diff options
| author | Thomas Wolf <thomas.wolf@paranor.ch> | 2019-12-31 23:08:10 +0100 |
|---|---|---|
| committer | Matthias Sohn <matthias.sohn@sap.com> | 2020-01-03 20:48:25 +0100 |
| commit | d661b9f43a091a5b6b5d843f77e79856675435fb (patch) | |
| tree | 842e48924121a8239e8ef3994d58f48be4cedc92 /org.eclipse.jgit.http.apache/src/org | |
| parent | 9e6f09c7008171032ee0c0cccb34d7fa4b0ddeb6 (diff) | |
| download | jgit-d661b9f43a091a5b6b5d843f77e79856675435fb.tar.gz jgit-d661b9f43a091a5b6b5d843f77e79856675435fb.zip | |
TLS support on IBM JDKs
SSLContext.getInstance("TLS") by default behaves differently on IBM
JDK than on Oracle or OpenJDK.[1] On IBM JDK one gets sockets that
have only TLSv1 enabled, which makes HTTPS connections fail since most
servers refuse this old protocol version. On Oracle JDK/OpenJDK, one
gets sockets with all available protocol versions enabled.
Explicitly enable all available TLS protocol versions to make
HTTPS connections work also on IBM JDK.
[1] https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/matchsslcontext_tls.html#matchsslcontext_tls
Bug: 558709
Change-Id: I5ffc57a78e67a6239b9dad54840a49a8ed28930a
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
Diffstat (limited to 'org.eclipse.jgit.http.apache/src/org')
| -rw-r--r-- | org.eclipse.jgit.http.apache/src/org/eclipse/jgit/transport/http/apache/HttpClientConnection.java | 40 |
1 files changed, 36 insertions, 4 deletions
diff --git a/org.eclipse.jgit.http.apache/src/org/eclipse/jgit/transport/http/apache/HttpClientConnection.java b/org.eclipse.jgit.http.apache/src/org/eclipse/jgit/transport/http/apache/HttpClientConnection.java index 9d9e2f882d..61afaaef50 100644 --- a/org.eclipse.jgit.http.apache/src/org/eclipse/jgit/transport/http/apache/HttpClientConnection.java +++ b/org.eclipse.jgit.http.apache/src/org/eclipse/jgit/transport/http/apache/HttpClientConnection.java @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Christian Halstrick <christian.halstrick@sap.com> + * Copyright (C) 2013, 2020 Christian Halstrick <christian.halstrick@sap.com> * and other copyright owners as documented in the project's IP log. * * This program and the accompanying materials are made available @@ -69,6 +69,7 @@ import java.util.stream.Collectors; import javax.net.ssl.HostnameVerifier; import javax.net.ssl.KeyManager; import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSocket; import javax.net.ssl.TrustManager; import org.apache.http.Header; @@ -89,14 +90,18 @@ import org.apache.http.config.Registry; import org.apache.http.config.RegistryBuilder; import org.apache.http.conn.socket.ConnectionSocketFactory; import org.apache.http.conn.socket.PlainConnectionSocketFactory; +import org.apache.http.conn.ssl.DefaultHostnameVerifier; import org.apache.http.conn.ssl.SSLConnectionSocketFactory; +import org.apache.http.conn.util.PublicSuffixMatcherLoader; import org.apache.http.impl.client.HttpClientBuilder; import org.apache.http.impl.client.HttpClients; import org.apache.http.impl.client.SystemDefaultCredentialsProvider; import org.apache.http.impl.conn.BasicHttpClientConnectionManager; +import org.apache.http.ssl.SSLContexts; import org.eclipse.jgit.annotations.NonNull; import org.eclipse.jgit.transport.http.HttpConnection; import org.eclipse.jgit.transport.http.apache.internal.HttpApacheText; +import org.eclipse.jgit.util.HttpSupport; import org.eclipse.jgit.util.TemporaryBuffer; import org.eclipse.jgit.util.TemporaryBuffer.LocalFile; @@ -153,10 +158,11 @@ public class HttpClientConnection implements HttpConnection { configBuilder .setRedirectsEnabled(followRedirects.booleanValue()); } + SSLConnectionSocketFactory sslConnectionFactory = getSSLSocketFactory(); + clientBuilder.setSSLSocketFactory(sslConnectionFactory); if (hostnameverifier != null) { - SSLConnectionSocketFactory sslConnectionFactory = new SSLConnectionSocketFactory( - getSSLContext(), hostnameverifier); - clientBuilder.setSSLSocketFactory(sslConnectionFactory); + // Using a custom verifier: we don't want pooled connections + // with this. Registry<ConnectionSocketFactory> registry = RegistryBuilder .<ConnectionSocketFactory> create() .register("https", sslConnectionFactory) @@ -174,6 +180,32 @@ public class HttpClientConnection implements HttpConnection { return client; } + private SSLConnectionSocketFactory getSSLSocketFactory() { + HostnameVerifier verifier = hostnameverifier; + SSLContext context; + if (verifier == null) { + // Use defaults + context = SSLContexts.createDefault(); + verifier = new DefaultHostnameVerifier( + PublicSuffixMatcherLoader.getDefault()); + } else { + // Using a custom verifier. Attention: configure() must have been + // called already, otherwise one gets a "context not initialized" + // exception. In JGit this branch is reached only when hostname + // verification is switched off, and JGit _does_ call configure() + // before we get here. + context = getSSLContext(); + } + return new SSLConnectionSocketFactory(context, verifier) { + + @Override + protected void prepareSocket(SSLSocket socket) throws IOException { + super.prepareSocket(socket); + HttpSupport.configureTLS(socket); + } + }; + } + private SSLContext getSSLContext() { if (ctx == null) { try { |