On 09 Jun 2022, at 00:10, Graham Leggett <[email protected]> wrote: > Does jackrabbit have a way to tell HttpClient to use system properties, that > in turn allows standard java TLS parameters to be respected?
Picking apart the code, it sees the answer is yes, then no. A parameter jackrabbit.client.useSystemProperties was added not long ago which triggers the following code: https://github.com/apache/jackrabbit/blob/ed3124e5fe223dada33ce6ddf53bc666063c3f2f/jackrabbit-spi2dav/src/main/java/org/apache/jackrabbit/spi2dav/RepositoryServiceImpl.java#L373 log.debug("Using system properties for establishing connection!"); // support Java system proxy? (JCR-3211) hcb.useSystemProperties(); Shortly afterwards we run this code that undoes the above: https://github.com/apache/jackrabbit/blob/ed3124e5fe223dada33ce6ddf53bc666063c3f2f/jackrabbit-spi2dav/src/main/java/org/apache/jackrabbit/spi2dav/RepositoryServiceImpl.java#L379 if (connectionOptions.isAllowSelfSignedCertificates()) { log.warn("Nonsecure TLS setting: Accepting self-signed certificates!"); sslContext = SSLContextBuilder.create().loadTrustMaterial(new TrustSelfSignedStrategy()).build(); hcb.setSSLContext(sslContext); } else { sslContext = SSLContextBuilder.create().build(); } In the above code, it appears we either create a SSLContextBuilder that overrides the default with the self signed strategy, or we create a SSLContextBuilder that just overrides the default, hiding all javax.net.ssl parameters. Looks like this stopped working recently here: Little-Net:rackjabbit-trunk minfrin$ svn log -c 1879988 ------------------------------------------------------------------------ r1879988 | reschke | 2020-07-17 10:19:38 +0200 (Fri, 17 Jul 2020) | 3 lines JCR-4536: spi2dav: allow disabling cert and host name checks for TLS connections (also adds test coverage for proxy config) patch by Konrad Windszus (kwin) ------------------------------------------------------------------------ Will carry on digging - the javadocs for SSLContextBuilder are largely blank, so it isn’t clear what the behaviour should be. Regards, Graham —
