Posted to issues@maven.apache.org by "gnodet (via GitHub)" <gi...@apache.org> on 2023/03/01 07:30:18 UTC

[GitHub] [maven-resolver] gnodet commented on a diff in pull request #255: [MRESOLVER-328] SSL insecure mode

gnodet commented on code in PR #255:
URL: https://github.com/apache/maven-resolver/pull/255#discussion_r1121267926


##########
maven-resolver-api/src/main/java/org/eclipse/aether/ConfigurationProperties.java:
##########
@@ -144,6 +144,22 @@ public final class ConfigurationProperties {
      */
     public static final int DEFAULT_HTTP_RETRY_HANDLER_COUNT = 3;
 
+    /**
+     * The flag that makes HTTPS transport ignore any kind of SSL errors (certificate validity checks,
+     * hostname verification).
+     *
+     * @see #DEFAULT_HTTPS_INSECURE
+     * @since 1.9.6
+     */
+    public static final String HTTPS_INSECURE = PREFIX_CONNECTOR + "https.insecure";
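Review bot: the Javadoc for HTTPS_INSECURE understates the consequence of the flag; "ignore any kind of SSL errors" should say plainly that enabling it disables certificate chain validation and hostname verification for every HTTPS repository the resolver contacts, so a downloaded artifact can be substituted by anyone on the network path, and that it is meant for local testing against self-signed hosts, never for CI builds pulling from public repositories. Also state the accepted value type (a boolean, given the `DEFAULT_HTTPS_INSECURE` the `@see` points at) so callers know what to pass for the key.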

Review Comment:
   Should we use a string property `https.security` with some values `secured`, `insecured` for now? This would allow more openness for things like `no-host-verifier,no-certificate-check` ...



##########
maven-resolver-transport-http/src/main/java/org/eclipse/aether/transport/http/GlobalState.java:
##########
@@ -154,18 +157,30 @@ public static HttpClientConnectionManager newConnectionManager(SslConfig sslConf
         if (sslConfig == null) {
             registryBuilder.register("https", SSLConnectionSocketFactory.getSystemSocketFactory());
         } else {
-            SSLSocketFactory sslSocketFactory = (sslConfig.context != null)
-                    ? sslConfig.context.getSocketFactory()
-                    : (SSLSocketFactory) SSLSocketFactory.getDefault();
-
-            HostnameVerifier hostnameVerifier = (sslConfig.verifier != null)
-                    ? sslConfig.verifier
-                    : SSLConnectionSocketFactory.getDefaultHostnameVerifier();
-
-            registryBuilder.register(
-                    "https",
-                    new SSLConnectionSocketFactory(
-                            sslSocketFactory, sslConfig.protocols, sslConfig.cipherSuites, hostnameVerifier));
+            // config present: use provided, if any, or defaults (depending on insecure)
+            try {
+                SSLSocketFactory sslSocketFactory = (sslConfig.context != null)
+                        ? sslConfig.context.getSocketFactory()
+                        : sslConfig.insecure
+                                ? new SSLContextBuilder()
+                                        .loadTrustMaterial(null, (chain, auth) -> true)
+                                        .build()
+                                        .getSocketFactory()
+                                : (SSLSocketFactory) SSLSocketFactory.getDefault();
+
+                HostnameVerifier hostnameVerifier = (sslConfig.verifier != null)
+                        ? sslConfig.verifier
+                        : sslConfig.insecure
+                                ? NoopHostnameVerifier.INSTANCE
+                                : SSLConnectionSocketFactory.getDefaultHostnameVerifier();
+
+                registryBuilder.register(
+                        "https",
+                        new SSLConnectionSocketFactory(
+                                sslSocketFactory, sslConfig.protocols, sslConfig.cipherSuites, hostnameVerifier));
+            } catch (Exception e) {
+                throw new SSLInitializationException("Could not configure 'insecure' SSL", e);
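Review bot: nothing is logged when `sslConfig.insecure` selects the trust-all `SSLContext` (`loadTrustMaterial(null, (chain, auth) -> true)`) or `NoopHostnameVerifier.INSTANCE`, so a build that silently accepts any certificate leaves no trace in its output; suggest emitting a WARN-level message at both selection points naming the property that enabled it. Note also the precedence this block creates: when `sslConfig.context` is supplied the caller's trust settings are kept, but `sslConfig.insecure` still swaps in `NoopHostnameVerifier` unless `sslConfig.verifier` is also set, so a configured context plus the insecure flag yields validated chains with no hostname check. Either document that mixed state or have the flag only apply when neither `context` nor `verifier` is provided.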

Review Comment:
   The exception message looks incoherent with the code. We're not configuring _insecure_ ssl specifically in the code block. So I think we should either restrict the `try`/`catch` block to _insecure ssl_ configuration, or change the message.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@maven.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
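The following is an added illustration, not code from the maven-resolver PR or from gnodet: it sketches how the string-valued `https.security` property proposed in the first review comment could be parsed into two independent knobs (certificate check, hostname verification) and turned into the same Apache HttpClient `SSLConnectionSocketFactory` the second hunk builds, while warning when either check is switched off and failing closed on unknown tokens. The class name `HttpsSecurityMode`, its methods, and the `Logger` warnings are assumptions; the token names `secured`, `insecured`, `no-host-verifier` and `no-certificate-check` are taken from the review comment, and the HttpClient/httpcore 4.x APIs (`SSLContextBuilder`, `NoopHostnameVerifier`, `SSLInitializationException`) are the ones already used in the hunk.

```java
import java.security.GeneralSecurityException;
import java.util.Locale;
import java.util.logging.Logger;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLInitializationException;

/**
 * Hypothetical parsed form of a comma-separated "https.security" property
 * (illustration only; this type does not exist in maven-resolver).
 */
public final class HttpsSecurityMode {
    private static final Logger LOG = Logger.getLogger(HttpsSecurityMode.class.getName());

    /** Default when the property is absent: both checks enabled. */
    public static final HttpsSecurityMode SECURE = new HttpsSecurityMode(false, false);

    public final boolean skipCertificateCheck;
    public final boolean skipHostnameVerification;

    private HttpsSecurityMode(boolean skipCertificateCheck, boolean skipHostnameVerification) {
        this.skipCertificateCheck = skipCertificateCheck;
        this.skipHostnameVerification = skipHostnameVerification;
    }

    /** Parses the property; unknown or contradictory tokens are rejected rather than ignored. */
    public static HttpsSecurityMode parse(String value) {
        if (value == null || value.trim().isEmpty()) {
            return SECURE;
        }
        boolean skipCert = false;
        boolean skipHost = false;
        boolean sawSecured = false;
        for (String raw : value.toLowerCase(Locale.ROOT).split(",")) {
            String token = raw.trim();
            switch (token) {
                case "":
                    break;
                case "secured":
                    sawSecured = true;
                    break;
                case "insecured":               // equivalent to the PR's boolean https.insecure=true
                    skipCert = true;
                    skipHost = true;
                    break;
                case "no-certificate-check":
                    skipCert = true;
                    break;
                case "no-host-verifier":
                    skipHost = true;
                    break;
                default:
                    throw new IllegalArgumentException("Unknown https.security token: '" + token + "'");
            }
        }
        if (sawSecured && (skipCert || skipHost)) {
            throw new IllegalArgumentException("https.security mixes 'secured' with a weakening token: " + value);
        }
        return new HttpsSecurityMode(skipCert, skipHost);
    }

    /** Builds the HTTPS socket factory, warning loudly whenever a check is disabled. */
    public SSLConnectionSocketFactory socketFactory(String[] protocols, String[] cipherSuites) {
        try {
            SSLContext context;
            if (skipCertificateCheck) {
                LOG.warning("https.security disables certificate validation: any chain is accepted");
                context = new SSLContextBuilder()
                        .loadTrustMaterial(null, (chain, authType) -> true)
                        .build();
            } else {
                context = SSLContext.getDefault();
            }
            HostnameVerifier verifier;
            if (skipHostnameVerification) {
                LOG.warning("https.security disables hostname verification");
                verifier = NoopHostnameVerifier.INSTANCE;
            } else {
                verifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
            }
            return new SSLConnectionSocketFactory(context.getSocketFactory(), protocols, cipherSuites, verifier);
        } catch (GeneralSecurityException e) {
            // Only the SSL setup above is inside the try, so the message matches what can fail.
            throw new SSLInitializationException("Could not initialise HTTPS socket factory", e);
        }
    }

    public static void main(String[] args) {
        HttpsSecurityMode m = parse("no-host-verifier");
        System.out.println("skipCert=" + m.skipCertificateCheck + " skipHost=" + m.skipHostnameVerification);
        m.socketFactory(null, null);   // logs the hostname-verification warning
    }
}
```

Keeping the two checks as separate fields means a future `no-certificate-check` alone still verifies the hostname, and the parser's rejection of unknown tokens avoids the failure mode where a typo such as `insecure` silently leaves a build in the default mode the operator did not intend (or, worse, an unknown weakening token is treated as harmless).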