Posted to issues@maven.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2023/03/01 07:31:00 UTC
[jira] [Commented] (MRESOLVER-328) The transport-http should be able to ignore cert errors
[ https://issues.apache.org/jira/browse/MRESOLVER-328?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17694892#comment-17694892 ]
ASF GitHub Bot commented on MRESOLVER-328:
------------------------------------------
gnodet commented on code in PR #255:
URL: https://github.com/apache/maven-resolver/pull/255#discussion_r1121267926
##########
maven-resolver-api/src/main/java/org/eclipse/aether/ConfigurationProperties.java:
##########
@@ -144,6 +144,22 @@ public final class ConfigurationProperties {
*/
public static final int DEFAULT_HTTP_RETRY_HANDLER_COUNT = 3;
+ /**
+ * The flag that makes HTTPS transport ignore any kind of SSL errors (certificate validity checks,
+ * hostname verification).
+ *
+ * @see #DEFAULT_HTTPS_INSECURE
+ * @since 1.9.6
+ */
+ public static final String HTTPS_INSECURE = PREFIX_CONNECTOR + "https.insecure";
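Review bot: the Javadoc on `HTTPS_INSECURE` says the flag ignores "any kind of SSL errors", which is broader than the two checks it lists in parentheses. Suggest wording it as exactly what is switched off (certificate validation and hostname verification), and adding the value type plus one sentence stating that with the flag set the server is no longer authenticated, so the option is only suitable for test or otherwise trusted environments.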
Review Comment:
Should we use a string property `https.security` with some values `secured`, `insecured` for now? This would allow more openness for things like `no-host-verifier,no-certificate-check` ...
##########
maven-resolver-transport-http/src/main/java/org/eclipse/aether/transport/http/GlobalState.java:
##########
@@ -154,18 +157,30 @@ public static HttpClientConnectionManager newConnectionManager(SslConfig sslConf
if (sslConfig == null) {
registryBuilder.register("https", SSLConnectionSocketFactory.getSystemSocketFactory());
} else {
- SSLSocketFactory sslSocketFactory = (sslConfig.context != null)
- ? sslConfig.context.getSocketFactory()
- : (SSLSocketFactory) SSLSocketFactory.getDefault();
-
- HostnameVerifier hostnameVerifier = (sslConfig.verifier != null)
- ? sslConfig.verifier
- : SSLConnectionSocketFactory.getDefaultHostnameVerifier();
-
- registryBuilder.register(
- "https",
- new SSLConnectionSocketFactory(
- sslSocketFactory, sslConfig.protocols, sslConfig.cipherSuites, hostnameVerifier));
+ // config present: use provided, if any, or defaults (depending on insecure)
+ try {
+ SSLSocketFactory sslSocketFactory = (sslConfig.context != null)
+ ? sslConfig.context.getSocketFactory()
+ : sslConfig.insecure
+ ? new SSLContextBuilder()
+ .loadTrustMaterial(null, (chain, auth) -> true)
+ .build()
+ .getSocketFactory()
+ : (SSLSocketFactory) SSLSocketFactory.getDefault();
+
+ HostnameVerifier hostnameVerifier = (sslConfig.verifier != null)
+ ? sslConfig.verifier
+ : sslConfig.insecure
+ ? NoopHostnameVerifier.INSTANCE
+ : SSLConnectionSocketFactory.getDefaultHostnameVerifier();
+
+ registryBuilder.register(
+ "https",
+ new SSLConnectionSocketFactory(
+ sslSocketFactory, sslConfig.protocols, sslConfig.cipherSuites, hostnameVerifier));
+ } catch (Exception e) {
+ throw new SSLInitializationException("Could not configure 'insecure' SSL", e);
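Review bot: in the two ternaries that select `sslSocketFactory` and `hostnameVerifier`, `sslConfig.insecure` is consulted separately for each, so a config that supplies `context` but no `verifier` gets certificate checks from the custom context together with `NoopHostnameVerifier.INSTANCE` for hostnames. Decide whether insecure mode should be all-or-nothing when a context or verifier is supplied, and document the precedence next to the flag. Nothing in the visible lines logs that validation is off; a warning emitted when the `(chain, auth) -> true` trust strategy is installed would make the setting visible in build output.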
Review Comment:
The exception message looks incoherent with the code. We're not configuring _insecure_ ssl specifically in the code block. So I think we should either restrict the `try`/`catch` block to _insecure ssl_ configuration, or change the message.
> The transport-http should be able to ignore cert errors
> -------------------------------------------------------
>
> Key: MRESOLVER-328
> URL: https://issues.apache.org/jira/browse/MRESOLVER-328
> Project: Maven Resolver
> Issue Type: Improvement
> Components: Resolver
> Reporter: Tamas Cservenak
> Assignee: Tamas Cservenak
> Priority: Major
> Fix For: 1.9.6
>
>
> Like an "unsafe" or "insecure" SSL mode.