[jbosstools-issues] [JBoss JIRA] (JBIDE-14768) Connection dialog: Inform users about invalid SSL certificates and allow them to accept/refuse them

Andre Dietisheim (JIRA) issues at jboss.org
Wed Feb 5 15:56:28 EST 2014


    [ https://issues.jboss.org/browse/JBIDE-14768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12941668#comment-12941668 ] 

Andre Dietisheim commented on JBIDE-14768:
------------------------------------------

[~fbricon] thanks for the input! For the sake of simplicity, and because I don't really like opening dialogs on top of dialogs, I'll go for #1.
                
> Connection dialog: Inform users about invalid SSL certificates and allow them to accept/refuse them 
> ----------------------------------------------------------------------------------------------------
>
>                 Key: JBIDE-14768
>                 URL: https://issues.jboss.org/browse/JBIDE-14768
>             Project: Tools (JBoss Tools)
>          Issue Type: Enhancement
>          Components: openshift
>    Affects Versions: 4.1.0.Beta2
>            Reporter: Andre Dietisheim
>            Assignee: Andre Dietisheim
>            Priority: Critical
>              Labels: connection_wizard
>             Fix For: 4.2.x
>
>         Attachments: certificate-dialog.png
>
>
> In JBIDE-10447 the openshift-java-client disabled the checks for SSL certificates since those prevented users from connecting to internal/private OpenShift instances:
> {code:title=UrlConnectionHttpClient}
> private HttpURLConnection createConnection(String userAgent, URL url) throws IOException {
> 	HttpURLConnection connection = (HttpURLConnection) url.openConnection();
> 	if (isHttps(url)
> 			&& !doSSLChecks) {
> 		HttpsURLConnection httpsConnection = (HttpsURLConnection) connection;
> 		httpsConnection.setHostnameVerifier(new NoopHostnameVerifier());
> 		setPermissiveSSLSocketFactory(httpsConnection);
> 	}
> 	// remainder of the method is not shown in this excerpt
> 	return connection;
> }
> 	private boolean isHttps(URL url) {
> 		return "https".equals(url.getProtocol());
> 	}
> 	/**
> 	 * Sets a trust manager that will always trust.
> 	 * <p>
> 	 * TODO: don't swallow exceptions and set up things so that they don't disturb other components.
> 	 */
> 	private void setPermissiveSSLSocketFactory(HttpsURLConnection connection) {
> 		try {
> 			SSLContext sslContext = SSLContext.getInstance("SSL");
> 			sslContext.init(new KeyManager[0], new TrustManager[] { new PermissiveTrustManager() }, new SecureRandom());
> 			SSLSocketFactory socketFactory = sslContext.getSocketFactory();
> 			((HttpsURLConnection) connection).setSSLSocketFactory(socketFactory);
> 		} catch (KeyManagementException e) {
> 			// ignore
> 		} catch (NoSuchAlgorithmException e) {
> 			// ignore
> 		}
> 	}
> 	private static class PermissiveTrustManager implements X509TrustManager {
> 		public X509Certificate[] getAcceptedIssuers() {
> 			return null;
> 		}
> 		public void checkServerTrusted(X509Certificate[] chain,
> 				String authType) throws CertificateException {
> 		}
> 		public void checkClientTrusted(X509Certificate[] chain,
> 				String authType) throws CertificateException {
> 		}
> 	}
> 	private static class NoopHostnameVerifier implements HostnameVerifier {
> 		public boolean verify(String hostname, SSLSession sslSession) {
> 			return true;
> 		}
> 	}
> {code}
> We should not simply disable these SSL checks but allow users to accept/refuse them via a dialog.

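As an added illustration of the behaviour the issue asks for (not code from openshift-java-client or JBoss Tools): a trust manager that runs the JVM's default certificate validation and consults the user only when that validation fails. `CertificateDecision` and `AskingTrustManager` are hypothetical names, and the dialog itself is assumed to be supplied by the caller.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

/** Hypothetical callback: the UI shows the certificate and returns the user's choice. */
interface CertificateDecision {
	boolean accept(X509Certificate serverCert, String sha256, CertificateException reason);
}

/** Validates against the JVM's default trust store and asks the user only on failure. */
class AskingTrustManager implements X509TrustManager {
	private final X509TrustManager defaults;
	private final CertificateDecision decision;

	AskingTrustManager(CertificateDecision decision) throws Exception {
		TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
		tmf.init((KeyStore) null); // null selects the JVM's default trust store
		X509TrustManager found = null;
		for (TrustManager tm : tmf.getTrustManagers())
			if (tm instanceof X509TrustManager) found = (X509TrustManager) tm;
		if (found == null) throw new IllegalStateException("no default X509TrustManager");
		this.defaults = found;
		this.decision = decision;
	}
	public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
		try {
			defaults.checkServerTrusted(chain, authType);
		} catch (CertificateException e) {
			// Untrusted chain: show the leaf certificate; a refusal fails closed.
			if (!decision.accept(chain[0], sha256(chain[0]), e)) throw e;
		}
	}
	public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
		defaults.checkClientTrusted(chain, authType);
	}
	public X509Certificate[] getAcceptedIssuers() { return defaults.getAcceptedIssuers(); }

	/** Hex SHA-256 fingerprint of the encoded certificate, for display in the dialog. */
	static String sha256(X509Certificate cert) throws CertificateException {
		try {
			StringBuilder hex = new StringBuilder();
			for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()))
				hex.append(String.format("%02X", b));
			return hex.toString();
		} catch (NoSuchAlgorithmException e) { throw new CertificateException(e); }
	}
}
```

To use it, pass `new TrustManager[] { new AskingTrustManager(decision) }` to `SSLContext.init` on a `"TLS"` context and set the resulting socket factory on the `HttpsURLConnection`. Do not install a no-op `HostnameVerifier` alongside it, so that host name checking stays on even for a certificate the user accepted.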