- Enhancement
- Resolution: Done
- Critical
- 4.1.0.Beta2

In JBIDE-10447 the openshift-java-client disabled the checks for SSL certificates since those prevented users from connecting to internal/private OpenShift instances:

```java
private HttpURLConnection createConnection(String userAgent, URL url) throws IOException {
    HttpURLConnection connection = (HttpURLConnection) url.openConnection();
    if (isHttps(url) && !doSSLChecks) {
        // Checks disabled: any hostname and any certificate chain is accepted.
        HttpsURLConnection httpsConnection = (HttpsURLConnection) connection;
        httpsConnection.setHostnameVerifier(new NoopHostnameVerifier());
        setPermissiveSSLSocketFactory(httpsConnection);
    }
    // The rest of the method is not quoted in this issue.
    return connection;
}

private boolean isHttps(URL url) {
    return "https".equals(url.getProtocol());
}

/**
 * Sets a trust manager that will always trust.
 * <p>
 * TODO: don't swallow exceptions and setup things so that they don't disturb other components.
 */
private void setPermissiveSSLSocketFactory(HttpsURLConnection connection) {
    try {
        SSLContext sslContext = SSLContext.getInstance("SSL");
        sslContext.init(new KeyManager[0], new TrustManager[] { new PermissiveTrustManager() }, new SecureRandom());
        SSLSocketFactory socketFactory = sslContext.getSocketFactory();
        ((HttpsURLConnection) connection).setSSLSocketFactory(socketFactory);
    } catch (KeyManagementException e) {
        // ignore
    } catch (NoSuchAlgorithmException e) {
        // ignore
    }
}

// Trust manager whose checks never throw, so every certificate chain passes.
private static class PermissiveTrustManager implements X509TrustManager {
    public X509Certificate[] getAcceptedIssuers() {
        return null;
    }

    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
    }

    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
    }
}

// Hostname verifier that accepts every hostname, whatever the certificate says.
private static class NoopHostnameVerifier implements HostnameVerifier {
    public boolean verify(String hostname, SSLSession sslSession) {
        return true;
    }
}
```

We should not simply disable these SSL checks but allow users to accept/refuse them via a dialog.
blocks:
- JBIDE-16444 Connection wizard: save accepted certificates in the Eclipse preferences and allow users to inspect/revoke them (Closed)
- JBIDE-16517 SSL Certificate dialog: need to show to what server we're connecting (Reopened)

is blocked by:
- OSJC-96 Allow users to refuse/allow "invalid" SSL Certificates (Resolved)

is related to:
- JBIDE-10447 Cannot connect to Dev environment with JBoss Tools OpenShift Tooling (Closed)
- JBIDE-14760 Cannot connect to OpenShift Enterprise with hostname: javax.net.ssl.SSLProtocolException (WATCHER) (Closed)
- JBIDE-15594 Cannot connect to OpenShift DEVENV with hostname: javax.net.ssl.SSLProtocolException (Closed)