[GitHub] [maven-resolver] cstamas commented on a diff in pull request #255: [MRESOLVER-328] SSL insecure mode

[via GitHub]

cstamas commented on code in PR #255:
URL: https://github.com/apache/maven-resolver/pull/255#discussion_r1121403410


##########
maven-resolver-api/src/main/java/org/eclipse/aether/ConfigurationProperties.java:
##########
@@ -144,6 +144,22 @@ public final class ConfigurationProperties {
      */
     public static final int DEFAULT_HTTP_RETRY_HANDLER_COUNT = 3;
 
+    /**
+     * The flag that makes HTTPS transport ignore any kind of SSL errors 
(certificate validity checks,
+     * hostname verification).
+     *
+     * @see #DEFAULT_HTTPS_INSECURE
+     * @since 1.9.6
+     */
+    public static final String HTTPS_INSECURE = PREFIX_CONNECTOR + 
"https.insecure";

Review Comment:
   fixed



##########
maven-resolver-transport-http/src/main/java/org/eclipse/aether/transport/http/GlobalState.java:
##########
@@ -154,18 +157,30 @@ public static HttpClientConnectionManager 
newConnectionManager(SslConfig sslConf
         if (sslConfig == null) {
             registryBuilder.register("https", 
SSLConnectionSocketFactory.getSystemSocketFactory());
         } else {
-            SSLSocketFactory sslSocketFactory = (sslConfig.context != null)
-                    ? sslConfig.context.getSocketFactory()
-                    : (SSLSocketFactory) SSLSocketFactory.getDefault();
-
-            HostnameVerifier hostnameVerifier = (sslConfig.verifier != null)
-                    ? sslConfig.verifier
-                    : SSLConnectionSocketFactory.getDefaultHostnameVerifier();
-
-            registryBuilder.register(
-                    "https",
-                    new SSLConnectionSocketFactory(
-                            sslSocketFactory, sslConfig.protocols, 
sslConfig.cipherSuites, hostnameVerifier));
+            // config present: use provided, if any, or defaults (depending on 
insecure)
+            try {
+                SSLSocketFactory sslSocketFactory = (sslConfig.context != null)
+                        ? sslConfig.context.getSocketFactory()
+                        : sslConfig.insecure
+                                ? new SSLContextBuilder()
+                                        .loadTrustMaterial(null, (chain, auth) 
-> true)
+                                        .build()
+                                        .getSocketFactory()
+                                : (SSLSocketFactory) 
SSLSocketFactory.getDefault();
+
+                HostnameVerifier hostnameVerifier = (sslConfig.verifier != 
null)
+                        ? sslConfig.verifier
+                        : sslConfig.insecure
+                                ? NoopHostnameVerifier.INSTANCE
+                                : 
SSLConnectionSocketFactory.getDefaultHostnameVerifier();
+
+                registryBuilder.register(
+                        "https",
+                        new SSLConnectionSocketFactory(
+                                sslSocketFactory, sslConfig.protocols, 
sslConfig.cipherSuites, hostnameVerifier));
+            } catch (Exception e) {
+                throw new SSLInitializationException("Could not configure 
'insecure' SSL", e);

Review Comment:
   fixed



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@maven.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org