gerrit-rest-java-client icon indicating copy to clipboard operation
gerrit-rest-java-client copied to clipboard

Published 20 hours ago verified publisher icon uwolfer

Cannot skip SSL certs that are signed by an untrusted authority and not self signed

Open jpopadak opened this issue 9 years ago • 4 comments

Basically need this same commit that you did for IntelliJ plugin, but for the library.

https://github.com/uwolfer/gerrit-intellij-plugin/commit/b4825726f1e2e8a24278f1428072c59fc5e3d62b

jpopadak avatar May 03 '16 18:05 jpopadak

@jpopadak: I think you can do that by adding your own HttpClientBuilderExtension like this: CertificateManagerClientBuilderExtension. Then you can pass it to GerritRestApiFactory#create(GerritAuthData, HttpClientBuilderExtension...).

Does that help? If that works, you could post your code so it would probably help others.

uwolfer avatar May 03 '16 18:05 uwolfer

I did end up doing that. But it would be really useful to just have some sort of fallback like inside of the IntelliJ plugin where we can set it to skip SSL checks.

    /*
     * This entire class is just so we skip the error we are getting from Gerrit about SSL certs
     */
    private class SkipSslChecksHttpClientBuilderExtension extends HttpClientBuilderExtension {
        @Override
        public HttpClientBuilder extend(
            HttpClientBuilder httpClientBuilder, GerritAuthData authData)
        {
            try {
                SSLContextBuilder sslContextBuilder = new SSLContextBuilder();

                sslContextBuilder.loadTrustMaterial(null, new TrustSelfSignedStrategy() {
                    @Override
                    public boolean isTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException
                    {
                        // Always trust the cert no matter what
                        return true;
                    }
                });

                SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(
                    sslContextBuilder.build(), SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);

                Registry<ConnectionSocketFactory> socketFactoryRegistry =
                    RegistryBuilder.<ConnectionSocketFactory>create()
                        .register("https", sslConnectionSocketFactory)
                        .build();

                PoolingHttpClientConnectionManager connectionManager = new PoolingHttpClientConnectionManager(
                    socketFactoryRegistry);
                httpClientBuilder.setConnectionManager(connectionManager);
            }
            catch (KeyManagementException | NoSuchAlgorithmException | KeyStoreException ex) {
                throw new RuntimeException("Failed to set a new connection manager to skip SSL " +
                    "verification for HttpClientBuilder.", ex);
            }
            return httpClientBuilder;
        }
    }

jpopadak avatar May 03 '16 19:05 jpopadak

I probably could include such an implementation, but it should IMHO not be enabled by default. Skipping invalid / self signed certs should be a decision made by every developer itself.

uwolfer avatar May 03 '16 19:05 uwolfer

Of course, this would only be a last resort sort of thing. Always want SSL to be verified by default.

jpopadak avatar May 03 '16 20:05 jpopadak