src/main/ja...):
> {code: title=UrlConnectionHttpClient}
> // JDK7 bug workaround
> System.setProperty(SYSPROP_ENABLE_SNI_EXTENSION, "false");
> {code}
> This "fix" is very bad since it turns these checks off in the whole JVM. Furthermore it has no effects since it would only affect SSL libraries that are loaded after that system property was set.
> So the only valid fix in Eclipse is to either connect to OpenShift Enterprise instances via IP-address or to turn SNI-checks off globally in *eclipse.ini/jbdevstudio.ini*:
> {code}
> -Djsse.enableSNIExtension=false
> {code}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
12 years, 10 months
[JBoss JIRA] (JBIDE-14767) openshift-java-client: remove code that disables SNI checks with JDK7
by Andre Dietisheim (JIRA)
[ https://issues.jboss.org/browse/JBIDE-14767?page=com.atlassian.jira.plugi... ]
Andre Dietisheim updated JBIDE-14767:
-------------------------------------
Attachment: ssl-handshake-error.png
> openshift-java-client: remove code that disables SNI checks with JDK7
> ---------------------------------------------------------------------
>
> Key: JBIDE-14767
> URL: https://issues.jboss.org/browse/JBIDE-14767
> Project: Tools (JBoss Tools)
> Issue Type: Enhancement
> Components: openshift
> Affects Versions: 4.1.0.Beta2
> Reporter: Andre Dietisheim
> Assignee: Andre Dietisheim
> Priority: Critical
> Fix For: 4.1.0.Beta2
>
> Attachments: ssl-handshake-error.png
>
>
> The UrlConnectionHttpClient tries to disable SNI checks that cause the HttpUrlConnection when handshaking SSL with hosts that dont have a valid hostname/alias:
> *javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name* (JBIDE-14760)
> The openshift-java-client currently sets the system property (https://github.com/adietish/openshift-java-client/blob/master/src/main/ja...):
> {code: title=UrlConnectionHttpClient}
> // JDK7 bug workaround
> System.setProperty(SYSPROP_ENABLE_SNI_EXTENSION, "false");
> {code}
> This "fix" is very bad since it turns these checks off in the whole JVM. Furthermore it has no effects since it would only affect SSL libraries that are loaded after that system property was set.
> So the only valid fix in Eclipse is to either connect to OpenShift Enterprise instances via IP-address or to turn SNI-checks off globally in *eclipse.ini/jbdevstudio.ini*:
> {code}
> -Djsse.enableSNIExtension=false
> {code}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
12 years, 10 months
[JBoss JIRA] (JBIDE-14767) openshift-java-client: remove code that disables SNI checks with JDK7
by Andre Dietisheim (JIRA)
Andre Dietisheim created JBIDE-14767:
----------------------------------------
Summary: openshift-java-client: remove code that disables SNI checks with JDK7
Key: JBIDE-14767
URL: https://issues.jboss.org/browse/JBIDE-14767
Project: Tools (JBoss Tools)
Issue Type: Enhancement
Components: openshift
Affects Versions: 4.1.0.Beta2
Reporter: Andre Dietisheim
Assignee: Andre Dietisheim
Fix For: 4.1.0.Beta2
The UrlConnectionHttpClient tries to disable SNI checks that cause the HttpUrlConnection when handshaking SSL with hosts that dont have a valid hostname/alias:
*javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name* (JBIDE-14760)
The openshift-java-client currently sets the system property (https://github.com/adietish/openshift-java-client/blob/master/src/main/ja...) but it has no effect since it is not the first one to do SSL connections in Eclipse:
{code: title=UrlConnectionHttpClient}
// JDK7 bug workaround
System.setProperty(SYSPROP_ENABLE_SNI_EXTENSION, "false");
{code}
So the only valid fix in Eclipse is to either connect to OpenShift Enterprise instances via IP-address or to turn SNI-checks off globally in *eclipse.ini/jbdevstudio.ini*:
{code}
-Djsse.enableSNIExtension=false
{code}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
12 years, 10 months
[JBoss JIRA] (JBIDE-14767) openshift-java-client: remove code that disables SNI checks with JDK7
by Andre Dietisheim (JIRA)
[ https://issues.jboss.org/browse/JBIDE-14767?page=com.atlassian.jira.plugi... ]
Andre Dietisheim updated JBIDE-14767:
-------------------------------------
Priority: Critical (was: Major)
> openshift-java-client: remove code that disables SNI checks with JDK7
> ---------------------------------------------------------------------
>
> Key: JBIDE-14767
> URL: https://issues.jboss.org/browse/JBIDE-14767
> Project: Tools (JBoss Tools)
> Issue Type: Enhancement
> Components: openshift
> Affects Versions: 4.1.0.Beta2
> Reporter: Andre Dietisheim
> Assignee: Andre Dietisheim
> Priority: Critical
> Fix For: 4.1.0.Beta2
>
>
> The UrlConnectionHttpClient tries to disable SNI checks that cause the HttpUrlConnection when handshaking SSL with hosts that dont have a valid hostname/alias:
> *javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name* (JBIDE-14760)
> The openshift-java-client currently sets the system property (https://github.com/adietish/openshift-java-client/blob/master/src/main/ja...) but it has no effect since it is not the first one to do SSL connections in Eclipse:
> {code: title=UrlConnectionHttpClient}
> // JDK7 bug workaround
> System.setProperty(SYSPROP_ENABLE_SNI_EXTENSION, "false");
> {code}
> So the only valid fix in Eclipse is to either connect to OpenShift Enterprise instances via IP-address or to turn SNI-checks off globally in *eclipse.ini/jbdevstudio.ini*:
> {code}
> -Djsse.enableSNIExtension=false
> {code}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
12 years, 10 months