
Support for self signed certificate (HTTPS)

Add the possibility to disable SSL verification, just as I can do with git
using: git config --global http.sslVerify false

To enable the feature, configure
Window->Preferences->Team->Git->Configuration
and add a new key/value: http.sslVerify=false

When handling repos over https, JGit will then check that flag to see
if security is loose and the ssl verification should be ignored.

Having it implemented as a key/value makes it not too obvious in the
GUI - so the user must know what he/she is doing when adding it. Being
aware of the risks etc.

Bug: 332487
Change-Id: I2a1b8098b5890bf512b8dbe07da41036c0fc9b72
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
stable-0.11
Per Salomonsson 14 years ago committed by Matthias Sohn
parent
commit
d49530ad86
  1. 48
      org.eclipse.jgit/src/org/eclipse/jgit/transport/TransportHttp.java

48
org.eclipse.jgit/src/org/eclipse/jgit/transport/TransportHttp.java

@ -66,6 +66,10 @@ import java.net.MalformedURLException;
import java.net.Proxy; import java.net.Proxy;
import java.net.ProxySelector; import java.net.ProxySelector;
import java.net.URL; import java.net.URL;
import java.net.URLConnection;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.text.MessageFormat; import java.text.MessageFormat;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
@ -75,12 +79,18 @@ import java.util.TreeMap;
import java.util.zip.GZIPInputStream; import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream; import java.util.zip.GZIPOutputStream;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.eclipse.jgit.JGitText; import org.eclipse.jgit.JGitText;
import org.eclipse.jgit.errors.NoRemoteRepositoryException; import org.eclipse.jgit.errors.NoRemoteRepositoryException;
import org.eclipse.jgit.errors.NotSupportedException; import org.eclipse.jgit.errors.NotSupportedException;
import org.eclipse.jgit.errors.PackProtocolException; import org.eclipse.jgit.errors.PackProtocolException;
import org.eclipse.jgit.errors.TransportException; import org.eclipse.jgit.errors.TransportException;
import org.eclipse.jgit.lib.Config; import org.eclipse.jgit.lib.Config;
import org.eclipse.jgit.lib.Config.SectionParser;
import org.eclipse.jgit.lib.Constants; import org.eclipse.jgit.lib.Constants;
import org.eclipse.jgit.lib.ObjectId; import org.eclipse.jgit.lib.ObjectId;
import org.eclipse.jgit.lib.ObjectIdRef; import org.eclipse.jgit.lib.ObjectIdRef;
@ -88,7 +98,6 @@ import org.eclipse.jgit.lib.ProgressMonitor;
import org.eclipse.jgit.lib.Ref; import org.eclipse.jgit.lib.Ref;
import org.eclipse.jgit.lib.Repository; import org.eclipse.jgit.lib.Repository;
import org.eclipse.jgit.lib.SymbolicRef; import org.eclipse.jgit.lib.SymbolicRef;
import org.eclipse.jgit.lib.Config.SectionParser;
import org.eclipse.jgit.storage.file.RefDirectory; import org.eclipse.jgit.storage.file.RefDirectory;
import org.eclipse.jgit.util.HttpSupport; import org.eclipse.jgit.util.HttpSupport;
import org.eclipse.jgit.util.IO; import org.eclipse.jgit.util.IO;
@ -148,8 +157,11 @@ public class TransportHttp extends HttpTransport implements WalkTransport,
private static class HttpConfig { private static class HttpConfig {
final int postBuffer; final int postBuffer;
final boolean sslVerify;
HttpConfig(final Config rc) { HttpConfig(final Config rc) {
postBuffer = rc.getInt("http", "postbuffer", 1 * 1024 * 1024); //$NON-NLS-1$ //$NON-NLS-2$ postBuffer = rc.getInt("http", "postbuffer", 1 * 1024 * 1024); //$NON-NLS-1$ //$NON-NLS-2$
sslVerify = rc.getBoolean("http", "sslVerify", true);
} }
} }
@ -401,6 +413,11 @@ public class TransportHttp extends HttpTransport implements WalkTransport,
final HttpURLConnection httpOpen(String method, URL u) throws IOException { final HttpURLConnection httpOpen(String method, URL u) throws IOException {
final Proxy proxy = HttpSupport.proxyFor(proxySelector, u); final Proxy proxy = HttpSupport.proxyFor(proxySelector, u);
HttpURLConnection conn = (HttpURLConnection) u.openConnection(proxy); HttpURLConnection conn = (HttpURLConnection) u.openConnection(proxy);
if (!http.sslVerify && "https".equals(u.getProtocol())) {
disableSslVerify(conn);
}
conn.setRequestMethod(method); conn.setRequestMethod(method);
conn.setUseCaches(false); conn.setUseCaches(false);
conn.setRequestProperty(HDR_ACCEPT_ENCODING, ENCODING_GZIP); conn.setRequestProperty(HDR_ACCEPT_ENCODING, ENCODING_GZIP);
@ -412,6 +429,21 @@ public class TransportHttp extends HttpTransport implements WalkTransport,
return conn; return conn;
} }
private void disableSslVerify(URLConnection conn)
throws IOException {
final TrustManager[] trustAllCerts = new TrustManager[] { new DummyX509TrustManager() };
try {
SSLContext ctx = SSLContext.getInstance("SSL");
ctx.init(null, trustAllCerts, null);
final HttpsURLConnection sslConn = (HttpsURLConnection) conn;
sslConn.setSSLSocketFactory(ctx.getSocketFactory());
} catch (KeyManagementException e) {
throw new IOException(e);
} catch (NoSuchAlgorithmException e) {
throw new IOException(e);
}
}
final InputStream openInputStream(HttpURLConnection conn) final InputStream openInputStream(HttpURLConnection conn)
throws IOException { throws IOException {
InputStream input = conn.getInputStream(); InputStream input = conn.getInputStream();
@ -779,4 +811,18 @@ public class TransportHttp extends HttpTransport implements WalkTransport,
} }
} }
} }
private static class DummyX509TrustManager implements X509TrustManager {
public X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(X509Certificate[] certs, String authType) {
// no check
}
public void checkServerTrusted(X509Certificate[] certs, String authType) {
// no check
}
}
} }
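Review bot: `DummyX509TrustManager.getAcceptedIssuers()` returns `null`, but the `X509TrustManager` contract requires a non-null (possibly empty) array, so any code that inspects the accepted issuers of the installed manager can fail with a NullPointerException; `return new X509Certificate[0];` satisfies the contract without changing the trust-all behaviour. The new `disableSslVerify` method and the trust manager carry no Javadoc; since they bypass server certificate chain validation entirely, each should say so plainly and state that it is only reached when `http.sslVerify=false` is set explicitly, e.g. `/** Accepts every certificate chain; installed only when http.sslVerify=false is configured. */`. That Javadoc should also note that the hostname check performed by `HttpsURLConnection` is a separate step this change leaves in place, so readers do not assume the option reproduces git's semantics exactly. Finally, `rc.getBoolean("http", "sslVerify", true)` lacks the `//$NON-NLS-1$ //$NON-NLS-2$` tags that the `postbuffer` line directly above it carries.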
