
Commit 4225bf9

committed
Re-Enable Hostname Verification
This patch is a minimal change to re-enable HTTPS hostname verification in Opencast's HTTP client, which is used for a large portion of its HTTP requests. Hostname verification is an important part of HTTPS: it ensures that the presented certificate is actually valid for the host being contacted. Disabling it can allow man-in-the-middle attacks.
1 parent 4b90543 commit 4225bf9


1 file changed

+1
-136
lines changed


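--- a/modules/kernel/src/main/java/org/opencastproject/kernel/http/impl/HttpClientImpl.java
+++ b/modules/kernel/src/main/java/org/opencastproject/kernel/http/impl/HttpClientImpl.java
@@ -27,28 +27,12 @@
 import org.apache.http.client.CredentialsProvider;
 import org.apache.http.client.methods.HttpUriRequest;
 import org.apache.http.conn.ClientConnectionManager;
-import org.apache.http.conn.scheme.Scheme;
-import org.apache.http.conn.scheme.SchemeRegistry;
-import org.apache.http.conn.ssl.SSLSocketFactory;
-import org.apache.http.conn.ssl.X509HostnameVerifier;
 import org.apache.http.impl.client.DefaultHttpClient;
 import org.apache.http.params.HttpParams;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.io.IOException;
-import java.security.KeyManagementException;
-import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLException;
-import javax.net.ssl.SSLSession;
-import javax.net.ssl.SSLSocket;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.X509TrustManager;
 
 /** Implementation of HttpClient that makes http requests. */
 public class HttpClientImpl implements HttpClient {
@@ -57,7 +41,7 @@ public class HttpClientImpl implements HttpClient {
 private static final Logger logger = LoggerFactory.getLogger(HttpClientImpl.class);
 
 /** client used for all http requests. */
-private DefaultHttpClient defaultHttpClient = makeHttpClient();
+private DefaultHttpClient defaultHttpClient = new DefaultHttpClient();
 
 /** See org.opencastproject.kernel.http.api.HttpClient */
 @Override
@@ -83,123 +67,4 @@ public ClientConnectionManager getConnectionManager() {
 return defaultHttpClient.getConnectionManager();
 }
 
-/**
-* Creates a new client that can deal with all kinds of oddities with regards to http/https connections.
-*
-* @return the client
-*/
-private DefaultHttpClient makeHttpClient() {
-
-DefaultHttpClient defaultHttpClient = new DefaultHttpClient();
-try {
-logger.debug("Installing forgiving hostname verifier and trust managers");
-X509TrustManager trustManager = createTrustManager();
-X509HostnameVerifier hostNameVerifier = createHostNameVerifier();
-SSLContext sslContext = SSLContext.getInstance("TLS");
-sslContext.init(null, new TrustManager[] { trustManager }, new SecureRandom());
-SSLSocketFactory ssf = new SSLSocketFactory(sslContext, hostNameVerifier);
-ClientConnectionManager ccm = defaultHttpClient.getConnectionManager();
-SchemeRegistry sr = ccm.getSchemeRegistry();
-sr.register(new Scheme("https", 443, ssf));
-} catch (NoSuchAlgorithmException e) {
-logger.error("Error creating context to handle TLS connections: {}", e.getMessage());
-} catch (KeyManagementException e) {
-logger.error("Error creating context to handle TLS connections: {}", e.getMessage());
-}
-
-return defaultHttpClient;
-}
-
-/**
-* Returns a new trust manager which will be in charge of checking the SSL certificates that are being presented by
-* SSL enabled hosts.
-*
-* @return the trust manager
-*/
-private X509TrustManager createTrustManager() {
-X509TrustManager trustManager = new X509TrustManager() {
-
-/**
-* {@InheritDoc}
-*
-* @see javax.net.ssl.X509TrustManager#checkClientTrusted(java.security.cert.X509Certificate[], java.lang.String)
-*/
-public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException {
-logger.trace("Skipping trust check on client certificate {}", string);
-}
-
-/**
-* {@InheritDoc}
-*
-* @see javax.net.ssl.X509TrustManager#checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String)
-*/
-public void checkServerTrusted(X509Certificate[] xcs, String string) throws CertificateException {
-logger.trace("Skipping trust check on server certificate {}", string);
-}
-
-/**
-* {@InheritDoc}
-*
-* @see javax.net.ssl.X509TrustManager#getAcceptedIssuers()
-*/
-public X509Certificate[] getAcceptedIssuers() {
-logger.trace("Returning empty list of accepted issuers");
-return null;
-}
-
-};
-
-return trustManager;
-}
-
-/**
-* Creates a host name verifier that will make sure the SSL host's name matches the name in the SSL certificate.
-*
-* @return the host name verifier
-*/
-private X509HostnameVerifier createHostNameVerifier() {
-X509HostnameVerifier verifier = new X509HostnameVerifier() {
-
-/**
-* {@InheritDoc}
-*
-* @see org.apache.http.conn.ssl.X509HostnameVerifier#verify(java.lang.String, javax.net.ssl.SSLSocket)
-*/
-public void verify(String host, SSLSocket ssl) throws IOException {
-logger.trace("Skipping SSL host name check on {}", host);
-}
-
-/**
-* {@InheritDoc}
-*
-* @see org.apache.http.conn.ssl.X509HostnameVerifier#verify(java.lang.String, java.security.cert.X509Certificate)
-*/
-public void verify(String host, X509Certificate xc) throws SSLException {
-logger.trace("Skipping X509 certificate host name check on {}", host);
-}
-
-/**
-* {@InheritDoc}
-*
-* @see org.apache.http.conn.ssl.X509HostnameVerifier#verify(java.lang.String, java.lang.String[],
-* java.lang.String[])
-*/
-public void verify(String host, String[] cns, String[] subjectAlts) throws SSLException {
-logger.trace("Skipping DNS host name check on {}", host);
-}
-
-/**
-* {@InheritDoc}
-*
-* @see javax.net.ssl.HostnameVerifier#verify(java.lang.String, javax.net.ssl.SSLSession)
-*/
-public boolean verify(String host, SSLSession ssl) {
-logger.trace("Skipping SSL session host name check on {}", host);
-return true;
-}
-};
-
-return verifier;
-}
-
 }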
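Review bot: The new initializer `new DefaultHttpClient()` on line 44 of the new file restores certificate-chain validation as well as hostname verification, because the removed createTrustManager() accepted every chain (and its getAcceptedIssuers() returned null, violating the X509TrustManager contract); the commit message mentions only hostname verification, so the field's Javadoc should record the full contract, e.g. `/** Client used for all http requests. Relies on the JVM's default trust store and HttpClient's default hostname verifier; do not install permissive trust managers or verifiers here. */`. Since the client is now built at field initialization with no configuration hook, deployments that previously reached hosts with self-signed or private-CA certificates will presumably fail the TLS handshake until that CA is imported into the JVM trust store, which is worth stating in the description or release notes. The field also remains non-final and is assigned at declaration; marking it `private final` would make the intended one-time construction explicit, provided nothing outside this diff reassigns it.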
