You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2018/04/05 19:17:00 UTC
[jira] [Commented] (WAGON-452) RelaxedTrustStrategy does not handle
multiple certificates
[ https://issues.apache.org/jira/browse/WAGON-452?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16427473#comment-16427473 ]
ASF GitHub Bot commented on WAGON-452:
--------------------------------------
asfgit closed pull request #36: [WAGON-452] RelaxedTrustStrategy handle multiple certificates
URL: https://github.com/apache/maven-wagon/pull/36
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git a/wagon-providers/wagon-http-shared/src/main/java/org/apache/maven/wagon/shared/http/RelaxedTrustStrategy.java b/wagon-providers/wagon-http-shared/src/main/java/org/apache/maven/wagon/shared/http/RelaxedTrustStrategy.java
index ca9bc9a5..26e49367 100644
--- a/wagon-providers/wagon-http-shared/src/main/java/org/apache/maven/wagon/shared/http/RelaxedTrustStrategy.java
+++ b/wagon-providers/wagon-http-shared/src/main/java/org/apache/maven/wagon/shared/http/RelaxedTrustStrategy.java
@@ -45,24 +45,27 @@ public RelaxedTrustStrategy( boolean ignoreSSLValidityDates )
public boolean isTrusted( X509Certificate[] certificates, String authType )
throws CertificateException
{
- if ( ( certificates != null ) && ( certificates.length == 1 ) )
+ if ( ( certificates != null ) && ( certificates.length > 0 ) )
{
- try
+ for ( X509Certificate currentCertificate : certificates )
{
- certificates[0].checkValidity();
- }
- catch ( CertificateExpiredException e )
- {
- if ( !ignoreSSLValidityDates )
+ try
{
- throw e;
+ currentCertificate.checkValidity();
}
- }
- catch ( CertificateNotYetValidException e )
- {
- if ( !ignoreSSLValidityDates )
+ catch ( CertificateExpiredException e )
+ {
+ if ( !ignoreSSLValidityDates )
+ {
+ throw e;
+ }
+ }
+ catch ( CertificateNotYetValidException e )
{
- throw e;
+ if ( !ignoreSSLValidityDates )
+ {
+ throw e;
+ }
}
}
return true;
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
> RelaxedTrustStrategy does not handle multiple certificates
> ----------------------------------------------------------
>
> Key: WAGON-452
> URL: https://issues.apache.org/jira/browse/WAGON-452
> Project: Maven Wagon
> Issue Type: Bug
> Components: wagon-http, wagon-http-lightweight
> Affects Versions: 2.10
> Reporter: VĂtor Teixeira
> Assignee: Michael Osipov
> Priority: Major
> Labels: easyfix, maven, security
> Fix For: 3.0.1
>
> Original Estimate: 24h
> Remaining Estimate: 24h
>
> On org.apache.maven.wagon.providers.http.RelaxedTrustStrategy exception handling is missing.
> With maven.wagon.http.ssl.ignore.validity.dates=true the following exception is thrown:
> sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed: NotAfter: Tue Dec 29 23:59:59 GMT 2015 -> [Help 1]
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)