Uploaded image for project: 'Tools (JBoss Tools)'
  1. Tools (JBoss Tools)
  2. JBIDE-19594

SSL callback: provide meaningful hostname verifier, stop always accepting hostnames


    • Icon: Enhancement Enhancement
    • Resolution: Unresolved
    • Icon: Major Major
    • 4.30.x
    • 4.3.0.Alpha2
    • openshift

      We're currently using an SSL callback that will allow users to get informed and act upon "faulty" certificates (ex. self-signed ones) and mismatches btw. the host we're talking to and the one that is referenced in the ssl certificate:

      public interface ISSLCertificateCallback {
      		public boolean allowCertificate(X509Certificate[] chain);
      		public boolean allowHostname(String hostname, SSLSession session); 

      The callback that we are using in JBT is presenting a dialog in case the jdk cannot verify the certificate (ex. self signed certificates) and allows the user to accept/deny it.
      In case the jdk cannot verify the hostname (the host we're talking to is not matching the host that's referenced in the certificate) we're currently always accepting the hostname:

      	public boolean allowHostname(String hostname, SSLSession sslSession) {
      		return true;

      We should find a meaningfull implementation of such a verification that does not simply always accept it. A first idea would be to present the mismatch to the user and allow it to accept/refute it.

      This issue came up JBIDE-19581 when there was no callback installed which made the hostname verification fail as in jdk. When fetching the quickstarts OSJC is reaching out to https://hub.openshift.com (https://hub.openshift.com/api/v1/quickstarts/promoted.json) while the ssl certificate presented only covers openshift.redhat.com:

      * Server certificate:
      * 	subject: CN=openshift.redhat.com,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US
      * 	start date: Jul 23 00:00:00 2014 GMT
      * 	expire date: Jul 27 12:00:00 2017 GMT
      * 	common name: openshift.redhat.com
      * 	issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US

            Unassigned Unassigned
            adietish@redhat.com André Dietisheim
            0 Vote for this issue
            1 Start watching this issue