[Bug 3236] New: Allow for insecure https connections via some config value
bugzilla-daemon at icedtea.classpath.org
Mon Nov 21 16:45:22 UTC 2016
http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3236
Bug ID: 3236
Summary: Allow for insecure https connections via some config value
Product: Thermostat
Version: hg
Hardware: x86_64
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Thermostat
Assignee: unassigned at icedtea.classpath.org
Reporter: sgehwolf at redhat.com
CC: thermostat at icedtea.classpath.org
When thermostat tries to connect to a https:// connection it tries to verify
the issuer of the peer certificate. If that fails with the default trust store
the connect attempt fails. The stack trace looks similar to this:
sun.security.validator.ValidatorException: No trusted certificate found
    at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:394)
    at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:133)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:105)
    at com.redhat.thermostat.common.internal.CustomX509TrustManager.checkServerTrusted(CustomX509TrustManager.java:179)
    at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:922)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:275)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:254)
    at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:123)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:318)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:363)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:219)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:86)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
    at com.redhat.thermostat.web.client.internal.WebStorage.postImpl(WebStorage.java:501)
    at com.redhat.thermostat.web.client.internal.WebStorage.post(WebStorage.java:471)
    at com.redhat.thermostat.web.client.internal.WebStorage.ping(WebStorage.java:445)
    at com.redhat.thermostat.web.client.internal.WebStorage.access$000(WebStorage.java:128)
    at com.redhat.thermostat.web.client.internal.WebStorage$WebConnection.connect(WebStorage.java:226)
    at com.redhat.thermostat.storage.internal.DbServiceImpl.doSynchronousConnect(DbServiceImpl.java:131)
    at com.redhat.thermostat.storage.internal.DbServiceImpl.connect(DbServiceImpl.java:106)
    at com.redhat.thermostat.client.cli.internal.ConnectCommand.run(ConnectCommand.java:108)
    at com.redhat.thermostat.launcher.internal.LauncherImpl.parseArgsAndRunCommand(LauncherImpl.java:353)
    at com.redhat.thermostat.launcher.internal.LauncherImpl.runCommand(LauncherImpl.java:299)
    at com.redhat.thermostat.launcher.internal.LauncherImpl.runCommandFromArguments(LauncherImpl.java:288)
    at com.redhat.thermostat.launcher.internal.LauncherImpl.run(LauncherImpl.java:170)
    at com.redhat.thermostat.launcher.internal.LauncherImpl.run(LauncherImpl.java:149)
    at com.redhat.thermostat.launcher.internal.ShellCommand.launchCommand(ShellCommand.java:211)
    at com.redhat.thermostat.launcher.internal.ShellCommand.handleConsoleInput(ShellCommand.java:187)
    at com.redhat.thermostat.launcher.internal.ShellCommand.shellMainLoop(ShellCommand.java:169)
    at com.redhat.thermostat.launcher.internal.ShellCommand.run(ShellCommand.java:138)
    at com.redhat.thermostat.launcher.internal.LauncherImpl.parseArgsAndRunCommand(LauncherImpl.java:353)
    at com.redhat.thermostat.launcher.internal.LauncherImpl.runCommand(LauncherImpl.java:299)
    at com.redhat.thermostat.launcher.internal.LauncherImpl.runCommandFromArguments(LauncherImpl.java:288)
    at com.redhat.thermostat.launcher.internal.LauncherImpl.run(LauncherImpl.java:170)
    at com.redhat.thermostat.launcher.internal.LauncherImpl.run(LauncherImpl.java:149)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.redhat.thermostat.main.impl.FrameworkProvider.callVoidReflectedMethod(FrameworkProvider.java:272)
    at com.redhat.thermostat.main.impl.FrameworkProvider.runLauncher(FrameworkProvider.java:245)
    at com.redhat.thermostat.main.impl.FrameworkProvider.start(FrameworkProvider.java:93)
    at com.redhat.thermostat.main.Thermostat.start(Thermostat.java:65)
    at com.redhat.thermostat.main.Thermostat.main(Thermostat.java:58)
If the user knows that the https peer is using a self-signed cert, it might be
a legitimate use case to try the connection anyway (similar to curl's
--insecure) for testing purposes.
We could for example achieve this by some property in ssl.properties or via
some global flag --insecure. I tend to favour the former as it would allow a
user to use it in more than one command.
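The report above asks for an ssl.properties switch that skips peer verification. The following is an added example, not Thermostat code and not from the reporter: it shows the narrower configuration that covers the stated use case (a known self-signed cert on a test server) without disabling validation at all. A hypothetical ssl.properties key, EXTRA_TRUSTED_CERTS, lists PEM files whose certificates become additional trust anchors; the JDK default trust store is still consulted first, the full chain validation in X509TrustManagerImpl still runs, and hostname verification is untouched. The class name and the property key are assumptions; everything else is standard JDK API.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Example only: SSLContext that trusts the JDK default CAs plus explicitly listed certificates. */
public final class ExtraTrustSslContext {

    /** Hypothetical ssl.properties key: comma-separated list of PEM/DER files to trust. */
    static final String EXTRA_CERTS_KEY = "EXTRA_TRUSTED_CERTS";

    private ExtraTrustSslContext() {}

    /** Reads ssl.properties; a missing file simply means "JDK defaults only". */
    public static Properties loadProperties(Path propertiesFile) throws IOException {
        Properties props = new Properties();
        if (Files.exists(propertiesFile)) {
            try (InputStream in = Files.newInputStream(propertiesFile)) {
                props.load(in);
            }
        }
        return props;
    }

    /** In-memory trust store holding only the certificates named in the property. */
    public static KeyStore buildExtraTrustStore(Properties props)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // start empty
        String list = props.getProperty(EXTRA_CERTS_KEY, "").trim();
        if (list.isEmpty()) {
            return ks;
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int n = 0;
        for (String entry : list.split(",")) {
            try (InputStream in = Files.newInputStream(Paths.get(entry.trim()))) {
                for (Certificate cert : cf.generateCertificates(in)) {
                    ks.setCertificateEntry("extra-" + (n++), cert);
                }
            }
        }
        return ks;
    }

    /** Default-algorithm X509TrustManager over the given store; a null store means the JDK defaults. */
    static X509TrustManager trustManagerFor(KeyStore ks) throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager available");
    }

    /** Accepts a server chain if the JDK defaults accept it, or failing that, the extra anchors do. */
    public static X509TrustManager combinedTrustManager(Properties props)
            throws IOException, GeneralSecurityException {
        final X509TrustManager defaults = trustManagerFor(null);
        KeyStore extraStore = buildExtraTrustStore(props);
        // An empty store would make every check fail, so only build a manager when it has entries.
        final X509TrustManager extras = extraStore.size() == 0 ? null : trustManagerFor(extraStore);
        return new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                defaults.checkClientTrusted(chain, authType);
            }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                try {
                    defaults.checkServerTrusted(chain, authType);
                } catch (CertificateException notInDefaults) {
                    if (extras == null) {
                        throw notInDefaults;
                    }
                    extras.checkServerTrusted(chain, authType); // full PKIX validation, pinned anchor
                }
            }
            @Override public X509Certificate[] getAcceptedIssuers() {
                List<X509Certificate> all = new ArrayList<>();
                for (X509Certificate c : defaults.getAcceptedIssuers()) all.add(c);
                if (extras != null) for (X509Certificate c : extras.getAcceptedIssuers()) all.add(c);
                return all.toArray(new X509Certificate[0]);
            }
        };
    }

    /** SSLContext suitable for HttpClient's SSLConnectionSocketFactory or HttpsURLConnection. */
    public static SSLContext build(Properties props) throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { combinedTrustManager(props) }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        Path propsFile = Paths.get(args.length > 0 ? args[0] : "ssl.properties");
        SSLContext ctx = build(loadProperties(propsFile));
        System.out.println("Built " + ctx.getProtocol() + " context from " + propsFile);
    }
}
```

With `EXTRA_TRUSTED_CERTS=/path/to/test-server.pem` in ssl.properties, a handshake against that one self-signed server succeeds because the leaf certificate itself is a trust anchor in the extra store, while any other untrusted peer still fails exactly as in the stack trace above. Unlike a curl-style --insecure switch, the setting cannot silently widen to every host, and the decision is visible in the config file rather than a command-line flag.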