Support for self signed certificate (HTTPS) 18/2318/2
authorPer Salomonsson <per@psnet.nu>
Wed, 26 Jan 2011 00:16:24 +0000 (01:16 +0100)
committerMatthias Sohn <matthias.sohn@sap.com>
Wed, 26 Jan 2011 00:17:01 +0000 (01:17 +0100)
Add possibility to disable ssl verification, just as i can do with git
using: git config --global http.sslVerify false

To enable the feature, configure
Window->Preferences->Team->Git->Configuration
and add a new key/value: http.sslVerify=false

When handling repos over https, JGit will then check that flag to see
if security is loose and the ssl verification should be ignored.

Having it implemented as a key/value makes it not too obvious in the
GUI, so the user must know what he/she is doing when adding it and be
aware of the risks.

Bug: 332487
Change-Id: I2a1b8098b5890bf512b8dbe07da41036c0fc9b72
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
org.eclipse.jgit/src/org/eclipse/jgit/transport/TransportHttp.java

index 9eb1d2db5fd1b39e05b3b6887507fb80bb9e35bd..3ec88714f45e7f7b4e5d71728abd6771b867726f 100644 (file)
@@ -66,6 +66,10 @@ import java.net.MalformedURLException;
 import java.net.Proxy;
 import java.net.ProxySelector;
 import java.net.URL;
+import java.net.URLConnection;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.X509Certificate;
 import java.text.MessageFormat;
 import java.util.ArrayList;
 import java.util.Collection;
@@ -75,12 +79,18 @@ import java.util.TreeMap;
 import java.util.zip.GZIPInputStream;
 import java.util.zip.GZIPOutputStream;
 
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+
 import org.eclipse.jgit.JGitText;
 import org.eclipse.jgit.errors.NoRemoteRepositoryException;
 import org.eclipse.jgit.errors.NotSupportedException;
 import org.eclipse.jgit.errors.PackProtocolException;
 import org.eclipse.jgit.errors.TransportException;
 import org.eclipse.jgit.lib.Config;
+import org.eclipse.jgit.lib.Config.SectionParser;
 import org.eclipse.jgit.lib.Constants;
 import org.eclipse.jgit.lib.ObjectId;
 import org.eclipse.jgit.lib.ObjectIdRef;
@@ -88,7 +98,6 @@ import org.eclipse.jgit.lib.ProgressMonitor;
 import org.eclipse.jgit.lib.Ref;
 import org.eclipse.jgit.lib.Repository;
 import org.eclipse.jgit.lib.SymbolicRef;
-import org.eclipse.jgit.lib.Config.SectionParser;
 import org.eclipse.jgit.storage.file.RefDirectory;
 import org.eclipse.jgit.util.HttpSupport;
 import org.eclipse.jgit.util.IO;
@@ -148,8 +157,11 @@ public class TransportHttp extends HttpTransport implements WalkTransport,
        private static class HttpConfig {
                final int postBuffer;
 
+               final boolean sslVerify;
+
                HttpConfig(final Config rc) {
                        postBuffer = rc.getInt("http", "postbuffer", 1 * 1024 * 1024); //$NON-NLS-1$  //$NON-NLS-2$
+                       sslVerify = rc.getBoolean("http", "sslVerify", true);
                }
        }
 
@@ -401,6 +413,11 @@ public class TransportHttp extends HttpTransport implements WalkTransport,
        final HttpURLConnection httpOpen(String method, URL u) throws IOException {
                final Proxy proxy = HttpSupport.proxyFor(proxySelector, u);
                HttpURLConnection conn = (HttpURLConnection) u.openConnection(proxy);
+
+               if (!http.sslVerify && "https".equals(u.getProtocol())) {
+                       disableSslVerify(conn);
+               }
+
                conn.setRequestMethod(method);
                conn.setUseCaches(false);
                conn.setRequestProperty(HDR_ACCEPT_ENCODING, ENCODING_GZIP);
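Review bot: The guard `if (!http.sslVerify && "https".equals(u.getProtocol()))` carries no comment, and nothing in httpOpen tells a reader that this branch removes certificate validation for the connection it is about to configure; suggest `// http.sslVerify=false: accept any server certificate on this connection (see disableSslVerify)` above it. The body of httpOpen continues past the end of this hunk.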
@@ -412,6 +429,21 @@ public class TransportHttp extends HttpTransport implements WalkTransport,
                return conn;
        }
 
+       private void disableSslVerify(URLConnection conn)
+                       throws IOException {
+               final TrustManager[] trustAllCerts = new TrustManager[] { new DummyX509TrustManager() };
+               try {
+                       SSLContext ctx = SSLContext.getInstance("SSL");
+                       ctx.init(null, trustAllCerts, null);
+                       final HttpsURLConnection sslConn = (HttpsURLConnection) conn;
+                       sslConn.setSSLSocketFactory(ctx.getSocketFactory());
+               } catch (KeyManagementException e) {
+                       throw new IOException(e);
+               } catch (NoSuchAlgorithmException e) {
+                       throw new IOException(e);
+               }
+       }
+
        final InputStream openInputStream(HttpURLConnection conn)
                        throws IOException {
                InputStream input = conn.getInputStream();
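Review bot: disableSslVerify takes a `URLConnection` and performs an unchecked cast to `HttpsURLConnection` inside the try, relying on a protocol check that lives in a different method; narrowing the parameter to `private void disableSslVerify(HttpsURLConnection conn) throws IOException {` and calling it as `disableSslVerify((HttpsURLConnection) conn);` at the guarded call site makes the precondition visible where it is established. `SSLContext.getInstance("SSL")` should be `SSLContext.getInstance("TLS")`, the standard algorithm name for a context that negotiates current protocol versions. A fresh SSLContext is also built on every call, although the trust-all configuration never changes; it could be created once and reused. The method needs a Javadoc stating that it installs a socket factory on this one connection (not the JVM default) that accepts any server certificate chain, and that hostname verification is left unchanged by it.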
@@ -779,4 +811,18 @@ public class TransportHttp extends HttpTransport implements WalkTransport,
                        }
                }
        }
+
+       private static class DummyX509TrustManager implements X509TrustManager {
+               public X509Certificate[] getAcceptedIssuers() {
+                       return null;
+               }
+
+               public void checkClientTrusted(X509Certificate[] certs, String authType) {
+                       // no check
+               }
+
+               public void checkServerTrusted(X509Certificate[] certs, String authType) {
+                       // no check
+               }
+       }
 }
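Review bot: `getAcceptedIssuers()` returns `null`, but the X509TrustManager contract requires a non-null, possibly empty, array; callers that iterate or copy the result will fail with a NullPointerException rather than degrade gracefully. Change it to `return new X509Certificate[0];`. The class itself should carry a Javadoc that states plainly that it accepts every client and server chain without any check and is only installed when http.sslVerify is false, so nobody reuses it as a general-purpose trust manager.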