This is an automated email from the ASF dual-hosted git repository.
markus pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/nutch.git
The following commit(s) were added to refs/heads/master by this push:
new 61d7e8c NUTCH-2647 Skip TLS certificate checks in protocol-http plugin
61d7e8c is described below
commit 61d7e8ce440aa544ce23e98a6fc6f811c482c5a0
Author: Markus Jelsma <[email protected]>
AuthorDate: Fri Sep 28 11:25:31 2018 +0200
NUTCH-2647 Skip TLS certificate checks in protocol-http plugin
---
.../nutch/protocol/http/DummyX509TrustManager.java | 93 ++++++++++++++++++++++
.../apache/nutch/protocol/http/HttpResponse.java | 14 ++--
2 files changed, 102 insertions(+), 5 deletions(-)
diff --git
a/src/plugin/protocol-http/src/java/org/apache/nutch/protocol/http/DummyX509TrustManager.java
b/src/plugin/protocol-http/src/java/org/apache/nutch/protocol/http/DummyX509TrustManager.java
new file mode 100644
index 0000000..879f703
--- /dev/null
+++
b/src/plugin/protocol-http/src/java/org/apache/nutch/protocol/http/DummyX509TrustManager.java
@@ -0,0 +1,93 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/*
+ * Based on EasyX509TrustManager from commons-httpclient.
+ */
+
+package org.apache.nutch.protocol.http;
+
+import java.lang.invoke.MethodHandles;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class DummyX509TrustManager implements X509TrustManager {
+ private X509TrustManager standardTrustManager = null;
+
+ /** Logger object for this class. */
+ private static final Logger LOG = LoggerFactory
+ .getLogger(MethodHandles.lookup().lookupClass());
+
+ /**
+ * Constructor for DummyX509TrustManager.
+ */
+ public DummyX509TrustManager(KeyStore keystore)
+ throws NoSuchAlgorithmException, KeyStoreException {
+ super();
+ String algo = TrustManagerFactory.getDefaultAlgorithm();
+ TrustManagerFactory factory = TrustManagerFactory.getInstance(algo);
+ factory.init(keystore);
+ TrustManager[] trustmanagers = factory.getTrustManagers();
+ if (trustmanagers.length == 0) {
+ throw new NoSuchAlgorithmException(algo + " trust manager not
supported");
+ }
+ this.standardTrustManager = (X509TrustManager) trustmanagers[0];
+ }
+
+ /**
+ * @see javax.net.ssl.X509TrustManager#checkClientTrusted(X509Certificate[],
+ * String)
+ */
+ public boolean isClientTrusted(X509Certificate[] certificates) {
+ return true;
+ }
+
+ /**
+ * @see javax.net.ssl.X509TrustManager#checkServerTrusted(X509Certificate[],
+ * String)
+ */
+ public boolean isServerTrusted(X509Certificate[] certificates) {
+ return true;
+ }
+
+ /**
+ * @see javax.net.ssl.X509TrustManager#getAcceptedIssuers()
+ */
+ public X509Certificate[] getAcceptedIssuers() {
+ return this.standardTrustManager.getAcceptedIssuers();
+ }
+
+ public void checkClientTrusted(X509Certificate[] arg0, String arg1)
+ throws CertificateException {
+ // do nothing
+
+ }
+
+ public void checkServerTrusted(X509Certificate[] arg0, String arg1)
+ throws CertificateException {
+ // do nothing
+
+ }
+}
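Review bot: `checkServerTrusted` at the end of this class is empty, so every certificate chain is accepted and a connection made with this manager is not authenticated, yet the class has no Javadoc that says so. A class-level comment such as `/** Trust manager that accepts every certificate chain without validation; TLS connections using it are encrypted but not authenticated. */` would make this explicit, and both `check*` methods should carry `@Override`. `isClientTrusted` and `isServerTrusted` are not part of `javax.net.ssl.X509TrustManager` (their `@see` tags point at the `check*` methods) and nothing in this commit calls them. `LOG` is declared but never used, so all three look removable. The constructor comment could also note that `standardTrustManager` is used only by `getAcceptedIssuers()`.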
diff --git
a/src/plugin/protocol-http/src/java/org/apache/nutch/protocol/http/HttpResponse.java
b/src/plugin/protocol-http/src/java/org/apache/nutch/protocol/http/HttpResponse.java
index 4b5544e..95ae352 100644
---
a/src/plugin/protocol-http/src/java/org/apache/nutch/protocol/http/HttpResponse.java
+++
b/src/plugin/protocol-http/src/java/org/apache/nutch/protocol/http/HttpResponse.java
@@ -30,8 +30,10 @@ import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
+import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
import org.apache.hadoop.io.Text;
import org.apache.nutch.crawl.CrawlDatum;
@@ -131,7 +133,7 @@ public class HttpResponse implements Response {
try {
sslsocket = getSSLSocket(socket, sockHost, sockPort);
sslsocket.startHandshake();
- } catch (IOException e) {
+ } catch (Exception e) {
Http.LOG.debug("SSL connection to {} failed with: {}", url,
e.getMessage());
if ("handshake alert: unrecognized_name".equals(e.getMessage())) {
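Review bot: `catch (Exception e)` here, and `catch (Exception ex)` in the reconnect hunk that follows, now also catch unchecked exceptions such as `NullPointerException`, so a programming error would be handled as if it were a handshake failure. The widening is only needed because `getSSLSocket` was changed to `throws Exception`. Everything that method can newly throw (`NoSuchAlgorithmException`, `KeyStoreException`, and `KeyManagementException` from `SSLContext.init`) is a `java.security.GeneralSecurityException`. Declaring `throws IOException, GeneralSecurityException` there and using `catch (IOException | GeneralSecurityException e)` in both places keeps the handling as narrow as before. The enclosing try block starts outside this hunk.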
@@ -142,7 +144,7 @@ public class HttpResponse implements Response {
socket.connect(sockAddr, http.getTimeout());
sslsocket = getSSLSocket(socket, "", sockPort);
sslsocket.startHandshake();
- } catch (IOException ex) {
+ } catch (Exception ex) {
String msg = "SSL reconnect to " + url + " failed with: "
+ e.getMessage();
throw new HttpException(msg);
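Review bot: The message built in this second catch appends `e.getMessage()`, the exception from the first handshake, so the failure of the reconnect itself (`ex`) is never reported and the thrown `HttpException` carries no cause. If the reconnect error is what the message is meant to show, the line should read `+ ex.getMessage();`. Whether `HttpException` has a constructor that accepts a cause is not visible here. These are context lines the commit did not touch, but with `ex` now being any `Exception` the lost detail makes TLS failures harder to diagnose from logs.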
@@ -353,9 +355,11 @@ public class HttpResponse implements Response {
* -------------------------
*/
- private SSLSocket getSSLSocket(Socket socket, String sockHost, int sockPort)
throws IOException {
- SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory
- .getDefault();
+ private SSLSocket getSSLSocket(Socket socket, String sockHost, int sockPort)
throws Exception {
+ SSLContext sslContext = SSLContext.getInstance("TLS");
+ sslContext.init(null, new TrustManager[]{new DummyX509TrustManager(null)},
null);
+ SSLSocketFactory factory = sslContext.getSocketFactory();
+
SSLSocket sslsocket = (SSLSocket) factory
.createSocket(socket, sockHost, sockPort, true);
sslsocket.setUseClientMode(true);
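Review bot: `getSSLSocket` now installs `DummyX509TrustManager` for every HTTPS connection with no switch, so certificate validation is turned off for the whole plugin rather than being an operator's choice. A boolean read from the plugin configuration could select between the old `SSLSocketFactory.getDefault()` and the trust-all factory, e.g. `SSLSocketFactory factory = checkCertificates ? (SSLSocketFactory) SSLSocketFactory.getDefault() : trustAllFactory;` (both names are constructed for illustration). The setting and its security effect should be documented next to the plugin's other properties. The `SSLContext` and trust manager are also rebuilt on every call; creating the factory once and reusing it avoids repeating `TrustManagerFactory.init` per connection. The method body continues past the end of this hunk.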