Uploaded image for project: 'Tools (JBoss Tools)'
  1. Tools (JBoss Tools)
  2. JBIDE-14768

Connection dialog: Inform users about invalid SSL certificates and allow them to accept/refuse them

    XMLWordPrintable

Details

    Description

      In JBIDE-10447 the openshift-java-client disabled the checks for SSL certificates since those prevented users from connecting to internal/private OpenShift instances:

      UrlConnectionHttpClient
      private HttpURLConnection createConnection(String userAgent, URL url) throws IOException {
	HttpURLConnection connection = (HttpURLConnection) url.openConnection();
	if (isHttps(url)
			&& !doSSLChecks) {
		HttpsURLConnection httpsConnection = (HttpsURLConnection) connection;
		httpsConnection.setHostnameVerifier(new NoopHostnameVerifier());
		setPermissiveSSLSocketFactory(httpsConnection);
	}

	private boolean isHttps(URL url) {
		return "https".equals(url.getProtocol());
	}

	/**
	 * Sets a trust manager that will always trust.
	 * <p>
	 * TODO: dont swallog exceptions and setup things so that they dont disturb other components.
	 */
	private void setPermissiveSSLSocketFactory(HttpsURLConnection connection) {
		try {
			SSLContext sslContext = SSLContext.getInstance("SSL");
			sslContext.init(new KeyManager[0], new TrustManager[] { new PermissiveTrustManager() }, new SecureRandom());
			SSLSocketFactory socketFactory = sslContext.getSocketFactory();
			((HttpsURLConnection) connection).setSSLSocketFactory(socketFactory);
		} catch (KeyManagementException e) {
			// ignore
		} catch (NoSuchAlgorithmException e) {
			// ignore
		}
	}

	private static class PermissiveTrustManager implements X509TrustManager {

		public X509Certificate[] getAcceptedIssuers() {
			return null;
		}

		public void checkServerTrusted(X509Certificate[] chain,
				String authType) throws CertificateException {
		}

		public void checkClientTrusted(X509Certificate[] chain,
				String authType) throws CertificateException {
		}
	}

	private static class NoopHostnameVerifier implements HostnameVerifier {

		public boolean verify(String hostname, SSLSession sslSession) {
			return true;
		}
	}

      We should not simply disable these SSL checks but allow users to accept/refuse them via a dialog

      Attachments

        Issue Links

          blocks

          Feature Request - Feature requests from customers and/or users JBIDE-16444 Connection wizard: save accepted certificates in the Eclipse preferences and allow users to inspect/revoke them

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Enhancement - An enhancement to or refactoring of existing functionality that is not configurable by an end user (typically a change made by an internal team that affects users) JBIDE-16517 SSL Certificate dialog: need to show to what server we're connecting

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Reopened
          is blocked by

          Feature Request - Feature requests from customers and/or users OSJC-96 Allow users to refuse/allow "invalid" SSL Certificates

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved
          is related to

          Bug - A problem that impairs or prevents the functions of the product. JBIDE-10447 Cannot connect to Dev environment with JBoss Tools OpenShift Tooling

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. JBIDE-14760 Cannot connect to OpenShift Enterprise with hostname: javax.net.ssl.SSLProtocolException (WATCHER)

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. JBIDE-15594 Cannot connect to OpenShift DEVENV with hostname: javax.net.ssl.SSLProtocolException

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              adietish@redhat.com André Dietisheim
              adietish@redhat.com André Dietisheim
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: