eclipse-ee4j / jersey

Eclipse Jersey Project - Read our Wiki:
https://github.com/eclipse-ee4j/jersey/wiki

Custom javax.net.ssl.TrustManager is overwritten in org.glassfish.jersey.client.internal.HttpUrlConnector#secureConnection #3542

Open jerseyrobot opened 7 years ago

jerseyrobot commented 7 years ago

Environment: jersey-client-2.25.1

In development one might wish to use self-signed certificates, and to ease development one can do something like this:

```java
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[] {
    new X509TrustManager() {
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0]; // empty array rather than null: null can NPE in some JSSE paths
        }
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // intentionally empty: every server certificate is accepted
        }
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // intentionally empty: every client certificate is accepted
        }
    }
};

// Install the all-trusting trust manager as the JVM-wide default factory for HttpsURLConnection
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
```

This does not work because in `org.glassfish.jersey.client.internal.HttpUrlConnector#secureConnection` the check `if (HttpsURLConnection.getDefaultSSLSocketFactory() == suc.getSSLSocketFactory())` is true and `suc.setSSLSocketFactory(sslSocketFactory.get());` overwrites the custom trust manager.

There are use cases in which the Jersey client is wrapped in custom libraries and is not exposed as a public API. In such cases the "clean" solution cannot be used by the client of the custom library: `Client client = ClientBuilder.newBuilder().sslContext(ctx).hostnameVerifier(new AllowAllHostsHostNameVerifier()).build()`
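An added example, not code from the issue or from Jersey, showing the `ClientBuilder.sslContext(...)` route the report calls the clean solution, but with a trust manager that trusts only the development server's own self-signed certificate instead of every certificate. It assumes a PKCS12 truststore at the hypothetical path `dev-truststore.p12` (password `changeit`) that contains that certificate, and a development server at `https://localhost:8443/`; the class and helper names `DevTlsClient`, `pinnedContext` and `devClient` are mine.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.core.Response;

public class DevTlsClient {

    // Builds an SSLContext whose only trust anchor is the dev server's
    // self-signed certificate, loaded from a PKCS12 truststore (assumed path).
    // Unlike an all-trusting X509TrustManager this still rejects any other
    // certificate, so an interposed host with a different cert fails the handshake.
    static SSLContext pinnedContext(String trustStorePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Hands the context to Jersey through the JAX-RS API rather than through
    // HttpsURLConnection.setDefaultSSLSocketFactory(). As the report above
    // explains, the connector replaces the socket factory only when the
    // connection still carries the JVM default one, so a context passed to
    // ClientBuilder is the one actually used.
    static Client devClient(SSLContext ctx) {
        // Accept only the host the dev certificate was issued for; an
        // allow-all verifier would defeat the pinning done above.
        HostnameVerifier localhostOnly = (host, session) -> "localhost".equals(host);
        return ClientBuilder.newBuilder()
                .sslContext(ctx)
                .hostnameVerifier(localhostOnly)
                .build();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = pinnedContext("dev-truststore.p12", "changeit".toCharArray());
        Client client = devClient(ctx);
        try {
            Response r = client.target("https://localhost:8443/").request().get();
            System.out.println("HTTP " + r.getStatus());
        } finally {
            client.close();
        }
    }
}
```

The truststore can be produced from the server's certificate with `keytool -importcert -file dev.crt -alias dev -storetype PKCS12 -keystore dev-truststore.p12`. If the self-signed certificate already carries `localhost` as a subject alternative name, the `hostnameVerifier(...)` call can be dropped and the JDK default verification left in place.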

jerseyrobot commented 7 years ago

@gauravsak commented: @Tiberiu-urss Hi, if you know what the solution is, could you please submit a pull request? Thanks

jerseyrobot commented 7 years ago

@pavelbucek commented: @Tiberiu-urss isn't the described problem more like a bug in a library which wraps / doesn't expose the JAX-RS/Jersey API?