[JBoss JIRA] (JBIDE-19594) SSL callback: provide meaningful hostname verifier, stop always accepting hostnames

Wednesday, 18 April 2018

     [
https://issues.jboss.org/browse/JBIDE-19594?page=com.atlassian.jira.plugi...
]

Jeff MAURY updated JBIDE-19594:
-------------------------------
    Fix Version/s: 4.6.x
                       (was: 4.5.x)

...
 SSL callback: provide meaningful hostname verifier, stop always
accepting hostnames
 -----------------------------------------------------------------------------------

                 Key: JBIDE-19594
                 URL: https://issues.jboss.org/browse/JBIDE-19594
             Project: Tools (JBoss Tools)
          Issue Type: Enhancement
          Components: openshift
    Affects Versions: 4.3.0.Alpha2
            Reporter: Andre Dietisheim
              Labels: connection
             Fix For: 4.6.x

 We're currently using an SSL callback that will allow users to get informed and act
upon "faulty" certificates (ex. self-signed ones) and mismatches btw. the host
we're talking to and the one that is referenced in the ssl certificate:
 {code:title=com.openshift.client.IHttpClient.ISSLCertificateCallback}
 public interface ISSLCertificateCallback {
 		public boolean allowCertificate(X509Certificate[] chain);
 		public boolean allowHostname(String hostname, SSLSession session); 
 	}
 {code}
 The callback that we are using in JBT is presenting a dialog in case the jdk cannot
verify the certificate (ex. self signed certificates) and allows the user to accept/deny
it.
 In case the jdk cannot verify the hostname (the host we're talking to is not matching
the host that's referenced in the certificate) we're currently always accepting
the hostname:

{code:title=org.jboss.tools.openshift.express.internal.ui.wizard.connection.SSLCertificateCallback}
 	@Override
 	public boolean allowHostname(String hostname, SSLSession sslSession) {
 		return true;
 	}
 {code}
 We should find a meaningfull implementation of such a verification that does not simply
always accept it. A first idea would be to present the mismatch to the user and allow it
to accept/refute it.
 This issue came up JBIDE-19581 when there was no callback installed which made the
hostname verification fail as in jdk. When fetching the quickstarts OSJC is reaching out
to https://hub.openshift.com (https://hub.openshift.com/api/v1/quickstarts/promoted.json)
while the ssl certificate presented only covers openshift.redhat.com:
 {code}
 * Server certificate:
 * 	subject: CN=openshift.redhat.com,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US
 * 	start date: Jul 23 00:00:00 2014 GMT
 * 	expire date: Jul 27 12:00:00 2017 GMT
 * 	common name: openshift.redhat.com
 * 	issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert
Inc,C=US
 {code} 

--
This message was sent by Atlassian JIRA
(v7.5.0#75005)

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006