[ 
https://issues.apache.org/jira/browse/MRESOLVER-328?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17694892#comment-17694892
 ] 

ASF GitHub Bot commented on MRESOLVER-328:
------------------------------------------

gnodet commented on code in PR #255:
URL: https://github.com/apache/maven-resolver/pull/255#discussion_r1121267926


##########
maven-resolver-api/src/main/java/org/eclipse/aether/ConfigurationProperties.java:
##########
@@ -144,6 +144,22 @@ public final class ConfigurationProperties {
      */
     public static final int DEFAULT_HTTP_RETRY_HANDLER_COUNT = 3;
 
+    /**
+     * The flag that makes HTTPS transport ignore any kind of SSL errors 
(certificate validity checks,
+     * hostname verification).
+     *
+     * @see #DEFAULT_HTTPS_INSECURE
+     * @since 1.9.6
+     */
+    public static final String HTTPS_INSECURE = PREFIX_CONNECTOR + 
"https.insecure";
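Review bot: The Javadoc for `HTTPS_INSECURE` should state the consequence, not just the mechanism: with certificate validity checks and hostname verification both disabled, the transport will accept any certificate presented by any host, so a network-position attacker can serve artifacts over a connection that still looks like HTTPS. The comment should say the flag is intended for test or lab setups only, document the expected default value alongside the `@see #DEFAULT_HTTPS_INSECURE` reference (the default is not visible in this hunk), and note that because the key lives under `PREFIX_CONNECTOR` it is a global switch for every repository reached through this transport, which is exactly the concern behind the suggestion to use a finer-grained `https.security` value.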

Review Comment:
   Should we use a string property `https.security` with some values `secured`, 
`insecured` for now? This would allow more openness for things like 
`no-host-verifier,no-certificate-check` ...



##########
maven-resolver-transport-http/src/main/java/org/eclipse/aether/transport/http/GlobalState.java:
##########
@@ -154,18 +157,30 @@ public static HttpClientConnectionManager 
newConnectionManager(SslConfig sslConf
         if (sslConfig == null) {
             registryBuilder.register("https", 
SSLConnectionSocketFactory.getSystemSocketFactory());
         } else {
-            SSLSocketFactory sslSocketFactory = (sslConfig.context != null)
-                    ? sslConfig.context.getSocketFactory()
-                    : (SSLSocketFactory) SSLSocketFactory.getDefault();
-
-            HostnameVerifier hostnameVerifier = (sslConfig.verifier != null)
-                    ? sslConfig.verifier
-                    : SSLConnectionSocketFactory.getDefaultHostnameVerifier();
-
-            registryBuilder.register(
-                    "https",
-                    new SSLConnectionSocketFactory(
-                            sslSocketFactory, sslConfig.protocols, 
sslConfig.cipherSuites, hostnameVerifier));
+            // config present: use provided, if any, or defaults (depending on 
insecure)
+            try {
+                SSLSocketFactory sslSocketFactory = (sslConfig.context != null)
+                        ? sslConfig.context.getSocketFactory()
+                        : sslConfig.insecure
+                                ? new SSLContextBuilder()
+                                        .loadTrustMaterial(null, (chain, auth) 
-> true)
+                                        .build()
+                                        .getSocketFactory()
+                                : (SSLSocketFactory) 
SSLSocketFactory.getDefault();
+
+                HostnameVerifier hostnameVerifier = (sslConfig.verifier != 
null)
+                        ? sslConfig.verifier
+                        : sslConfig.insecure
+                                ? NoopHostnameVerifier.INSTANCE
+                                : 
SSLConnectionSocketFactory.getDefaultHostnameVerifier();
+
+                registryBuilder.register(
+                        "https",
+                        new SSLConnectionSocketFactory(
+                                sslSocketFactory, sslConfig.protocols, 
sslConfig.cipherSuites, hostnameVerifier));
+            } catch (Exception e) {
+                throw new SSLInitializationException("Could not configure 
'insecure' SSL", e);
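Review bot: Enabling `sslConfig.insecure` leaves no trace in the build output as written; the block that installs the trust-everything `TrustStrategy` (`(chain, auth) -> true`) and `NoopHostnameVerifier.INSTANCE` should log a clearly worded warning so that an operator reading a build log can tell that certificate validation and hostname verification were switched off for that run. Two smaller points on the same lines: the precedence is worth a comment, since `sslConfig.insecure` is silently ignored whenever a caller supplies `sslConfig.context` or `sslConfig.verifier` (the explicit value wins on both ternaries), and `catch (Exception e)` is wider than needed, as only the `SSLContextBuilder` path throws checked exceptions; narrowing the catch to that path, or extracting the insecure factory creation into a helper, would also resolve the message mismatch raised in the review comment.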

Review Comment:
   The exception message looks incoherent with the code.  We're not configuring 
_insecure_ ssl specifically in the code block. So I think we should either 
restrict the `try`/`catch` block to _insecure ssl_ configuration, or change the 
message.

> The transport-http should be able to ignore cert errors
> -------------------------------------------------------
>
>                 Key: MRESOLVER-328
>                 URL: https://issues.apache.org/jira/browse/MRESOLVER-328
>             Project: Maven Resolver
>          Issue Type: Improvement
>          Components: Resolver
>            Reporter: Tamas Cservenak
>            Assignee: Tamas Cservenak
>            Priority: Major
>             Fix For: 1.9.6
>
>
> Like an "unsafe" or "insecure" SSL mode.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
