gnodet commented on code in PR #255:
URL: https://github.com/apache/maven-resolver/pull/255#discussion_r1121267926
##########
maven-resolver-api/src/main/java/org/eclipse/aether/ConfigurationProperties.java:
##########
@@ -144,6 +144,22 @@ public final class ConfigurationProperties {
*/
public static final int DEFAULT_HTTP_RETRY_HANDLER_COUNT = 3;
+ /**
+ * The flag that makes HTTPS transport ignore any kind of SSL errors
(certificate validity checks,
+ * hostname verification).
+ *
+ * @see #DEFAULT_HTTPS_INSECURE
+ * @since 1.9.6
+ */
+ public static final String HTTPS_INSECURE = PREFIX_CONNECTOR +
"https.insecure";
Review Comment:
Should we use a string property `https.security` with some values `secured`,
`insecured` for now ? This would allow more openness for things like
`no-host-verifier,no-certificate-check` ...
##########
maven-resolver-transport-http/src/main/java/org/eclipse/aether/transport/http/GlobalState.java:
##########
@@ -154,18 +157,30 @@ public static HttpClientConnectionManager
newConnectionManager(SslConfig sslConf
if (sslConfig == null) {
registryBuilder.register("https",
SSLConnectionSocketFactory.getSystemSocketFactory());
} else {
- SSLSocketFactory sslSocketFactory = (sslConfig.context != null)
- ? sslConfig.context.getSocketFactory()
- : (SSLSocketFactory) SSLSocketFactory.getDefault();
-
- HostnameVerifier hostnameVerifier = (sslConfig.verifier != null)
- ? sslConfig.verifier
- : SSLConnectionSocketFactory.getDefaultHostnameVerifier();
-
- registryBuilder.register(
- "https",
- new SSLConnectionSocketFactory(
- sslSocketFactory, sslConfig.protocols,
sslConfig.cipherSuites, hostnameVerifier));
+ // config present: use provided, if any, or defaults (depending on
insecure)
+ try {
+ SSLSocketFactory sslSocketFactory = (sslConfig.context != null)
+ ? sslConfig.context.getSocketFactory()
+ : sslConfig.insecure
+ ? new SSLContextBuilder()
+ .loadTrustMaterial(null, (chain, auth)
-> true)
+ .build()
+ .getSocketFactory()
+ : (SSLSocketFactory)
SSLSocketFactory.getDefault();
+
+ HostnameVerifier hostnameVerifier = (sslConfig.verifier !=
null)
+ ? sslConfig.verifier
+ : sslConfig.insecure
+ ? NoopHostnameVerifier.INSTANCE
+ :
SSLConnectionSocketFactory.getDefaultHostnameVerifier();
+
+ registryBuilder.register(
+ "https",
+ new SSLConnectionSocketFactory(
+ sslSocketFactory, sslConfig.protocols,
sslConfig.cipherSuites, hostnameVerifier));
+ } catch (Exception e) {
+ throw new SSLInitializationException("Could not configure
'insecure' SSL", e);
Review Comment:
The exception message looks incoherent with the code. We're not configuring
_insecure_ ssl specifically in the code block. So I think we should either
restrict the `try`/`catch` block to _insecure ssl_ configuration, or change the
message.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
