[jbosstools-issues] [JBoss JIRA] (JBIDE-14768) Inform users about invalid SSL certificates and allow them to accept/refuse them

Andre Dietisheim (JIRA) jira-events at lists.jboss.org
Wed Jun 5 18:56:54 EDT 2013


Andre Dietisheim created JBIDE-14768:
----------------------------------------

             Summary: Inform users about invalid SSL certificates and allow them to accept/refuse them 
                 Key: JBIDE-14768
                 URL: https://issues.jboss.org/browse/JBIDE-14768
             Project: Tools (JBoss Tools)
          Issue Type: Enhancement
          Components: openshift
    Affects Versions: 4.1.0.Beta2
            Reporter: Andre Dietisheim
            Assignee: Andre Dietisheim
             Fix For: 4.1.x


The openshift-java-client currently disables the checks for SSL certificates since those prevented users from connecting to internal/private OpenShift instances:

{code:title=UrlConnectionHttpClient}
private HttpURLConnection createConnection(String userAgent, URL url) throws IOException {
	HttpURLConnection connection = (HttpURLConnection) url.openConnection();
	if (isHttps(url)
			&& !doSSLChecks) {
		HttpsURLConnection httpsConnection = (HttpsURLConnection) connection;
		httpsConnection.setHostnameVerifier(new NoopHostnameVerifier());
		setPermissiveSSLSocketFactory(httpsConnection);
	}
	// ... (remaining connection setup is not shown in this issue)
	return connection;
}

	private boolean isHttps(URL url) {
		return "https".equals(url.getProtocol());
	}

	/**
	 * Sets a trust manager that will always trust.
	 * <p>
	 * TODO: don't swallow exceptions and set things up so that they don't disturb other components.
	 */
	private void setPermissiveSSLSocketFactory(HttpsURLConnection connection) {
		try {
			SSLContext sslContext = SSLContext.getInstance("SSL");
			sslContext.init(new KeyManager[0], new TrustManager[] { new PermissiveTrustManager() }, new SecureRandom());
			SSLSocketFactory socketFactory = sslContext.getSocketFactory();
			((HttpsURLConnection) connection).setSSLSocketFactory(socketFactory);
		} catch (KeyManagementException e) {
			// ignore
		} catch (NoSuchAlgorithmException e) {
			// ignore
		}
	}

	private static class PermissiveTrustManager implements X509TrustManager {

		public X509Certificate[] getAcceptedIssuers() {
			return null;
		}

		public void checkServerTrusted(X509Certificate[] chain,
				String authType) throws CertificateException {
		}

		public void checkClientTrusted(X509Certificate[] chain,
				String authType) throws CertificateException {
		}
	}

	private static class NoopHostnameVerifier implements HostnameVerifier {

		public boolean verify(String hostname, SSLSession sslSession) {
			return true;
		}
	}
{code}

We should not simply disable these SSL checks but allow users to accept/refuse them via a dialog.

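The accept/refuse behaviour this issue asks for could be built on a trust manager that runs the normal platform validation first and consults the user only when that validation fails. The following is an added sketch, not code from openshift-java-client or JBoss Tools; the class `PromptingTrustManager`, the `CertificatePrompt` callback and `newContext()` are hypothetical names.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Hypothetical sketch: validate against the platform trust store, ask the user only on failure. */
public class PromptingTrustManager implements X509TrustManager {
    /** Hypothetical callback; a UI would implement it with an accept/refuse dialog. */
    public interface CertificatePrompt {
        boolean accept(X509Certificate[] chain, CertificateException reason);
    }

    private final X509TrustManager platform;
    private final CertificatePrompt prompt;

    public PromptingTrustManager(CertificatePrompt prompt) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JRE's default trust store
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (found == null && tm instanceof X509TrustManager) found = (X509TrustManager) tm;
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        this.platform = found;
        this.prompt = prompt;
    }

    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try {
            platform.checkServerTrusted(chain, authType); // regular chain validation comes first
        } catch (CertificateException e) {
            if (!prompt.accept(chain, e)) throw e; // user refused: the handshake fails as usual
        }
    }

    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platform.checkClientTrusted(chain, authType);
    }

    public X509Certificate[] getAcceptedIssuers() {
        return platform.getAcceptedIssuers();
    }

    /** Context for a single connection, so the JVM-wide default socket factory is left untouched. */
    public SSLContext newContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { this }, null);
        return ctx;
    }
}
```

The socket factory from `newContext()` would be set on the individual `HttpsURLConnection` only. Because no `HostnameVerifier` is replaced, host-name mismatches are still rejected by the default verifier.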