author | Sébastien Lesaint <sebastien.lesaint@sonarsource.com> | 2016-04-04 15:49:25 +0200 |
---|---|---|
committer | Sébastien Lesaint <sebastien.lesaint@sonarsource.com> | 2016-04-05 14:17:09 +0200 |
commit | 5bf3e8320b4a341c2b47406dd1ca4772aa046b72 (patch) | |
tree | e56c111505671034a94dd9649183a6ecfc5fc35c /sonar-ws | |
parent | f7323ffa2b8c6da0a9d060ac2e657a04128f121a (diff) | |
SONAR-7498 OkHttpClient doesn't use ssl socket factory by default
since we didn't set it for Java 8, SSL connections opened with OkHttpClient under Java 8 didn't have any of the SSL parameters
Diffstat (limited to 'sonar-ws')
-rw-r--r-- | sonar-ws/src/main/java/org/sonarqube/ws/client/HttpConnector.java | 20 | ||||
-rw-r--r-- | sonar-ws/src/test/java/org/sonarqube/ws/client/HttpConnectorTest.java | 4 |
2 files changed, 17 insertions, 7 deletions
diff --git a/sonar-ws/src/main/java/org/sonarqube/ws/client/HttpConnector.java b/sonar-ws/src/main/java/org/sonarqube/ws/client/HttpConnector.java
index d8cf31b5c5c..4c0917f751c 100644
--- a/sonar-ws/src/main/java/org/sonarqube/ws/client/HttpConnector.java
+++ b/sonar-ws/src/main/java/org/sonarqube/ws/client/HttpConnector.java
@@ -97,6 +97,19 @@ public class HttpConnector implements WsConnector {
 .supportsTlsExtensions(true)
 .build();
 this.okHttpClient.setConnectionSpecs(asList(tls, ConnectionSpec.CLEARTEXT));
+ this.okHttpClient.setSslSocketFactory(createSslSocketFactory(javaVersion));
+ }
+
+ private static SSLSocketFactory createSslSocketFactory(JavaVersion javaVersion) {
+ try {
+ SSLSocketFactory sslSocketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
+ return enableTls12InJava7(sslSocketFactory, javaVersion);
+ } catch (Exception e) {
+ throw new IllegalStateException("Fail to init TLS context", e);
+ }
+ }
+
+ private static SSLSocketFactory enableTls12InJava7(SSLSocketFactory sslSocketFactory, JavaVersion javaVersion) {
 if (javaVersion.isJava7()) {
 // OkHttp executes SSLContext.getInstance("TLS") by default (see
 // https://github.com/square/okhttp/blob/c358656/okhttp/src/main/java/com/squareup/okhttp/OkHttpClient.java#L616)
@@ -104,12 +117,9 @@ public class HttpConnector implements WsConnector {
 // in order to support all versions from 1.0 to 1.2.
 // Note that this is not overridden for Java 8 as TLS 1.2 is enabled by default.
 // Keeping getInstance("TLS") allows to support potential future versions of TLS on Java 8.
- try {
- this.okHttpClient.setSslSocketFactory(new Tls12Java7SocketFactory((SSLSocketFactory) SSLSocketFactory.getDefault()));
- } catch (Exception e) {
- throw new IllegalStateException("Fail to init TLS context", e);
- }
+ return new Tls12Java7SocketFactory(sslSocketFactory);
 }
+ return sslSocketFactory;
 }
 @Override
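Review bot: The `catch (Exception e)` in the new `createSslSocketFactory` probably never fires for the failure its message names. `SSLSocketFactory.getDefault()` declares no checked exception and, as far as I know, the JDK hands back a fallback factory whose `createSocket` calls fail when the default context cannot be built, so a broken trust store would show up at connect time rather than as "Fail to init TLS context". Either drop the catch or narrow it to whatever the `Tls12Java7SocketFactory` constructor can actually throw. The method also deserves a one-line Javadoc, for example `/** Returns the JVM default SSLSocketFactory, wrapped on Java 7 so that TLS 1.2 is enabled. */`, so readers know that trust and key material now come from the JVM default SSL context on every Java version. `ConnectionSpec.CLEARTEXT` remains in the accepted specs on the context line above, so this factory only takes effect for https URLs.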
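Review bot: The comment kept inside `enableTls12InJava7` is stale after this change. It still says the factory "is not overridden for Java 8" and that keeping `getInstance("TLS")` preserves future TLS versions, while the added `return sslSocketFactory;` means the client now always receives an explicit factory taken from `SSLSocketFactory.getDefault()`. Reword those two lines, for example `// On Java 8 the JVM default factory is returned unchanged, as TLS 1.2 is already enabled there.` The method begins in the previous hunk and one comment line between the two hunks is not shown, so check that the full comment still reads coherently.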
diff --git a/sonar-ws/src/test/java/org/sonarqube/ws/client/HttpConnectorTest.java b/sonar-ws/src/test/java/org/sonarqube/ws/client/HttpConnectorTest.java
index ed8b8d001e6..a18407bd28b 100644
--- a/sonar-ws/src/test/java/org/sonarqube/ws/client/HttpConnectorTest.java
+++ b/sonar-ws/src/test/java/org/sonarqube/ws/client/HttpConnectorTest.java
@@ -25,6 +25,7 @@ import com.squareup.okhttp.mockwebserver.MockWebServer;
 import com.squareup.okhttp.mockwebserver.RecordedRequest;
 import java.io.File;
 import java.util.List;
+import javax.net.ssl.SSLSocketFactory;
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang.StringUtils;
@@ -281,8 +282,7 @@ public class HttpConnectorTest {
 HttpConnector underTest = new HttpConnector.Builder().url(serverUrl).build(javaVersion);
 assertTlsAndClearTextSpecifications(underTest);
- // do not override the default TLS context provided by java 8
- assertThat(underTest.okHttpClient().getSslSocketFactory()).isNull();
+ assertThat(underTest.okHttpClient().getSslSocketFactory()).isInstanceOf(SSLSocketFactory.getDefault().getClass());
 }
 private void assertTlsAndClearTextSpecifications(HttpConnector underTest) { |
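Review bot: The rewritten assertion in the Java 8 test drops the explanatory comment without replacing it, so nothing says why a non-null factory is now the expected result. Add a line above it such as `// the JVM default factory is set explicitly so the JVM's SSL parameters apply (SONAR-7498)`. The check compares classes only, so as far as I can tell it would also pass if both calls returned the JDK's failure fallback factory. That is probably acceptable for a unit test, but it means the test does not prove a usable TLS context. The test method starts above the hunk.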