From d49530ad861ee7053ca1a92d619f127b5d6bc3a1 Mon Sep 17 00:00:00 2001
From: Per Salomonsson
Date: Wed, 26 Jan 2011 01:16:24 +0100
Subject: [PATCH] Support for self signed certificate (HTTPS)

Add possibility to disable ssl verification, just as i can do with git using: git config --global http.sslVerify false To enable the feature, configure Window->Preferences->Team->Git->Configuration and add a new key/value: http.sslVerify=false When handling repos over https, JGit will then check that flag to see if security is loose and the ssl verification should be ignored. Having it implemented as a key/value makes it not too obvious in the GUI - so the user must know what he/she is doing when adding it. Being aware of the risks etc.

Bug: 332487
Change-Id: I2a1b8098b5890bf512b8dbe07da41036c0fc9b72
Signed-off-by: Matthias Sohn
---
 .../eclipse/jgit/transport/TransportHttp.java | 48 ++++++++++++++++++-
 1 file changed, 47 insertions(+), 1 deletion(-)

diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/transport/TransportHttp.java b/org.eclipse.jgit/src/org/eclipse/jgit/transport/TransportHttp.java
index 9eb1d2db5..3ec88714f 100644
--- a/org.eclipse.jgit/src/org/eclipse/jgit/transport/TransportHttp.java
+++ b/org.eclipse.jgit/src/org/eclipse/jgit/transport/TransportHttp.java
@@ -66,6 +66,10 @@ import java.net.MalformedURLException;
 import java.net.Proxy;
 import java.net.ProxySelector;
 import java.net.URL;
+import java.net.URLConnection;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.X509Certificate;
 import java.text.MessageFormat;
 import java.util.ArrayList;
 import java.util.Collection;
@@ -75,12 +79,18 @@ import java.util.TreeMap;
 import java.util.zip.GZIPInputStream;
 import java.util.zip.GZIPOutputStream;
 
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+
 import org.eclipse.jgit.JGitText;
 import org.eclipse.jgit.errors.NoRemoteRepositoryException;
 import org.eclipse.jgit.errors.NotSupportedException;
 import org.eclipse.jgit.errors.PackProtocolException;
 import org.eclipse.jgit.errors.TransportException;
 import org.eclipse.jgit.lib.Config;
+import org.eclipse.jgit.lib.Config.SectionParser;
 import org.eclipse.jgit.lib.Constants;
 import org.eclipse.jgit.lib.ObjectId;
 import org.eclipse.jgit.lib.ObjectIdRef;
@@ -88,7 +98,6 @@ import org.eclipse.jgit.lib.ProgressMonitor;
 import org.eclipse.jgit.lib.Ref;
 import org.eclipse.jgit.lib.Repository;
 import org.eclipse.jgit.lib.SymbolicRef;
-import org.eclipse.jgit.lib.Config.SectionParser;
 import org.eclipse.jgit.storage.file.RefDirectory;
 import org.eclipse.jgit.util.HttpSupport;
 import org.eclipse.jgit.util.IO;
@@ -148,8 +157,11 @@ public class TransportHttp extends HttpTransport implements WalkTransport,
 private static class HttpConfig {
 final int postBuffer;
 
+ final boolean sslVerify;
+
 HttpConfig(final Config rc) {
 postBuffer = rc.getInt("http", "postbuffer", 1 * 1024 * 1024); //$NON-NLS-1$ //$NON-NLS-2$
+ sslVerify = rc.getBoolean("http", "sslVerify", true);
 }
 }
 
@@ -401,6 +413,11 @@ public class TransportHttp extends HttpTransport implements WalkTransport,
 final HttpURLConnection httpOpen(String method, URL u) throws IOException {
 final Proxy proxy = HttpSupport.proxyFor(proxySelector, u);
 HttpURLConnection conn = (HttpURLConnection) u.openConnection(proxy);
+
+ if (!http.sslVerify && "https".equals(u.getProtocol())) {
+ disableSslVerify(conn);
+ }
+
 conn.setRequestMethod(method);
 conn.setUseCaches(false);
 conn.setRequestProperty(HDR_ACCEPT_ENCODING, ENCODING_GZIP);
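Review bot: The new `sslVerify` field in HttpConfig has no comment, although the value it holds decides whether certificate validation happens at all, so it deserves one: `/** Verify the server's TLS certificate (git's http.sslVerify); false disables chain validation for every https URL opened through this transport. */`. The key is read once with no URL qualifier, so the setting is global for this Config rather than per remote; saying so in the comment stops anyone expecting it to scope to a single host. The field is consumed in the later httpOpen hunk, outside this one.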
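Review bot: The guard in httpOpen tests the URL scheme, but disableSslVerify (defined in a later hunk) then casts the connection unconditionally to HttpsURLConnection, so a URLConnection produced by a non-default https handler would fail with a ClassCastException rather than a clear error. Checking the runtime type at the call site covers both cases: `if (!http.sslVerify && conn instanceof HttpsURLConnection) {` followed by `disableSslVerify((HttpsURLConnection) conn);`, after which the helper can take HttpsURLConnection and drop its own cast. httpOpen's body continues past the end of this hunk.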
@@ -412,6 +429,21 @@ public class TransportHttp extends HttpTransport implements WalkTransport,
 return conn;
 }
 
+ private void disableSslVerify(URLConnection conn)
+ throws IOException {
+ final TrustManager[] trustAllCerts = new TrustManager[] { new DummyX509TrustManager() };
+ try {
+ SSLContext ctx = SSLContext.getInstance("SSL");
+ ctx.init(null, trustAllCerts, null);
+ final HttpsURLConnection sslConn = (HttpsURLConnection) conn;
+ sslConn.setSSLSocketFactory(ctx.getSocketFactory());
+ } catch (KeyManagementException e) {
+ throw new IOException(e);
+ } catch (NoSuchAlgorithmException e) {
+ throw new IOException(e);
+ }
+ }
+
 final InputStream openInputStream(HttpURLConnection conn)
 throws IOException {
 InputStream input = conn.getInputStream();
@@ -779,4 +811,18 @@ public class TransportHttp extends HttpTransport implements WalkTransport,
 }
 }
 }
+
+ private static class DummyX509TrustManager implements X509TrustManager {
+ public X509Certificate[] getAcceptedIssuers() {
+ return null;
+ }
+
+ public void checkClientTrusted(X509Certificate[] certs, String authType) {
+ // no check
+ }
+
+ public void checkServerTrusted(X509Certificate[] certs, String authType) {
+ // no check
+ }
+ }
 }
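Review bot: `SSLContext.getInstance("SSL")` in disableSslVerify requests the legacy protocol name; `"TLS"` is the conventional algorithm name and does not suggest that SSL-era protocols are wanted, so `SSLContext ctx = SSLContext.getInstance("TLS");` is the safer spelling. The method also lacks a Javadoc stating exactly what it weakens: only certificate-chain validation is replaced, and since no HostnameVerifier is installed the connection's default hostname check still runs, so a self-signed certificate whose subject does not match the URL host is still rejected — worth writing down so that outcome is not mistaken for a bug. The cast `(HttpsURLConnection) conn` is unchecked here; declaring the parameter as HttpsURLConnection would move that decision to the caller, which already knows the scheme.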
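Review bot: `getAcceptedIssuers()` in DummyX509TrustManager returns null, but the X509TrustManager contract is a non-null (possibly empty) array, and code that iterates over the result will throw a NullPointerException; `return new X509Certificate[0];` satisfies the contract. The class has no Javadoc explaining that it accepts every chain by design and is installed only when http.sslVerify is false, and an `@Override` on its three methods would let the compiler catch signature drift. DummyX509TrustManager is complete within the hunk.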