Tools (JBoss Tools) / JBIDE-14768

Connection dialog: Inform users about invalid SSL certificates and allow them to accept/refuse them


      In JBIDE-10447 the openshift-java-client disabled the checks for SSL certificates since those prevented users from connecting to internal/private OpenShift instances:

      UrlConnectionHttpClient
      private HttpURLConnection createConnection(String userAgent, URL url) throws IOException {
      	HttpURLConnection connection = (HttpURLConnection) url.openConnection();
      	// Insecure: with doSSLChecks off, hostname verification and certificate validation are both disabled.
      	if (isHttps(url)
      			&& !doSSLChecks) {
      		HttpsURLConnection httpsConnection = (HttpsURLConnection) connection;
      		httpsConnection.setHostnameVerifier(new NoopHostnameVerifier());
      		setPermissiveSSLSocketFactory(httpsConnection);
      	}
      	// remaining connection setup is not shown in this excerpt
      	return connection;
      }
      
      	private boolean isHttps(URL url) {
      		return "https".equals(url.getProtocol());
      	}
      
      	/**
      	 * Sets a trust manager that will always trust.
      	 * <p>
      	 * TODO: don't swallow exceptions and set things up so that they don't disturb other components.
      	 */
      	private void setPermissiveSSLSocketFactory(HttpsURLConnection connection) {
      		try {
      			SSLContext sslContext = SSLContext.getInstance("SSL");
      			sslContext.init(new KeyManager[0], new TrustManager[] { new PermissiveTrustManager() }, new SecureRandom());
      			SSLSocketFactory socketFactory = sslContext.getSocketFactory();
      			((HttpsURLConnection) connection).setSSLSocketFactory(socketFactory);
      		} catch (KeyManagementException e) {
      			// ignore
      		} catch (NoSuchAlgorithmException e) {
      			// ignore
      		}
      	}
      
      	private static class PermissiveTrustManager implements X509TrustManager {
      
      		public X509Certificate[] getAcceptedIssuers() {
      			return null;
      		}
      
      		public void checkServerTrusted(X509Certificate[] chain,
      				String authType) throws CertificateException {
      		}
      
      		public void checkClientTrusted(X509Certificate[] chain,
      				String authType) throws CertificateException {
      		}
      	}
      
      	private static class NoopHostnameVerifier implements HostnameVerifier {
      
      		public boolean verify(String hostname, SSLSession sslSession) {
      			return true;
      		}
      	}
      

      We should not simply disable these SSL checks but allow users to accept/refuse them via a dialog.

        1. accept-certificate.png
          50 kB
          André Dietisheim
        2. certificate-dialog.png
          48 kB
          André Dietisheim

              adietish@redhat.com André Dietisheim
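
One way to implement the accept/refuse flow requested in the description, as an added example that is not code from openshift-java-client: a trust manager that validates against the JRE default trust store first and consults the user only when that validation fails. `CertificatePrompt`, `PromptingTrustManager` and `sha256Hex` are hypothetical names; the dialog itself is assumed to implement `CertificatePrompt`.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.*;

/** Hypothetical callback that the connection dialog would implement. */
interface CertificatePrompt {
    boolean accept(X509Certificate cert, String sha256Hex, String reason);
}

/** Checks the JRE default trust store first and asks the user only when that check fails. */
class PromptingTrustManager implements X509TrustManager {
    private final X509TrustManager platform;
    private final CertificatePrompt prompt;

    PromptingTrustManager(CertificatePrompt prompt) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default trust store
        this.platform = (X509TrustManager) Arrays.stream(tmf.getTrustManagers())
                .filter(tm -> tm instanceof X509TrustManager).findFirst()
                .orElseThrow(() -> new IllegalStateException("no X509TrustManager"));
        this.prompt = prompt;
    }

    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try {
            platform.checkServerTrusted(chain, authType);
        } catch (CertificateException e) {
            // chain[0] is the server's own certificate; a refusal rethrows and aborts the handshake.
            if (!prompt.accept(chain[0], sha256Hex(chain[0]), e.getMessage())) throw e;
        }
    }

    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platform.checkClientTrusted(chain, authType);
    }
    public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }

    /** SHA-256 fingerprint of the DER encoding, for the user to compare out of band. */
    static String sha256Hex(X509Certificate cert) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            return String.format("%064x", new BigInteger(1, digest));
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }
}
```

It would be installed per connection through an `SSLContext` initialised with this trust manager, in the place where `setPermissiveSSLSocketFactory` currently installs `PermissiveTrustManager`. The default `HostnameVerifier` stays in place unless the dialog also presents hostname mismatches to the user.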