Skip to content

#2137: fix fix-vpn-tls-problem not detecting TLS certificate issues behind HTTP redirects#2138

Open
maybeec wants to merge 2 commits into
devonfw:mainfrom
maybeec:bugfix/2137-tls-redirect-detection
Open

#2137: fix fix-vpn-tls-problem not detecting TLS certificate issues behind HTTP redirects#2138
maybeec wants to merge 2 commits into
devonfw:mainfrom
maybeec:bugfix/2137-tls-redirect-detection

Conversation

@maybeec

@maybeec maybeec commented Jul 9, 2026

Copy link
Copy Markdown
Member

This PR fixes #2137

ide fix-vpn-tls-problem <url> reported success and did nothing when the given URL redirects (HTTP 30x) to another host whose certificate is the one actually being rejected (e.g. https://aka.ms/vs/17/release/vs_BuildTools.exe used by the msvc/rust installers). The commandlet probed reachability with a hand-rolled raw SSLSocket handshake against the requested host, so the publicly-trusted redirector (aka.ms) passed while the intercepted certificate on the redirect target was never seen. This did not reuse the central redirect-following HttpClient that the actual download uses.

Implemented changes:

  • Added HttpClientFactory (com.devonfw.tools.ide.io) as the single place that builds the redirect-following (Redirect.ALWAYS) HttpClient, and reused it in HttpDownloader, IdeaPluginDownloader and AbstractUrlUpdater (removing the duplicated builders).
  • Reworked TruststoreUtil to probe reachability via isUrlReachable(url, truststore) using that client (following redirects, honoring an optional custom truststore) instead of a raw SSLSocket, and added resolveEffectiveEndpoint(url) which follows redirects to determine the host that actually serves the content.
  • TruststoreCommandlet now probes the URL and captures the certificate from the effective (post-redirect) endpoint. Removed the now-dead raw-socket helpers (isReachable, verifyConnectionWithTruststore).
  • Actionable error on TLS download failuresNetworkStatusImpl now detects the (usually wrapped) SSLHandshakeException across the whole cause chain and logs a clear hint naming the failing URL, warning to verify the endpoint, and giving the ready-to-run ide fix-vpn-tls-problem <url> command. Previously that hint only fired for a raw IOException, so it was bypassed for the IllegalStateException the downloader throws — the user just saw an "unexpected error" and a stack trace (exactly the reported symptom).

Testing instructions

  1. Run mvn clean test — the new tests pass:
    • HttpClientFactoryTest — the central client always follows redirects.
    • TruststoreUtilTest#testResolveEffectiveEndpointFollowsRedirectToFinalHost — a request to server A is resolved to the redirected server B's port (two WireMock HTTPS servers on distinct ports).
    • TruststoreUtilTest#testIsUrlReachableFalseForUntrustedCertificateAndTrueWithCapturedCertificate — an untrusted self-signed endpoint is unreachable by default and reachable once its captured certificate is in the custom truststore.
    • TruststoreCommandletTest#testRunCapturesUntrustedCertificateFollowingRedirectAndConfiguresTruststore — the commandlet follows a redirect over HTTPS, captures the certificate, writes the truststore and configures IDE_OPTIONS.
    • NetworkStatusImplTest — a TLS trust error wrapped in a RuntimeException is still detected and reported with the failing URL and the ide fix-vpn-tls-problem <url> hint.
  2. Tests use a generated CN=localhost (SAN localhost/127.0.0.1) keystore (cli/src/test/resources/truststore/localhost.p12) so the JDK HttpClient hostname verification passes against WireMock.

Checklist for this PR

  • When running mvn clean test locally all tests pass and build is successful
  • PR title is of the form #«issue-id»: «brief summary» (e.g. #921: fixed setup.bat). If no issue ID exists, title only.
  • PR top-level comment summarizes what has been done and contains link to addressed issue(s)
  • PR and issue(s) have suitable labels
  • Issue is set to In Progress and assigned to you or there is no issue (might happen for very small PRs) — issue is assigned; board status "In Progress" still to be set manually
  • You followed all coding conventions
  • You have added the issue implemented by your PR in CHANGELOG.adoc unless issue is labeled with internal
  • You have formulated clear instructions on how to test your contribution under "Testing instructions"

Checklist for tool commandlets

Not applicable — this PR does not introduce a new tool commandlet; it fixes the existing fix-vpn-tls-problem commandlet.

@maybeec maybeec added commandlet ide sub-command bugfix PR that fixes a bug issue download download of tools, plugins, code from git, any HTTP traffic over the network proxy HTTP proxy support labels Jul 9, 2026
@github-project-automation github-project-automation Bot moved this to 🆕 New in IDEasy board Jul 9, 2026
@maybeec maybeec moved this from 🆕 New to Team Review in IDEasy board Jul 9, 2026
@maybeec maybeec force-pushed the bugfix/2137-tls-redirect-detection branch from e9071fe to 872d900 Compare July 9, 2026 08:20
@coveralls

coveralls commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

Coverage Report for CI Build 29010809949

Coverage increased (+0.3%) to 72.484%

Details

  • Coverage increased (+0.3%) from the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • 45 coverage regressions across 5 files.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

45 previously-covered lines in 5 files lost coverage.

File Lines Losing Coverage Coverage
com/devonfw/tools/ide/util/TruststoreUtil.java 27 75.71%
com/devonfw/tools/ide/commandlet/TruststoreCommandlet.java 8 72.88%
com/devonfw/tools/ide/io/HttpDownloader.java 5 62.79%
com/devonfw/tools/ide/network/NetworkStatusImpl.java 4 73.08%
com/devonfw/tools/ide/version/VersionSegment.java 1 91.86%

Coverage Stats

Coverage Status
Relevant Lines: 16727
Covered Lines: 12641
Line Coverage: 75.57%
Relevant Branches: 7470
Covered Branches: 4898
Branch Coverage: 65.57%
Branches in Coverage %: Yes
Coverage Strength: 3.2 hits per line

💛 - Coveralls

@maybeec maybeec force-pushed the bugfix/2137-tls-redirect-detection branch 3 times, most recently from f88c7dc to 38a7a26 Compare July 9, 2026 09:47
…ehind HTTP redirects

Reuse the central redirect-following HttpClient (new HttpClientFactory) for the
truststore reachability check and capture the certificate from the effective
endpoint after following redirects (e.g. https://aka.ms/...), instead of a raw
SSLSocket handshake against the requested host.
@maybeec maybeec force-pushed the bugfix/2137-tls-redirect-detection branch from 38a7a26 to 4022123 Compare July 9, 2026 10:04
@maybeec maybeec requested a review from hohwille July 9, 2026 10:11
@maybeec maybeec added this to the release:2026.07.002 milestone Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bugfix PR that fixes a bug issue commandlet ide sub-command download download of tools, plugins, code from git, any HTTP traffic over the network proxy HTTP proxy support

Projects

Status: Team Review

Development

Successfully merging this pull request may close these issues.

fix-vpn-tls-problem does not detect TLS certificate issues behind HTTP redirects

2 participants