From d661b9f43a091a5b6b5d843f77e79856675435fb Mon Sep 17 00:00:00 2001 From: Thomas Wolf Date: Tue, 31 Dec 2019 23:08:10 +0100 Subject: TLS support on IBM JDKs SSLContext.getInstance("TLS") by default behaves differently on IBM JDK than on Oracle or OpenJDK.[1] On IBM JDK one gets sockets that have only TLSv1 enabled, which makes HTTPS connections fail since most servers refuse this old protocol version. On Oracle JDK/OpenJDK, one gets sockets with all available protocol versions enabled. Explicitly enable all available TLS protocol versions to make HTTPS connections work also on IBM JDK. [1] https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/matchsslcontext_tls.html#matchsslcontext_tls Bug: 558709 Change-Id: I5ffc57a78e67a6239b9dad54840a49a8ed28930a Signed-off-by: Thomas Wolf Signed-off-by: Matthias Sohn --- .../http/apache/HttpClientConnection.java | 40 +++++++++++++++++++--- 1 file changed, 36 insertions(+), 4 deletions(-) (limited to 'org.eclipse.jgit.http.apache/src') diff --git a/org.eclipse.jgit.http.apache/src/org/eclipse/jgit/transport/http/apache/HttpClientConnection.java b/org.eclipse.jgit.http.apache/src/org/eclipse/jgit/transport/http/apache/HttpClientConnection.java index 9d9e2f882d..61afaaef50 100644 --- a/org.eclipse.jgit.http.apache/src/org/eclipse/jgit/transport/http/apache/HttpClientConnection.java +++ b/org.eclipse.jgit.http.apache/src/org/eclipse/jgit/transport/http/apache/HttpClientConnection.java @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Christian Halstrick + * Copyright (C) 2013, 2020 Christian Halstrick * and other copyright owners as documented in the project's IP log. * * This program and the accompanying materials are made available @@ -69,6 +69,7 @@ import java.util.stream.Collectors; import javax.net.ssl.HostnameVerifier; import javax.net.ssl.KeyManager; import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSocket; import javax.net.ssl.TrustManager; import org.apache.http.Header; @@ -89,14 +90,18 @@ import org.apache.http.config.Registry; import org.apache.http.config.RegistryBuilder; import org.apache.http.conn.socket.ConnectionSocketFactory; import org.apache.http.conn.socket.PlainConnectionSocketFactory; +import org.apache.http.conn.ssl.DefaultHostnameVerifier; import org.apache.http.conn.ssl.SSLConnectionSocketFactory; +import org.apache.http.conn.util.PublicSuffixMatcherLoader; import org.apache.http.impl.client.HttpClientBuilder; import org.apache.http.impl.client.HttpClients; import org.apache.http.impl.client.SystemDefaultCredentialsProvider; import org.apache.http.impl.conn.BasicHttpClientConnectionManager; +import org.apache.http.ssl.SSLContexts; import org.eclipse.jgit.annotations.NonNull; import org.eclipse.jgit.transport.http.HttpConnection; import org.eclipse.jgit.transport.http.apache.internal.HttpApacheText; +import org.eclipse.jgit.util.HttpSupport; import org.eclipse.jgit.util.TemporaryBuffer; import org.eclipse.jgit.util.TemporaryBuffer.LocalFile; @@ -153,10 +158,11 @@ public class HttpClientConnection implements HttpConnection { configBuilder .setRedirectsEnabled(followRedirects.booleanValue()); } + SSLConnectionSocketFactory sslConnectionFactory = getSSLSocketFactory(); + clientBuilder.setSSLSocketFactory(sslConnectionFactory); if (hostnameverifier != null) { - SSLConnectionSocketFactory sslConnectionFactory = new SSLConnectionSocketFactory( - getSSLContext(), hostnameverifier); - clientBuilder.setSSLSocketFactory(sslConnectionFactory); + // Using a custom verifier: we don't want pooled connections + // with this. Registry registry = RegistryBuilder . create() .register("https", sslConnectionFactory) @@ -174,6 +180,32 @@ public class HttpClientConnection implements HttpConnection { return client; } + private SSLConnectionSocketFactory getSSLSocketFactory() { + HostnameVerifier verifier = hostnameverifier; + SSLContext context; + if (verifier == null) { + // Use defaults + context = SSLContexts.createDefault(); + verifier = new DefaultHostnameVerifier( + PublicSuffixMatcherLoader.getDefault()); + } else { + // Using a custom verifier. Attention: configure() must have been + // called already, otherwise one gets a "context not initialized" + // exception. In JGit this branch is reached only when hostname + // verification is switched off, and JGit _does_ call configure() + // before we get here. + context = getSSLContext(); + } + return new SSLConnectionSocketFactory(context, verifier) { + + @Override + protected void prepareSocket(SSLSocket socket) throws IOException { + super.prepareSocket(socket); + HttpSupport.configureTLS(socket); + } + }; + } + private SSLContext getSSLContext() { if (ctx == null) { try { -- cgit v1.2.3