Skip to main content
aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorThomas Wolf2019-12-31 22:08:10 +0000
committerMatthias Sohn2020-01-03 19:48:25 +0000
commitd661b9f43a091a5b6b5d843f77e79856675435fb (patch)
tree842e48924121a8239e8ef3994d58f48be4cedc92 /org.eclipse.jgit.http.apache/src/org/eclipse/jgit
parent9e6f09c7008171032ee0c0cccb34d7fa4b0ddeb6 (diff)
downloadjgit-d661b9f43a091a5b6b5d843f77e79856675435fb.tar.gz
jgit-d661b9f43a091a5b6b5d843f77e79856675435fb.tar.xz
jgit-d661b9f43a091a5b6b5d843f77e79856675435fb.zip
TLS support on IBM JDKs
SSLContext.getInstance("TLS") by default behaves differently on IBM JDK than on Oracle or OpenJDK.[1] On IBM JDK one gets sockets that have only TLSv1 enabled, which makes HTTPS connections fail since most servers refuse this old protocol version. On Oracle JDK/OpenJDK, one gets sockets with all available protocol versions enabled. Explicitly enable all available TLS protocol versions to make HTTPS connections work also on IBM JDK. [1] https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/matchsslcontext_tls.html#matchsslcontext_tls Bug: 558709 Change-Id: I5ffc57a78e67a6239b9dad54840a49a8ed28930a Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch> Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
Diffstat (limited to 'org.eclipse.jgit.http.apache/src/org/eclipse/jgit')
-rw-r--r--org.eclipse.jgit.http.apache/src/org/eclipse/jgit/transport/http/apache/HttpClientConnection.java40
1 files changed, 36 insertions, 4 deletions
diff --git a/org.eclipse.jgit.http.apache/src/org/eclipse/jgit/transport/http/apache/HttpClientConnection.java b/org.eclipse.jgit.http.apache/src/org/eclipse/jgit/transport/http/apache/HttpClientConnection.java
index 9d9e2f882d..61afaaef50 100644
--- a/org.eclipse.jgit.http.apache/src/org/eclipse/jgit/transport/http/apache/HttpClientConnection.java
+++ b/org.eclipse.jgit.http.apache/src/org/eclipse/jgit/transport/http/apache/HttpClientConnection.java
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013 Christian Halstrick <christian.halstrick@sap.com>
+ * Copyright (C) 2013, 2020 Christian Halstrick <christian.halstrick@sap.com>
* and other copyright owners as documented in the project's IP log.
*
* This program and the accompanying materials are made available
@@ -69,6 +69,7 @@ import java.util.stream.Collectors;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import org.apache.http.Header;
@@ -89,14 +90,18 @@ import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
+import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.conn.util.PublicSuffixMatcherLoader;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.client.SystemDefaultCredentialsProvider;
import org.apache.http.impl.conn.BasicHttpClientConnectionManager;
+import org.apache.http.ssl.SSLContexts;
import org.eclipse.jgit.annotations.NonNull;
import org.eclipse.jgit.transport.http.HttpConnection;
import org.eclipse.jgit.transport.http.apache.internal.HttpApacheText;
+import org.eclipse.jgit.util.HttpSupport;
import org.eclipse.jgit.util.TemporaryBuffer;
import org.eclipse.jgit.util.TemporaryBuffer.LocalFile;
@@ -153,10 +158,11 @@ public class HttpClientConnection implements HttpConnection {
configBuilder
.setRedirectsEnabled(followRedirects.booleanValue());
}
+ SSLConnectionSocketFactory sslConnectionFactory = getSSLSocketFactory();
+ clientBuilder.setSSLSocketFactory(sslConnectionFactory);
if (hostnameverifier != null) {
- SSLConnectionSocketFactory sslConnectionFactory = new SSLConnectionSocketFactory(
- getSSLContext(), hostnameverifier);
- clientBuilder.setSSLSocketFactory(sslConnectionFactory);
+ // Using a custom verifier: we don't want pooled connections
+ // with this.
Registry<ConnectionSocketFactory> registry = RegistryBuilder
.<ConnectionSocketFactory> create()
.register("https", sslConnectionFactory)
@@ -174,6 +180,32 @@ public class HttpClientConnection implements HttpConnection {
return client;
}
+ private SSLConnectionSocketFactory getSSLSocketFactory() {
+ HostnameVerifier verifier = hostnameverifier;
+ SSLContext context;
+ if (verifier == null) {
+ // Use defaults
+ context = SSLContexts.createDefault();
+ verifier = new DefaultHostnameVerifier(
+ PublicSuffixMatcherLoader.getDefault());
+ } else {
+ // Using a custom verifier. Attention: configure() must have been
+ // called already, otherwise one gets a "context not initialized"
+ // exception. In JGit this branch is reached only when hostname
+ // verification is switched off, and JGit _does_ call configure()
+ // before we get here.
+ context = getSSLContext();
+ }
+ return new SSLConnectionSocketFactory(context, verifier) {
+
+ @Override
+ protected void prepareSocket(SSLSocket socket) throws IOException {
+ super.prepareSocket(socket);
+ HttpSupport.configureTLS(socket);
+ }
+ };
+ }
+
private SSLContext getSSLContext() {
if (ctx == null) {
try {

Back to the top