Details
-
Feature Request
-
Resolution: Done
-
Major
-
2.5.0
-
None
Description
The current implementation blindly allows SSL certificates that dont match the effective hostname.
UrlConnectionHttpClient
private class NoopHostnameVerifier implements HostnameVerifier { public boolean verify(String hostname, SSLSession sslSession) { return true; } }
The very same is also true for self signed certificates which are blindly accepted:
code:title=UrlConnectionHttpClient
private class PermissiveTrustManager implements X509TrustManager { public X509Certificate[] getAcceptedIssuers() { return null; } public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { } public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { } }
We should allow the user to allow/disallow these explicitly. I.ex with callbacks that Eclipse could use to present dialogs to the user.
Attachments
Issue Links
- blocks
-
JBIDE-14768 Connection dialog: Inform users about invalid SSL certificates and allow them to accept/refuse them
-
- Closed
-
